Platform
Use Cases
Multi-Agent Routing Fallback Chains Token Budgets Human-in-the-Loop Integrations Docs Blog Pricing
Sign In Get Early Access
Security

Designed for enterprise deployment from day one

OrchVynt is designed with the security controls that production teams require — not retrofitted after the fact. This page documents our security posture, data handling practices, and deployment options.

Talk to us about Enterprise Security
Security Principles

Built for production from the first line of code

Encryption at rest and in transit

All data stored by OrchVynt is encrypted at rest using AES-256. All traffic between your agents and OrchVynt and between OrchVynt and model providers is TLS 1.2 or higher.

API key isolation

Your model provider API keys are stored encrypted in a dedicated secrets vault, never in application logs or telemetry output. Keys are never exposed in response payloads or error messages.

Role-based access control

RBAC with configurable roles (Admin, Operator, Viewer) controls access to policy configuration, HITL approval queues, and telemetry data. SSO via SAML 2.0 or OIDC on Production and Enterprise tiers.

Minimal attack surface

OrchVynt is designed with a small surface area. The control plane exposes only the interfaces needed for routing, budgeting, and HITL. We run regular dependency audits and maintain a minimal dependency footprint.

Full audit trail

Every routing decision, configuration change, HITL resolution, and budget enforcement event is recorded in a tamper-evident audit log. Audit logs are exportable in JSON and CSV format for compliance workflows.

Self-hosted option

Enterprise customers can run OrchVynt entirely within their own VPC. In self-hosted mode, no traffic data leaves your infrastructure. OrchVynt does not phone home with invocation content in self-hosted deployments.

Data Handling

What OrchVynt stores and why

Data type Cloud-hosted Self-hosted Retention (cloud default)
Routing metadata (model selected, policy applied, latency) Stored Stored locally 7 days (Starter) / 90 days (Production)
Invocation content (prompts & responses) Configurable (on/off) Never leaves VPC Off by default on Starter
Budget accounting events Stored Stored locally Same as routing metadata
HITL gate events + reviewer decisions Stored Stored locally 90 days (all tiers)
Model provider API keys Encrypted at rest in secrets vault Stays in your VPC Never in logs or telemetry

Questions about our security posture?

We're happy to do a technical call with your security team. Contact us and we'll schedule a review.

Talk to us Privacy Policy