Security & trust
Built for ops teams who can't gamble on data handling.
OrderPier processes inbound purchase orders, which often contain pricing, customer identities, and contract terms. This page documents, honestly and concretely, how we protect that data.
Encrypted in transit & at rest
TLS 1.3 on every endpoint with HSTS. Database and backups encrypted with AES-256 via our managed Postgres provider. Inbound SMTP requires TLS.
Tenant isolation, not promises
Every customer-data row carries an organization ID, and every query is scoped to the signed-in tenant's organization at the data-access layer, a request can only ever read or write its own org's data. On top of that, Postgres Row-Level Security enforces the same boundary at the database itself, the connection serving each request runs as a non-privileged role bound to the tenant's organization, so a query bug in application code cannot cross tenants.
Your data does not train AI models
We run extraction through our model providers (Anthropic and Google) under their commercial terms, which contractually exclude your inputs and outputs from model training. Your documents are never used to train any model, see our sub-processor list for the full vendor breakdown.
Prompt-injection mitigations
Email content is processed by an extraction call with no tool access, no outbound network, and a strict JSON output schema. A successful injection cannot trigger any tool or network call, at worst it produces a malformed extraction, which the validator routes to human review.
Append-only audit trail
Every order action, assignment, edit, approval, and push, is logged with actor, timestamp, and detail in an append-only event trail, and exportable as CSV for compliance reviews.
Incident response
Sev-1 incidents (confirmed unauthorized access to customer data) are disclosed to affected customers within 72 hours with scope, root cause, and remediation.
Documented retention
Raw inbound emails: 90 days, then purged. Extracted PO records: lifetime of contract + 30 days, deletable on request within 7 days. Logs: 30 days hot, 1 year cold.
Vulnerability disclosure
Report security issues to security@orderpier.com (we acknowledge within 1 business day, triage within 5). See /.well-known/security.txt.
Certifications & roadmap
SOC 2 Type II: readiness underway with Vanta. Observation window opens Q3 2026. Type II report targeted Q1 2027. SIG Lite / CAIQ: available on request under NDA. Annual external pen test: scheduled with a qualified firm Q4 2026. GDPR Article 28 DPA: published. Sub-processor list: published with 30-day change-notice subscription.
Detailed control evidence and architecture diagrams are available under NDA for active security reviews, email security@orderpier.com.
What security reviewers ask
- Are you SOC 2 certified?
- OrderPier is not yet SOC 2 certified. We are in active readiness with Vanta and starting our Type II observation window in Q3 2026, with a Type II report targeted for early 2027. We do not display a "SOC 2 in progress" badge because that's frowned on by reputable auditors, we'd rather tell you exactly where we are.
- Does your AI provider see our PO data?
- Yes, the email body and attachments are sent to our model providers (Anthropic and Google) for extraction. Under their commercial terms, your inputs and outputs are excluded from model training and retained only briefly for abuse and trust-and-safety review. We're pursuing zero-data-retention arrangements and will update this page as they take effect.
- What about prompt injection in emails?
- Our extraction LLM call has no tools, no outbound network, and a fixed JSON output schema. Even a successful injection produces only a malformed extraction, which our validator rejects and routes to your team for review. We log suspected injection patterns and do not use LLMs in any agentic loop that writes to your ERP.
- How does tenant isolation work technically?
- Tenant isolation is enforced in the application's data-access layer: every customer-data table has an organization ID column, and every read and write is filtered by the signed-in user's organization (resolved server-side from their authenticated session), so one tenant's requests can never touch another tenant's rows. As defense-in-depth, PostgreSQL Row-Level Security enforces the same boundary at the database layer: the role serving requests has no bypass privilege and every customer-data table has a row-level policy keyed to the request's organization, so even a flawed query cannot cross tenants.
- Can you sign our DPA?
- OrderPier publishes a standard DPA at /legal/dpa, Article 28-compliant, with 2021 EU SCCs Module 2 + UK Addendum for international transfers. For enterprise contracts we'll counter-sign your DPA or ours.
- Where can I see your sub-processors?
- Up-to-date list at /legal/subprocessors. We commit to 30 days' notice of any sub-processor change, email subprocessor-updates@orderpier.com to subscribe.
- Can you meet HIPAA / data residency / on-prem requirements?
- OrderPier is currently US-region only. EU residency is on the roadmap and available on Enterprise. HIPAA-aligned deployments and on-prem are discussed case-by-case on Enterprise contracts. Tell us what you need.