Security

Built for work
that cannot leak.

Ori is designed around local-first execution, visible agent behavior, and administrator control. This page separates what is available now from what is part of the enterprise roadmap.

SOC 2Type II program in progress
DataLocal-first by design
AdminTeam controls planned
ReviewSecurity packet on request
Architecture

Local-first
execution.

Ori is built to run workflows on the user's Windows machine. Recordings, memory, and workflow context are designed to stay on the device or inside a customer-controlled environment for team deployments.

Control

Humans stay
in charge.

Important actions should require user approval. Ori shows what it is doing, what it plans to do next, and where a workflow needs human judgment.

Enterprise

Admin and
audit.

Team deployments are planned around SSO, app allowlists, workflow approval, redaction controls, and action logs so IT can understand what is installed and what ran.

Core controls

  • Local storage: workflow recordings and memory are designed to live on the user's device by default.
  • Least privilege: agents should only operate in the apps, sites, and workflows approved by the user or administrator.
  • Action visibility: Ori surfaces active work, planned steps, and approval points instead of silently operating in the background.
  • Admin policy: team plans are planned to support SSO, group scoping, app allowlists, workflow approval, and centralized audit logs.
  • Data minimization: telemetry and diagnostics should be minimized, optional where appropriate, and never used as a substitute for user consent.

Compliance status

SOC 2 Type II is on the roadmap and the control program is being prepared. Once the attestation is complete, we expect to share the report with qualified customers under NDA.

For regulated workflows, including healthcare, legal, finance, and HR, customers should use a team deployment review before running production workflows. Additional contractual terms, deployment constraints, or a business associate agreement may be required depending on the use case.

Vulnerability reports

If you believe you found a security issue, email hello@ori-agent.com with the affected version, reproduction steps, impact, and any proof of concept. Please do not access, modify, or exfiltrate data that is not yours.

Security packet

For procurement and security review, contact hello@ori-agent.com. We can share architecture notes, planned controls, deployment assumptions, and the current compliance roadmap.