Security & Governance
Built for mission-critical work. Secure by design.
Architecture overview
Orvanta's architecture ensures complete separation between control plane and data plane. Every script executes in an isolated sandbox.
Encryption at rest
All databases, secret stores, and object storage volumes are encrypted at rest with AES-256, applied at the storage-volume (block device) level.
Encryption in transit
All network traffic between internal microservices and external clients is secured with TLS 1.3.
Role-Based Access Control
A fine-grained permissions model that can mirror your organisational structure exactly.
- Manage users
- Configure SSO
- All permissions
- Write scripts
- Deploy flows
- View secrets
- Execute flows
- View logs
- Publish apps
- View runs
- Read audits
- View settings
- Mix permissions
- Group mapping
- API access
Audit logging
Every state-changing action is written to the audit log with an immutable timestamp, the acting user, and the request payload.
Container isolation
- Dedicated sandbox per execution
- Temporary filesystem cleared on exit
- Memory and CPU limits enforced via cgroups
- No shared state between parallel runs
- Strict 360-second execution timeout
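The list above names properties, not mechanisms. The runner below is an added illustration (not Orvanta's code) of how each one is enforced with plain POSIX primitives: a fresh working directory per run that is removed on exit, a hard wall-clock timeout that kills the whole process group, CPU and memory ceilings, and no state carried between runs. A production deployment applies the resource limits with cgroups through a container runtime; `resource.setrlimit()` stands in for them here so the example runs unprivileged. The 360-second timeout is the figure stated on the page; the CPU and memory ceilings are assumptions made for this example.

```python
"""Per-execution sandbox runner: an added illustration, not Orvanta's code.

A throwaway directory per run (deleted on exit), a hard wall-clock
timeout, CPU/memory ceilings via setrlimit (a stand-in for cgroups),
and nothing shared between runs.
"""
import os
import resource
import shutil
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT_S = 360              # stated on the page
CPU_SECONDS = 300                    # assumed for this example
MEMORY_BYTES = 1024 * 1024 * 1024    # assumed: 1 GiB of address space


@dataclass
class RunResult:
    returncode: Optional[int]   # None when the run was killed for exceeding the timeout
    stdout: str                 # combined stdout and stderr of the run
    timed_out: bool
    workdir: str                # the per-run directory (already deleted when returned)
    workdir_removed: bool       # True when the temporary filesystem was cleared


def _cap(res: int, value: int) -> None:
    """Lower soft and hard rlimit to `value`, never above the inherited hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _apply_limits() -> None:
    """Runs in the child between fork and exec; stand-in for cgroup CPU/memory limits."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, MEMORY_BYTES)


def run_script(source: str, timeout_s: int = DEFAULT_TIMEOUT_S) -> RunResult:
    """Execute `source` as a Python script inside a dedicated, throwaway directory."""
    workdir = tempfile.mkdtemp(prefix="run-")          # dedicated sandbox per execution
    try:
        script = os.path.join(workdir, "script.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(source)
        # Minimal environment: the child inherits no variables (and no secrets) from the parent.
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
               "HOME": workdir, "TMPDIR": workdir}
        proc = subprocess.Popen(
            [sys.executable, "-I", script],            # -I: ignore user site-packages and PYTHON* vars
            cwd=workdir, env=env,
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True,
            preexec_fn=_apply_limits,
            start_new_session=True,                     # own process group, so killpg reaches children
        )
        try:
            out, _ = proc.communicate(timeout=timeout_s)
            code, timed_out = proc.returncode, False
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)        # strict timeout: kill the whole group
            out, _ = proc.communicate()
            code, timed_out = None, True
    finally:
        shutil.rmtree(workdir, ignore_errors=True)     # temporary filesystem cleared on exit
    return RunResult(code, out, timed_out, workdir, not os.path.exists(workdir))


if __name__ == "__main__":
    print(run_script("print('hello from the sandbox')"))
    print(run_script("import time; time.sleep(10)", timeout_s=1))
```

Two runs never see each other's files because each gets its own `mkdtemp` directory and the parent deletes it in `finally`, whether the script exits, crashes, or is killed. The address-space cap turns a runaway allocation into a `MemoryError` inside the run rather than pressure on the host.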
Multi-tenancy
Data is strictly isolated at the workspace level. Database rows, object storage, and secrets are tied to specific workspace IDs.
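Binding every row to a workspace ID only isolates tenants if every query uses that binding. The example below is an added illustration (not Orvanta's code) of the failure mode the binding guards against: a lookup by row id alone lets a caller in one workspace read another workspace's secret once the id is known or guessed, while the scoped variant takes the workspace from the authenticated session, never from the request, and includes it in every predicate. The SQLite table, workspace names and placeholder values are constructed for this example.

```python
"""Workspace-scoped data access: an added illustration, not Orvanta's code.

Contrasts an id-only lookup (insecure direct object reference across
workspaces) with a lookup keyed on (workspace_id, id) taken from the
caller's session. Schema and rows are constructed for this example.
"""
import sqlite3
from typing import List, Optional


def setup_db() -> sqlite3.Connection:
    """In-memory store with one secret in each of two workspaces (placeholder values)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE secrets ("
        " id INTEGER PRIMARY KEY,"
        " workspace_id TEXT NOT NULL,"
        " name TEXT NOT NULL,"
        " value TEXT NOT NULL)"
    )
    # Composite index so every scoped lookup stays an index seek.
    db.execute("CREATE INDEX secrets_ws ON secrets (workspace_id, id)")
    db.executemany("INSERT INTO secrets VALUES (?, ?, ?, ?)", [
        (1, "ws_a", "db_password", "placeholder-a"),
        (2, "ws_b", "api_key", "placeholder-b"),
    ])
    return db


def get_secret_unscoped(db: sqlite3.Connection, secret_id: int) -> Optional[str]:
    """Vulnerable pattern: the caller-supplied id alone selects the row."""
    row = db.execute("SELECT value FROM secrets WHERE id = ?", (secret_id,)).fetchone()
    return row[0] if row else None


def get_secret_scoped(db: sqlite3.Connection, session_workspace: str,
                      secret_id: int) -> Optional[str]:
    """Tenant-safe pattern: the session's workspace is part of the key.

    A missing id and a foreign-workspace id both return None, so the
    response does not reveal whether the id exists in another workspace.
    """
    row = db.execute(
        "SELECT value FROM secrets WHERE workspace_id = ? AND id = ?",
        (session_workspace, secret_id),
    ).fetchone()
    return row[0] if row else None


def list_secret_names(db: sqlite3.Connection, session_workspace: str) -> List[str]:
    """Listing is scoped the same way; there is deliberately no unscoped listing."""
    rows = db.execute(
        "SELECT name FROM secrets WHERE workspace_id = ? ORDER BY name",
        (session_workspace,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = setup_db()
    print("unscoped, ws_b caller asks for id 1:", get_secret_unscoped(db, 1))
    print("scoped,   ws_b caller asks for id 1:", get_secret_scoped(db, "ws_b", 1))
```

The workspace parameter must come from the verified session (for example a claim in the SSO token), never from a query string or request body, or the scoped query degrades back into the unscoped one.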
Zitadel SSO & SAML
Enterprise identity management integrated out of the box.
- SAML 2.0 and OIDC support
- Automatic SCIM user provisioning
- Just-in-Time (JIT) account creation
- Group claim synchronization
Compliance roadmap
Responsible disclosure
We take security seriously. If you believe you have found a vulnerability, please contact us immediately.
security@orvanta.cloud