How OrgPilot hosts, protects, and isolates the information organizations entrust to us. We are an early-stage product and aim to describe our posture plainly, including what we have in place today and what is on our roadmap.
OrgPilot runs on Amazon Web Services in the United States. The application operates within a private virtual network (VPC), and application data is stored in a managed PostgreSQL database (Supabase) hosted in AWS's US East region. All data is stored and processed in United States regions, at rest and in transit.
For production customer deployments, we provision dedicated, single-tenant infrastructure so that a customer's environment is isolated from other workloads.
Data is encrypted in transit using TLS and encrypted at rest in our database and storage layers. Access to service endpoints is over HTTPS only.
OrgPilot supports SAML-based single sign-on, including with Microsoft Entra ID, so that organizations retain control of identity and can apply their own multi-factor and conditional-access policies. Within the application, role-based access controls separate what supervisors and staff can see, and database-level access rules enforce that users only reach data they are permitted to access.
On our side, administrative access to infrastructure follows least-privilege principles and is limited to authorized personnel.
We operate a disciplined, tooling-driven development process aligned with NIST SSDF and OWASP guidance:
The current OrgPilot product does not include AI or large-language-model features in its data path. No customer or employee data is processed by any AI system, and no such data is used to train any model.
We do use AI-assisted coding tools internally during our own software development. Those tools operate only on our source code, never on customer or production data, and all generated code passes through our normal review, testing, and scanning before release. If a customer-facing AI capability is ever introduced, it would be optional, clearly disclosed, and subject to customer review before any of their data was involved.
We use a small set of vendors to operate OrgPilot. All process data in United States regions.
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting and infrastructure | United States |
| Supabase | Managed PostgreSQL database | United States (us-east-1) |
We want to be straightforward about where we are. OrgPilot does not currently hold a SOC 2 Type II or FedRAMP authorization; SOC 2 is on our roadmap. We have completed AWS's Foundational Technical Review of our architecture, which is a Well-Architected based technical review rather than a security attestation. Our managed database provider, Supabase, maintains a SOC 2 Type II report covering its platform.
Evaluating us for a procurement? We are glad to complete your security questionnaire, share architecture details, and discuss controls appropriate to your data classification. Reach us at security@orgpilot.com.
We maintain an incident response process for identifying, containing, and remediating security events. In the event of a confirmed security breach affecting customer data, we will notify affected customers within a defined timeframe, which we are glad to specify contractually.
We collect only the information the service needs, and we do not sell data or use it for advertising. On termination of a customer relationship, we delete or return organizational data in accordance with our customer agreement. More detail on what we collect and how it is used is in our Privacy Policy.
Security questions, questionnaires, or vulnerability reports can be sent to security@orgpilot.com. OrgPilot is a product of OneBlink Inc, a Delaware corporation.