Security
Security controls are documented as enforceable behavior, defaults, and operator responsibilities.
Data retention model
Plan limits define metadata retention, trace retention, payload storage mode, eval replay, and archive/export limits.
Encryption in transit/at rest
TLS protects traffic in transit. Managed data stores, R2, and Cloudflare-managed services provide at-rest encryption. Virtual keys add application-layer encryption before storage.
Virtual key encryption
Provider credentials are encrypted server-side; plaintext is not returned to the browser after creation.
Raw prompt storage policy
Raw payload retention is off or redacted by default for builder plans. Full payload retention requires explicit configuration and a higher-trust plan.
Redaction defaults
Incident exports include omitted/redacted data sections; redact secrets before sharing an export.
Tenant isolation
Rows are tenant/project scoped; export and dashboard APIs enforce tenant/project isolation.
Audit logging
Admin, policy, key, and org changes write audit entries where available.
SSRF protections
Custom endpoints, OTLP, webhooks, SSO metadata, and MCP egress use allowlists and private-network guards.
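One way to combine a host allowlist with a private-network guard for outbound webhook or OTLP destinations, shown as an added example that is not Pulse's own code. The hostnames, the function names `check_egress` and `is_public_ip`, and the injected `resolve` callable are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist for illustration; these hostnames are constructed.
ALLOWED_HOSTS = {"hooks.example.com", "otlp.example.net"}

def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_egress(url, resolve, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, pinned_ips) or (False, reason).

    `resolve` maps a hostname to a list of IP strings; it is injected so the
    same addresses that were checked can be the ones connected to.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "no addresses"
    # Every resolved address must be public; one private record fails the request.
    if not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    # The caller connects to these pinned IPs instead of resolving the name again.
    return True, addrs
```

Connecting to the returned addresses, rather than resolving the hostname a second time, keeps the check and the connection on the same DNS answer.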
Key rotation
Rotate Pulse keys from the dashboard and rotate upstream virtual keys by replacing encrypted credentials.
Responsible disclosure
Report suspected vulnerabilities to security@orionslock.com with affected endpoint, reproduction steps, impact, and relevant request IDs. Do not test against other tenants or production customer data.