Our Adherence to Protection

Our mission is to orchestrate end-to-end procurement across teams, systems, and processes present in your organization. A core part of our mission is our commitment to security, best-in-class infrastructure, and innovation that will keep your organization secure and compliant.

ORO Lab’s Trust Center

ORO Lab’s mission is to provide your organization with a modern procurement fabric that helps orchestrate end-to-end procurement across teams, systems, and processes. We honor that commitment with a sharp focus on security, best-in-class infrastructure, and the ability to innovate, which helps keep your organization secure and compliant.

Privacy

Privacy-first Approach

We’re committed to the protection of customers’ data and maintain a high level of information security. We make it a priority to keep your data secure and to prevent unauthorized access. We accomplish this by keeping privacy and security at the forefront of our minds when developing all of our products.

Compliance

We undergo independent external audits and are certified SOC 2 Type 1 and SOC 2 Type 2 by AICPA. This is a testament to the effectiveness of the internal controls we have put in place to safeguard customer data.

SOC 2 TYPE 1

Our internal controls that safeguard customer data are designed correctly

SOC 2 TYPE 2

Our system and controls have been tested for their effectiveness

ISO 27001:2022

Our information security management system can manage risks and identify weaknesses proactively

Cybersecurity

Infrastructure security

Data Encryption

We encrypt our customers’ data with TLS 1.2+ in transit and AES-256 at rest. Our administrative controls enforce protection at every level of the organization.

Customer Data Segregation

We have distinct controls in place to prevent data leakage. Development, testing, and production environments are all isolated from one another to keep data where it belongs.

Firewall Controls

Subnet and security group rules are used to control network traffic. All components that process your data operate in our private network inside our secure cloud platform. Application-level ingress and egress filtering is implemented to control inbound and outbound traffic. Our servers and network ports sit behind load balancers and a web application firewall.

Application Security

Security in Software Development & Deployment Process

We use secure SDLC processes, including threat modeling, design reviews, code reviews, and software composition analysis (SCA). Manual QA is performed to keep the product free of bugs. We also use up-to-date, secure open-source frameworks with built-in security controls to limit exposure to the OWASP Top 10 security risks. These controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).

Penetration Testing

We actively work to identify and fix security vulnerabilities in our product and infrastructure. That is why we undergo third-party network penetration tests on a routine basis.

Information Security Awareness & Training

Our employees complete mandatory annual training on a wide range of privacy and security topics. Training covers phishing, issue escalation, insider threats, and malware. It is updated regularly to keep pace with changes in the security landscape.

Access Controls

SSO Integration

We offer SSO integration with any SAML-based IdP.

Role/Permissions Based Access

Our customers can configure users and their respective permissions in whatever secure arrangement they require. Privileges can be assigned by role, department, and group as needed.

Audit Logging & Tracking

We maintain audit logs for actions taken by any user. Each entry includes the date/time stamp, the user, and the action taken.

Operational Security

Zero-Trust Model for Production Access

We carefully authenticate and authorize all users and devices before granting access to production resources. Security measures are consistently applied across the network.

Background Checks

We conduct background checks on all employees, vendors, and contractors who work with us or have any access to data.

Device Endpoint Security

Mobile Device Management (MDM) is configured to enforce security policy on all employee devices. Enterprise anti-malware is installed to alert on potential malware and help prevent data leakage.

Vulnerability Reporting & Disclosure

Security is a top priority for us, and we continuously work with skilled security researchers and third-party testers to identify weaknesses in our products and infrastructure. If you believe you have found a security vulnerability, please let us know right away by emailing us at privacy@orolabs.ai. We investigate all reports and do our best to fix valid issues quickly.
