Security and Compliance

Pick your trust model.

Either our compression engine runs on our servers, and we see only the prompts you choose to send — under a published data processing agreement. Or it runs inside a hardware-enforced enclave on your infrastructure, where we cryptographically cannot see your data and you cryptographically cannot see our engine. There is no third option. That is the point.

Security architecture

Zero-trust IP

The engine runs only where Ordica controls it: on Ordica servers, or inside a hardware enclave on customer infrastructure.

Free and Pro tiers execute server-side in US-based, FIPS-enabled environments. Enterprise tier executes inside verified hardware enclaves on customer infrastructure, where the enclave keeps the engine from the host and customer prompts from Ordica. We do not ship the engine as a binary for customers to run unprotected.

In-memory processing

Customer prompts are processed in memory only.

Prompts and responses are never written to persistent storage. Audit logs capture request metadata — token counts, timestamps, status — with no prompt or response content retained.

Hardened infrastructure

FIPS-enabled Linux, US data residency.

All production hosts run FIPS-enabled operating systems. Infrastructure is hosted in the United States. Network access is restricted and continuously monitored.

Access controls

Role-based, audited, principle of least privilege.

Production access requires multi-factor authentication. Administrative actions are logged to an append-only audit trail. Production secrets are rotated on a defined schedule.

Compliance posture

We publish our compliance posture honestly. Some items are live, some are in progress, some are not pursued. We will not claim a certification we do not hold.

  • SAM.gov: SUBMITTED. Federal contractor registration submitted 29 March 2026. Required for DoD and federal prospects.
  • FIPS: ENABLED. Production hosts run with the operating system's FIPS mode enabled, which limits them to FIPS-validated cryptographic modules. This is an OS setting; Ordica does not claim a FIPS 140 validation of its own software.
  • NIST 800-171: DOCUMENTED. System Security Plan documented. Available to qualified prospects under NDA.
  • CMMC Level 2: IN PROGRESS. Self-assessment underway.
  • SOC 2 Type II: PRE-AUDIT. Pre-audit preparation underway. Targeting a Type II report in Q3 2026.
  • Third-party audits: NONE PUBLIC. No third-party security audits have been published. We will announce them when they are complete.
  • Data residency: United States. Customer data is processed, and any metadata stored, in US infrastructure.
  • Data retention: Prompt and response content, none. Request metadata, retained per DPA and available on request.

Subprocessors

We use the following subprocessors to deliver the service. We do not share customer prompts or responses with any party that is not disclosed as a subprocessor here or in the DPA.

  • Stripe, Inc. — payment processing and metered billing (PCI DSS, Delaware, United States)
  • Cloudflare, Inc. — CDN, DDoS protection, TLS termination, and bot management for ordica.ai (California, United States). Because Cloudflare terminates TLS, request and response bodies pass through Cloudflare's edge in plaintext while in transit.
  • Northwest Registered Agent LLC — California registered agent for service-of-process (Sacramento, California)

A complete subprocessor list, including transactional email infrastructure used for account and billing notifications, is provided to Enterprise customers as part of the DPA.

Benchmark-only providers (not used in production routing): OpenAI, Anthropic, xAI, and Google. These providers are called by Ordica only during internal benchmarking of the compression engine against the published cohort dataset. They are not invoked when processing customer API traffic, and customer prompts are never sent to them.

Ordica does not onboard a new subprocessor without posting an update to this page at least 15 days before the change takes effect.

Enterprise customers receive advance notice of subprocessor changes as part of the DPA.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in any Ordica service, please report it before public disclosure.

  • Report to: security@ordica.ai
  • Disclosure window: We ask for 90 days from initial report to coordinated disclosure
  • Acknowledgment: We credit reporters by name or handle in the fix notes, with your permission
  • Scope: ordica.ai, api.ordica.ai, and associated production endpoints
  • Out of scope: Social engineering, physical attacks, denial of service testing without prior written approval

Request our security package

For SOC 2 readiness documentation, NIST 800-171 System Security Plan, DPA, subprocessor list, or penetration test summaries, contact legal@ordica.ai. Detailed security documentation is shared with qualified prospects under mutual NDA.