Trust & Security

Security by architecture, not afterthought.

Orqista is designed so your code and data stay under your control. Whether you choose cloud or self-hosted, security is built into every layer.

Data Sovereignty

Your code stays under your control. Self-hosted Orqista means no external data transfer, no cloud dependencies, no data leaving your network.

  • Self-hosted: zero external data transfer
  • Cloud: isolated, encrypted tenancy
  • No model training on your code — ever
  • Full data retention and deletion controls

Agent Capability Isolation

Every expert agent operates under explicit capability grants — deny by default. Capabilities are declared at agent definition time and enforced at the kernel level.

  • Per-expert tool allowlists: agents only call what they're authorized for
  • Shell command allowlists by prefix pattern — not open-ended exec
  • Symlink-aware path canonicalization on every file and execution tool
  • Blocked system paths: /etc, ~/.ssh, ~/.aws regardless of workspace boundary
  • Workspace isolation: each mini-job runs in its own directory
  • Loop guard: automatic stuck-agent detection terminates runaway tool calls

Compliance Standards

Built-in compliance framework support with automated scoring, gap analysis, and auditor-ready evidence export.

  • NIS2, SOC 2, ISO 27001, HIPAA, PCI-DSS — activate per project
  • Per-standard conformance scores (0–100) with control evidence
  • Hash-chained audit event log — tamper-evident, append-only
  • Automated drift detection between compliance snapshots
  • Time-limited exception management with justification audit trail
  • Evidence export for auditor review (JSON, CSV)

Access Control

Secure authentication and authorization for every endpoint.

  • API key authentication for all requests
  • Secrets automatically redacted in responses and logs
  • Full audit trail for every expert agent action
  • Configurable approval authorization per user

Guardrails & Prompt Safety

Eight structured rule categories enforce constraints on AI-generated output before it reaches your codebase.

  • Content-pattern, infrastructure, process, dependency, secret, naming, testing, quality rules
  • Code-aware Terraform HCL evaluator for infrastructure rules
  • Scope inheritance: global → group → project, narrower scope wins
  • Locked rules cannot be overridden or exempted at any scope
  • Prompt injection defense in skills and tool result ingestion
  • Human approval gates before execution for high-risk workflows

GDPR / DSGVO Compliance

Designed for European compliance requirements from the ground up.

  • EU data residency for cloud deployments
  • No model training on customer data
  • Data minimization — agents access only what they need
  • Right to deletion and data portability
  • Self-hosted, cookie-free analytics — no third-party data sharing

Encryption & Offline

Data protection in transit and at rest. For the highest security requirements, run without any internet connectivity.

  • TLS 1.2+ for all communications
  • AES-256 encryption at rest
  • Secrets managed via environment variables or parameter store
  • Local AI models via Ollama — zero internet dependency after setup
  • Air-gapped environment support

Security questions? Let's talk.

Request access and we'll walk through our security architecture for your specific compliance requirements.
