Data Center and Network Security
Orai hosts all of its software and data with industry-standard providers such as AWS and Google Cloud's facilities in the USA. Our providers have an extensive list of compliance and regulatory assurances, including SOC 13, and ISO 27001. All of Orai servers are located within Orai's own virtual private cloud (VPC), protected by restricted security groups, allowing only the minimal required communication to and between the servers. Orai conducts third-party network vulnerability scans at least annually.
All connections to Orai are encrypted using SSL. Any attempt to connect over HTTP is redirected to HTTPS. We maintain an A grade for Qualys/SSL Labs. All customer data (including call recordings and transcripts) is encrypted at rest and in transit. Restricted access to specific production systems. Data access and authorizations are provided on a need-to-know basis and based on the principle of least privilege. Access to the production system is restricted to authorized personnel and is carried out using a VPN. Orai enterprise customers may configure a custom data retention duration with us.
Web application architecture and implementation follow OWASP guidelines. In addition to Orai's extensive testing program, Orai conducts application penetration testing by a third-party at least annually. Orai login requires strong passwords. User passwords are salted, irreversibly hashed, and stored in Orai's database. Audit logging lets administrators see when users last logged in.
All access to Orai applications is logged and audited. Logs are kept for at least one year. Orai maintains a formal incident response plan for major events. Orai maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.