Ora symbolORA

LEGAL

Security

Last updated: June 24, 2026

Our Commitment

At Ora Computing FlexCo, security is foundational to everything we build. We apply defence-in-depth across our infrastructure, codebase, and operational processes to protect customer data and compressed model artefacts. This page describes our security practices and how to report a vulnerability.

Infrastructure Security

  • Cloud hosting: Our services run on AWS infrastructure located within the European Union. We leverage AWS security features including VPC isolation, security groups, and IAM least-privilege policies.
  • Network controls: All external traffic is routed through a web application firewall (WAF). Internal services communicate over private networks and are not exposed to the public internet.
  • Encryption in transit: All data transmitted between clients and our services is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • Encryption at rest: Customer data and model artefacts stored on our infrastructure are encrypted at rest using AES-256.
  • Access control: Access to production systems is restricted to authorised personnel, enforced through multi-factor authentication (MFA) and role-based access control (RBAC).

Application Security

  • Secure development: Our engineering team follows secure coding practices. Code changes undergo peer review before merging to production.
  • Dependency management: We regularly audit third-party dependencies for known vulnerabilities and apply patches promptly.
  • Secrets management: API keys, credentials, and secrets are managed through dedicated secrets management tooling and are never stored in source code or logs.
  • Logging and monitoring: We maintain audit logs of access to sensitive systems and monitor for anomalous activity. Alerts are routed to our on-call team.

Data Handling

Models and data submitted to our compression pipeline are processed in isolated environments. Customer model artefacts are not used to train any Ora proprietary models and are deleted from our systems upon completion of the compression job, unless explicitly retained for ongoing deployment services as agreed in your service agreement.

Incident Response

In the event of a confirmed security incident affecting customer data, we will:

  • Contain and investigate the incident promptly.
  • Notify affected customers without undue delay and within 72 hours of becoming aware of a breach, as required by the GDPR.
  • Report to the Austrian Data Protection Authority (Datenschutzbehörde) where required by law.
  • Provide a post-incident report to affected customers detailing the nature of the incident and remediation steps taken.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of the security research community. If you believe you have discovered a vulnerability in any Ora Computing system or service, please report it to us responsibly.

To report a vulnerability:

  • Email info@oracomputing.com with a clear description of the issue.
  • Include steps to reproduce, affected systems, and potential impact.
  • Encrypt sensitive details using our PGP key if available (contact us for the key).

We ask that you:

  • Give us reasonable time to investigate and remediate before public disclosure.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Not exploit the vulnerability beyond what is necessary to demonstrate the issue.

We commit to acknowledging your report within 3 business days, keeping you informed of our progress, and, where appropriate, publicly crediting your contribution.

Contact

For security enquiries, contact info@oracomputing.com. For general legal or privacy questions, contact info@oracomputing.com.