Security & Privacy
How Ordaze protects your data, handles authentication, and meets compliance requirements.
Authentication
- All users authenticate via Google OAuth 2.0. Ordaze does not store passwords.
- Sessions are managed server-side using encrypted, HTTP-only cookies.
- API access uses workspace-scoped bearer tokens created in the dashboard.
Data Storage
- All data is stored in PostgreSQL with encryption at rest (AES-256).
- Database connections use TLS. No unencrypted connections are permitted.
- Backups are encrypted and retained for 30 days.
Transport Security
- All traffic is served over HTTPS with TLS 1.2+ enforced.
- HSTS headers are set with a 1-year max-age.
- API endpoints validate Content-Type and reject malformed requests.
Access Control
- Role-based access control (RBAC) with four roles: Owner, Admin, Editor, Viewer.
- All API endpoints enforce workspace membership and role checks server-side.
- API tokens are scoped to a single workspace and can be revoked at any time.
Third-party Services
- Google OAuth: authentication only, no data shared beyond email and name.
- Stripe: payment processing. Ordaze never sees or stores card numbers.
- Sentry: error monitoring. No user content is sent, only stack traces.
- Resend: transactional email (invitations). Only recipient email and workspace name are shared.
Data Retention & Deletion
- Account data is deleted within 30 days of an account deletion request.
- Workspace data (events, versions, scans) is deleted when the workspace is deleted.
- Audit logs are retained for the lifetime of the workspace.
Privacy & Compliance
- Ordaze is operated from Lithuania (EU) and complies with GDPR.
- We do not sell user data or use it for advertising.
- Essential cookies only, no tracking cookies or third-party analytics on the app.
- Users can request data export or deletion by contacting [email protected].
Questions?
If you have security concerns or need a detailed security questionnaire completed, contact us at [email protected].