Your wedding data is among the most personal information you'll ever share. We treat it that way.
Updated June 2026
Encryption
AES-256 at rest, TLS 1.3 in transit. Every byte of your data is protected end-to-end.
Access Control
Strict role-based permissions. Only you decide who can see your planning workspace.
Monitoring
24/7 anomaly detection and automated incident response to catch threats before they matter.
Security was built into Orivia from day one, not retrofitted. We follow a security-first engineering approach at every layer of the stack.
Infrastructure Security
Cloud Hosting
Orivia is hosted on enterprise-grade cloud infrastructure with physical security controls, redundant power, and a 99.9% uptime SLA. Our servers are located in SOC 2 Type II certified data centers.
Network Security
All traffic encrypted with TLS 1.3; older protocols are rejected
Web Application Firewall (WAF) filtering malicious requests
DDoS protection and rate limiting on all public endpoints
Network segmentation isolating production, staging, and development environments
Intrusion Detection System (IDS) monitoring for anomalous traffic patterns
Data Encryption
At rest: AES-256 encryption for all stored data, including database records, file uploads, and backups
In transit: TLS 1.3 for all data transmission between clients and servers
Key management: Encryption keys are managed by a dedicated key management service with automatic rotation
Application Security
Secure Development Lifecycle
Security is integrated throughout our development process:
Code reviews with mandatory security checklists for all changes
Automated static analysis scanning for known vulnerability patterns
Dependency scanning to detect vulnerable third-party libraries
Regular third-party penetration testing by independent security researchers
Secret scanning in our CI/CD pipeline to prevent credential leaks
Authentication
Bcrypt password hashing (plaintext passwords are never stored)
Two-factor authentication (2FA) available for all accounts
Secure session tokens with configurable expiry
Suspicious login detection and automatic account lockout
OAuth 2.0 support for social login (Google, Apple)
Access Controls
Role-based access control (RBAC) within planning workspaces
Principle of least privilege: users see only what they need
Audit logs for all significant actions within your workspace
Granular permission settings for vendors, family, and guests
Operational Security
Internal Access Controls
Orivia staff access to production systems is strictly controlled:
All employees undergo background checks before employment
Production access is granted on a need-to-know basis only
All staff access requires 2FA and is logged and audited
Access is automatically revoked upon employee departure
Regular access reviews to ensure permissions remain appropriate
Backups and Recovery
Automated encrypted backups every 6 hours
Point-in-time recovery capability for the last 30 days
Backups stored in geographically separate regions
Disaster recovery plan tested quarterly
Incident Response
In the event of a security incident, our response process includes:
Immediate containment and impact assessment
Notification to affected users within 72 hours of discovery
Transparent communication about what happened and what data was involved
Post-incident review and improvement of security controls
Compliance
Orivia is committed to meeting or exceeding applicable data protection regulations:
GDPR: Full compliance for users in the European Economic Area, including data subject rights, lawful basis for processing, and cross-border transfer safeguards
CCPA: Compliance for California residents, including the right to know, delete, and opt out of data sale (we do not sell data)
APPI: Compliance with Japan's Act on the Protection of Personal Information
We conduct annual data protection impact assessments and maintain records of processing activities as required.
Responsible Disclosure
We welcome security researchers who discover vulnerabilities in Orivia and responsibly disclose them to us. Our responsible disclosure policy:
Please email vulnerabilities to security@orivia.digital; do not disclose publicly until we've had 90 days to remediate
Include a detailed description, reproduction steps, and potential impact
Do not access or modify user data, interrupt services, or perform social engineering
We will acknowledge reports within 48 hours and provide updates on remediation progress
Researchers who follow this policy will not face legal action from us
Found a vulnerability?
We take every report seriously. Our security team responds within 48 hours to all responsible disclosures.