Security Policy

1. Overview

Orchard Reach is committed to protecting the security and confidentiality of customer data and prospect data processed through our Platform. This Security Policy describes the technical and organisational measures we implement to safeguard data. While we do not currently hold SOC 2 or ISO 27001 certifications, we follow industry best practices appropriate to the nature and scale of our operations.

2. Infrastructure Security

• Cloud hosting: The Platform is hosted on Amazon Web Services (AWS) in the EU region eu-central-1 (Frankfurt, Germany). AWS maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications for its infrastructure.
• Encryption in transit: All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted.
• Encryption at rest: All data stored on the Platform, including databases and file storage, is encrypted at rest using AES-256 encryption via AWS managed keys.
• Network security: The Platform employs private subnets, security groups, and network access control lists to restrict access to internal services. Backend services are not directly accessible from the public internet.

3. Application Security

• Authentication: User authentication is managed through a dedicated authentication service with support for secure password policies and session management.
• Access control: Role-based access control (RBAC) is implemented across the Platform, ensuring users only have access to features and data appropriate to their subscription tier and role.
• Secrets management: API keys, database credentials, and other sensitive configuration values are stored in AWS Systems Manager Parameter Store and AWS Secrets Manager, not in source code.
• Dependency management: We regularly review and update third-party dependencies to address known vulnerabilities.

4. Operational Security

• Access policies: Employee and contractor access to production systems is limited to the minimum necessary for their role. Access is reviewed periodically and revoked upon role change or departure.
• Logging and monitoring: We maintain logs of system activity and security events. Anomalous activity is reviewed and investigated.
• Incident response: We maintain an incident response process for handling security events. In the event of a personal data breach, affected customers will be notified within 72 hours of discovery, as described in our Data Processing Agreement.

5. Payment Security

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Orchard Reach does not store, process, or transmit full payment card data. Payment information is submitted directly to Stripe's secure infrastructure.

6. Data Backup and Recovery

Customer data is backed up regularly using AWS-native backup services. Backups are encrypted and stored within the EU region. We maintain and periodically test recovery procedures to ensure data availability in the event of a failure.

7. Vulnerability Disclosure

If you discover a security vulnerability in the Orchard Reach platform, we encourage responsible disclosure. Please report any security concerns to info@orchardreach.com. We will acknowledge receipt within 48 hours and work to address confirmed vulnerabilities promptly. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

8. Continuous Improvement

We regularly review and improve our security practices as the Platform grows. This includes evaluating the need for formal certifications such as SOC 2 and ISO 27001 as our customer base and operational complexity increase.