Section 01
Current disclosure
Order3 is available today. This page describes the security posture we operate today and the direction we are heading. We are not yet attested for SOC 2, ISO 27001, HIPAA, or PCI; we will say so clearly on this page when we are, and what scope each attestation covers. If you need a signed security questionnaire, a vendor review, or specific contractual commitments before evaluating Order3, email security@order3.com and we will engage directly. We would rather lose a deal because we were honest than win one on paper claims we cannot back.
Section 02
Access controls
Workspace access is gated by individual accounts with email-based authentication and, for the Order3 team, multi-factor authentication on all production systems. Customer data access by Order3 employees follows least-privilege: engineers have access only to systems they need to operate, support requires explicit workspace consent before reading customer records, and all production access is logged. Admins on a workspace can manage user invitations, roles, and permission scopes. We are working on SSO/SAML and SCIM for enterprise workspaces and will publish a status when those ship.
Section 03
Data handling and encryption
Customer data is encrypted in transit using TLS 1.2 or higher across the public web app, mobile app, and API. Data is encrypted at rest in our managed databases and object storage using provider-managed encryption (AES-256-class). Backups are encrypted and stored in regions documented in our sub-processor list. Workspace data is logically isolated per workspace; we do not commingle customer records. We do not use customer inventory data to train external AI models, and AI features process workspace data only within the scope an admin has authorized.
Section 04
Vendor review and sub-processors
We use a deliberately small set of vendors. Each is reviewed for security posture, data handling, and contractual commitments before we route customer data to it. Vendors with access to customer data are bound by a written DPA or equivalent. The current sub-processor categories (hosting, web analytics, error monitoring, transactional email, and support/CRM) are listed at /legal/sub-processors. We will publish specific named vendors and a change-notification process there as the product matures; today, named vendor lists are shared on request to active workspaces.
Section 05
Monitoring, incidents, and disclosure
We monitor the production environment for availability, errors, and unusual access patterns. The status surface lives at status.order3.com. Uptime numbers will be published once we have a representative window of operation. For incidents involving customer data, we aim to notify affected workspace owners promptly and to publish an honest post-mortem after non-trivial events. If you discover a vulnerability, please report it to security@order3.com. We will acknowledge receipt within a reasonable window and work with you in good faith. We do not pursue legal action against good-faith researchers who follow responsible disclosure.
Section 06
Compliance status and contact
We do not currently hold SOC 2, ISO 27001, HIPAA, or PCI attestations. We are aware of GDPR and CCPA obligations and operate accordingly, but we do not claim certifications we do not have. Customers with regulated data should review fit carefully and contact security@order3.com before storing sensitive records in Order3. For security questions, vendor reviews, DPA requests, or disclosures, email security@order3.com.