How the platform handles your data, your money math, and the record.
Posture statements, not certificates. We publish what we do and how, including the things we have not earned yet. The document is updated when the practice changes, not when the marketing window opens.
Your data rights.
We collect the minimum personal data required to run an account. Email is stored as a SHA-256 hash on the application side; the raw address is held only by the magic-link store and the email delivery provider.
You can export everything we hold on you in one call, and you can delete it in one call. Deletion pseudonymises history rather than erasing it, so the audit trail remains verifiable — your identity is removed, the events are not.
Authentication and access.
Sign-in is by single-use email link, signed and short-lived. No passwords to leak, lose or reuse. The session cookie is first-party, same-site, secure, and rotated on privilege escalation.
Teams gate access by membership. Role changes are audit-logged. There are no shared accounts in production.
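The sign-in flow described above, sketched as an added example (not OrcaTrade's own code): a link token that is HMAC-signed, expires after a short TTL, and is single-use because the store marks each nonce as redeemed. The secret, the TTL, the token layout and the field names are assumptions for the illustration; the application side only ever receives the SHA-256 key of the address, matching the data-handling statement above.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed example key; a deployment would load this from the platform key store.
LINK_SECRET = b"constructed-example-key-not-a-real-secret"
LINK_TTL_SECONDS = 600  # short-lived: ten minutes (assumed value)


def app_side_key(email: str) -> str:
    """The only identity the application layer stores: a SHA-256 of the
    normalised address, never the raw address."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def _sign(body: str) -> str:
    mac = hmac.new(LINK_SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


class MagicLinkStore:
    """Holds the raw address only for the lifetime of one unredeemed link."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._links: Dict[str, dict] = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def issue(self, email: str) -> str:
        nonce = secrets.token_urlsafe(16)
        expires = int(self._now()) + LINK_TTL_SECONDS
        body = f"{nonce}.{expires}"
        self._links[nonce] = {"email": email, "expires": expires, "used": False}
        return f"{body}.{_sign(body)}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the app-side key on success, None on any failure.
        Every failure path is indistinguishable to the caller."""
        try:
            nonce, expires_s, sig = token.split(".")
        except ValueError:
            return None
        body = f"{nonce}.{expires_s}"
        if not hmac.compare_digest(sig, _sign(body)):
            return None  # signature mismatch: forged or tampered link
        record = self._links.get(nonce)
        if record is None or record["used"]:
            return None  # unknown or already consumed
        if self._now() > record["expires"]:
            return None  # expired
        record["used"] = True  # single-use: second redemption fails
        email = record.pop("email")  # raw address leaves the store on redemption
        return app_side_key(email)
```

The store records the address only until the link is redeemed; after that the session is keyed by the hash alone, so a dump of application state cannot yield the raw address.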
Audit and accountability.
Every state change is hash-stamped over a GDPR-compatible projection. The chain is exportable in one call and independently verifiable end-to-end — including by a regulator, an auditor, or you.
Because the projection excludes raw personal data, an erasure request never breaks the chain. The audit trail and the right to be forgotten coexist.
A public anchor is published at /api/audit-anchor — no auth, no PII, just the sha256 head and length. Fetch it on a schedule and store each receipt locally; a later fetch whose chain does not pass through your earlier head is third-party-detectable evidence of a rewrite.
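The three properties stated above (a chain over a projection that excludes raw personal data, erasure that leaves every head intact, and an anchor receipt that exposes a rewrite) are shown together in this added example. It is not OrcaTrade's code; the event shape, the projection fields and the receipt format are assumptions, and the anchor is computed locally rather than fetched from /api/audit-anchor.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64


def projection(event: dict) -> dict:
    """GDPR-compatible projection: the facts an auditor needs, keyed by an
    opaque actor id. Raw identity fields such as email never enter the hash."""
    return {k: event[k] for k in ("seq", "actor_id", "action", "target", "at")}


def stamp(prev_head: str, event: dict) -> str:
    payload = json.dumps(projection(event), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_head + payload).encode()).hexdigest()


def build_chain(events: List[dict]) -> List[str]:
    """heads[i] commits to events[:i+1]."""
    heads, head = [], GENESIS
    for ev in events:
        head = stamp(head, ev)
        heads.append(head)
    return heads


def anchor(events: List[dict]) -> Dict[str, object]:
    """What a public anchor endpoint would publish: head and length, no PII."""
    heads = build_chain(events)
    return {"sha256": heads[-1] if heads else GENESIS, "length": len(events)}


def receipt_consistent(events: List[dict], earlier: Dict[str, object]) -> bool:
    """A later export must pass through the earlier head at the earlier
    length. If it does not, history before that point was rewritten."""
    n = int(earlier["length"])
    if n > len(events):
        return False  # chain got shorter: truncation
    if n == 0:
        return True
    return build_chain(events)[n - 1] == earlier["sha256"]


def erase_user(events: List[dict], actor_id: str) -> List[dict]:
    """Erasure pseudonymises: identity data outside the projection is dropped,
    projected fields are untouched, so every head is unchanged."""
    out = []
    for ev in events:
        ev = dict(ev)
        if ev["actor_id"] == actor_id:
            ev.pop("email", None)
        out.append(ev)
    return out


# Constructed sample events; actor ids are opaque pseudonyms.
EVENTS = [
    {"seq": 1, "actor_id": "u_7f3a", "email": "alice@example.com",
     "action": "plan.create", "target": "plan_42", "at": "2026-06-02T09:00:00Z"},
    {"seq": 2, "actor_id": "u_7f3a", "email": "alice@example.com",
     "action": "plan.recompute", "target": "plan_42", "at": "2026-06-03T08:15:00Z"},
    {"seq": 3, "actor_id": "u_0b1c", "email": "bob@example.com",
     "action": "role.change", "target": "team_9", "at": "2026-06-03T10:40:00Z"},
]
```

Storing each fetched receipt locally is what makes the check third-party: the platform cannot retroactively change a head you already hold.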
Reproducibility of every euro.
Every plan we generate is stamped with the calculator version, the data-snapshot date, and — as of 2026-06-02 — the per-quote TARIC duty rate pinned with its source and asOf timestamp. You can reproduce any quote we wrote, on any date we wrote it.
The LLM never produces a number that drives a decision. Calculators move money; the AI layer writes prose on top. The two are walled off in the codebase and enforced by CI.
Recompute a saved plan and the verdict tells you, plainly, whether today’s market data still produces the same euros — and when it doesn’t, it itemises which values moved (FX rate, AD/CVD rate, ETS price, TARIC duty rate) and shows the original landed total side-by-side with today’s.
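The recompute verdict described above, as an added example rather than the platform's calculator: a plan is stamped with the calculator version, snapshot date and each pinned input (value, source, asOf), and a recompute reports whether today's inputs still produce the same euros and which inputs moved. The landed-cost formula, the input names and the sample figures are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PinnedInput:
    value: float
    source: str   # where the figure came from
    as_of: str    # asOf timestamp of that figure


@dataclass(frozen=True)
class PlanStamp:
    calculator_version: str
    snapshot_date: str
    goods_value_usd: float
    emissions_tco2: float
    inputs: Dict[str, PinnedInput]   # fx_rate, taric_duty_rate, ad_cvd_rate, ets_price
    landed_total_eur: float


def landed_total(goods_usd: float, tco2: float, inputs: Dict[str, PinnedInput]) -> float:
    """Deterministic calculator (constructed formula): same inputs, same euros."""
    goods_eur = goods_usd * inputs["fx_rate"].value
    duty = goods_eur * inputs["taric_duty_rate"].value
    ad_cvd = goods_eur * inputs["ad_cvd_rate"].value
    carbon = tco2 * inputs["ets_price"].value
    return round(goods_eur + duty + ad_cvd + carbon, 2)


def stamp_plan(version: str, snapshot: str, goods_usd: float, tco2: float,
               inputs: Dict[str, PinnedInput]) -> PlanStamp:
    return PlanStamp(version, snapshot, goods_usd, tco2, inputs,
                     landed_total(goods_usd, tco2, inputs))


def recompute(saved: PlanStamp, today: Dict[str, PinnedInput], version: str) -> dict:
    """Verdict: does today's data still give the same euros, and if not, what moved."""
    if version != saved.calculator_version:
        return {"verdict": "calculator changed", "moved": [], "original": saved.landed_total_eur}
    replayed = landed_total(saved.goods_value_usd, saved.emissions_tco2, saved.inputs)
    assert replayed == saved.landed_total_eur, "stamped inputs no longer reproduce the quote"
    now_total = landed_total(saved.goods_value_usd, saved.emissions_tco2, today)
    moved: List[Tuple[str, float, float]] = [
        (name, saved.inputs[name].value, today[name].value)
        for name in saved.inputs if saved.inputs[name].value != today[name].value
    ]
    return {
        "verdict": "same euros" if now_total == saved.landed_total_eur else "euros moved",
        "moved": moved,
        "original": saved.landed_total_eur,
        "today": now_total,
    }


# Constructed sample: a quote written on 2026-06-02, recomputed after FX moved.
SAVED_INPUTS = {
    "fx_rate": PinnedInput(0.92, "ECB reference rate (example)", "2026-06-02T14:00:00Z"),
    "taric_duty_rate": PinnedInput(0.065, "TARIC (example)", "2026-06-02T00:00:00Z"),
    "ad_cvd_rate": PinnedInput(0.0, "AD/CVD register (example)", "2026-06-02T00:00:00Z"),
    "ets_price": PinnedInput(70.0, "ETS auction (example)", "2026-06-02T12:00:00Z"),
}
TODAY_INPUTS = dict(SAVED_INPUTS, fx_rate=PinnedInput(0.90, "ECB reference rate (example)", "2026-06-09T14:00:00Z"))
SAVED_PLAN = stamp_plan("calc-1.4.0", "2026-06-02", 10_000.0, 3.0, SAVED_INPUTS)
```

Pinning each input with its source and asOf is what turns "the number changed" into "the FX rate published on that date changed", which is the itemised verdict the page describes.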
AI use.
OrcaTrade deploys five AI agents — compliance, sourcing, logistics, finance, and an orchestrator that merges their tools. Each carries a published model card covering intended use, out-of-scope use, model and provider, inputs and outputs, calculator-grounding contract, evaluations, known limitations and human oversight.
- No decision-driving numbers from the LLM. Every monetary, percentage, weight or duty-rate figure comes from a deterministic calculator output. Two eval gates enforce it: checkGrounding catches fabrication; checkNumericFidelity catches omission.
- EU AI Act Limited Risk (Art. 50 transparency). Full position published — covering Art. 50 transparency, voluntary Art. 14 oversight, no high-risk Annex III activity.
- No training on customer data. Anthropic does not train on API traffic. We do not fine-tune. We do not train any models ourselves.
- Human-in-the-loop on irreversible action. Customs filings, CBAM surrenders, EUDR DDS submissions and signed supplier contracts all route through requestHumanReview first. The platform never files.
- Per-tenant spend cap. Hard EUR/month limit per tier — free €1, starter €15, growth €100, scale €500. Runaway behaviour surfaces before billing.
- Threat models published. STRIDE walk-throughs for the AI agent surface, the customer API, and magic-link auth — with residual risk listed honestly.
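The two eval gates named in the first bullet, illustrated by an added example that is not the platform's implementation: one check flags any figure in the model's prose that no calculator output produced (fabrication), the other flags any calculator figure the prose left out (omission). The number-extraction regex, the tolerance, and the sample calculator output and prose are assumptions for the illustration.

```python
import re
from typing import Dict, List

# Matches 10,008.00 / 6.5 / 70 ; ISO dates are removed first so years are not "figures".
NUMBER_RE = re.compile(r"\d[\d,]*(?:\.\d+)?")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}(?:T[\d:]+Z?)?")
TOLERANCE = 0.005  # figures are rendered to two decimals


def extract_figures(prose: str) -> List[float]:
    cleaned = DATE_RE.sub(" ", prose)
    return [float(tok.replace(",", "")) for tok in NUMBER_RE.findall(cleaned)
            if tok.strip(",")]


def _matches(a: float, b: float) -> bool:
    return abs(a - b) <= TOLERANCE


def check_grounding(prose: str, facts: Dict[str, float]) -> List[float]:
    """Fabrication gate: every figure in the prose must come from a calculator
    fact. Returns the figures that do not."""
    return [n for n in extract_figures(prose)
            if not any(_matches(n, v) for v in facts.values())]


def check_numeric_fidelity(prose: str, facts: Dict[str, float]) -> List[str]:
    """Omission gate: every decision-driving calculator fact must appear in
    the prose. Returns the names of facts that are missing."""
    figures = extract_figures(prose)
    return [name for name, v in facts.items()
            if not any(_matches(n, v) for n in figures)]


def gate(prose: str, facts: Dict[str, float]) -> dict:
    fabricated = check_grounding(prose, facts)
    omitted = check_numeric_fidelity(prose, facts)
    return {"pass": not fabricated and not omitted,
            "fabricated": fabricated, "omitted": omitted}


# Constructed calculator output; percentages are supplied in display form.
FACTS = {"landed_total_eur": 10008.00, "taric_duty_rate_pct": 6.5, "ets_price_eur": 70.00}

GOOD_PROSE = ("Landed total is €10,008.00 as of 2026-06-02, at a 6.5% TARIC duty "
              "rate with ETS priced at €70.00 per tonne.")
BAD_PROSE = "Landed total is €10,150.00 at a 6.5% duty rate."
```

Running the two gates as separate checks matters because they fail differently: a fabricated figure is a wrong number in front of a customer, an omitted one is a decision made without a number the calculator said mattered.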
Application and transport security.
HSTS, content-security-policy, X-Frame-Options, X-Content-Type-Options and a strict Referrer-Policy on every response. Subresource integrity on third-party scripts. Cookies SameSite=Strict where compatible.
Inbound HTTP is TLS-only. Database connections are encrypted in transit. Secrets live in the platform key store; the application code never sees raw credentials.
Responsible disclosure.
Found a vulnerability? Send the details to security@orcatradegroup.com. We acknowledge within one business day, triage within three, and credit the reporter when the fix lands.
We will not pursue good-faith research that respects the disclosure timeline. There is no bug bounty programme today; if that changes, the terms will be published here first.
Subprocessors.
A short list, chosen for what they refuse to do as much as for what they do. Hosting and edge — Vercel. Database — Neon. Email — Resend. Analytics — Vercel Analytics, page-view counts only, opt-in. AI inference — Anthropic.
No advertising or retargeting subprocessors. No behavioural tracking. The list is published on this page and updated when it changes.
Reliability.
Health endpoint at /api/health publishes the live status of every subsystem the platform depends on — calculators, retrieval, sanctions lists, customs integration, audit chain.
Public status page at /status with the same readout, refreshed on a short interval. Incidents are written up post-hoc, dated, and kept in the record permanently.
Certifications & compliance roadmap.
Being straight about where we are: we are not yet certified against SOC 2 or ISO 27001, and we will not claim a certification we do not hold. Roadmap below — Live means evidence is in the repository today; Ready means scoping is complete and engagement is queued; Queued means planned without a commitment date.
| Standard / framework | Status | Target |
|---|---|---|
| GDPR — data-subject tooling, audit log, retention enforcement | Live | — |
| UK ICO data-protection registration | Queued | Before first paying customer |
| EU AI Act — Limited Risk transparency (Art. 50) | Live | — |
| SOC 2 Type I — scoping | Ready | Phase 2 (post-seed) |
| SOC 2 Type II | Queued | Post Type I + 6 months evidence |
| ISO 27001 | Queued | Phase 3 |
| ISO 27701 (privacy ISMS extension) | Queued | Phase 3 (paired with 27001) |
| Third-party penetration test | Ready | Scope brief published |
Documents we publish.
Every load-bearing security or compliance claim on this page is backed by a versioned document in the repository. Each document carries a Last updated date and a revision history. Read the underlying claim, not the marketing.