Trust & Security

Security is the foundation of an autonomous analyst

Orion works directly with your most sensitive business data, so we build with security and privacy from the ground up. We hold ourselves to enterprise standards, connect to your data read-only, and back it with independent audits and continuous monitoring. Below is a high-level summary of our posture. For the full picture, visit our Trust Center.

Compliance and certifications

Gravity maintains a SOC 2 Type 2 attestation, independently audited against the Security, Availability, and Confidentiality trust services criteria. Our report covers the controls described on this page and is available under NDA to current and prospective customers through our Trust Center.


Key controls

The practices and safeguards we use to protect your data across our product and infrastructure.

Read-only by design

Orion only ever issues read queries: SELECT statements and metadata introspection. It never runs DDL, DML, or stored procedures, so it can explain what is changing without writing back to your systems.

Encryption everywhere

Data is encrypted in transit with TLS 1.2+ and at rest with AES-256. The credentials you share to connect a data source are encrypted at rest in our database.

Least-privilege access

Access to production systems is role-based, scoped to the minimum required, and protected with SSO and mandatory multi-factor authentication. Access is reviewed regularly.

Isolated infrastructure

Each customer's data is logically isolated. Our infrastructure runs on SOC 2 compliant cloud providers with network segmentation, hardened configurations, and automated backups.

Monitoring and logging

Systems are continuously monitored for anomalous activity. Audit logs capture access and administrative actions, and alerts route to our on-call team for investigation.

Secure development

Code changes go through peer review and automated security checks. We run regular vulnerability scans and engage third parties for periodic penetration testing.

How we handle your data

Orion connects to your data stack, including warehouses like BigQuery, Snowflake, and Redshift, BI tools like Looker, and transformation layers like dbt, to understand your metrics and business logic. We are deliberate about what we access and how long we keep it.

  • Read-only access: We recommend connecting Orion with a dedicated service account scoped to only the data you want it to analyze, using read-only credentials.

  • Data minimization: We process the data needed to answer a question and to extract business logic from your semantic layer. We do not sell your data or use it to train third-party models.

  • Logical isolation: Customer data is logically separated, and access is restricted to authorized systems and personnel on a need-to-know basis.

  • Retention and deletion: You control your connections and can revoke access or request deletion of your data at any time.
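To make the read-only service account recommendation above concrete, here is an added example (not Gravity's own provisioning script) of creating a least-privilege Snowflake role and service user that can only read one schema. The warehouse name analytics_wh, database analytics, schema marts, role orion_reader and user orion_svc are assumed placeholder names, and the public key is a placeholder to be replaced with your own.

```sql
-- Run as a role that can manage grants (e.g. SECURITYADMIN).
-- Goal: one role, one user, SELECT-only on a single schema, no write paths.

CREATE ROLE IF NOT EXISTS orion_reader;

-- Compute: the role may run queries on one warehouse but cannot resize or alter it.
GRANT USAGE ON WAREHOUSE analytics_wh TO ROLE orion_reader;

-- Navigation: USAGE on the database and schema is required to see objects at all.
GRANT USAGE ON DATABASE analytics TO ROLE orion_reader;
GRANT USAGE ON SCHEMA analytics.marts TO ROLE orion_reader;

-- Data: SELECT only, on tables and views that exist today...
GRANT SELECT ON ALL TABLES IN SCHEMA analytics.marts TO ROLE orion_reader;
GRANT SELECT ON ALL VIEWS  IN SCHEMA analytics.marts TO ROLE orion_reader;

-- ...and on tables/views created later, so new models need no re-grant.
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics.marts TO ROLE orion_reader;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA analytics.marts TO ROLE orion_reader;

-- Dedicated service user: key-pair auth (no password), pinned to the read-only
-- role and warehouse so a stolen credential cannot switch to a broader role.
CREATE USER IF NOT EXISTS orion_svc
  RSA_PUBLIC_KEY    = '<PLACEHOLDER_PUBLIC_KEY>'
  DEFAULT_ROLE      = orion_reader
  DEFAULT_WAREHOUSE = analytics_wh;

GRANT ROLE orion_reader TO USER orion_svc;

-- Verification: every line should be USAGE or SELECT; any INSERT, UPDATE,
-- DELETE, CREATE, OWNERSHIP or grant on another schema means over-provisioning.
SHOW GRANTS TO ROLE orion_reader;
SHOW GRANTS TO USER orion_svc;
```

Deliberately absent are INSERT/UPDATE/DELETE, CREATE on the schema, and any grant on other schemas, which is what keeps the connection read-only independently of what the client promises to send; revoking the role from the user, or dropping the user, cuts access immediately when you offboard the integration.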

Looking for documentation, reports, or a security review?

Our Trust Center has our SOC 2 report, sub-processor list, and answers to common security questions. For anything else, our team is happy to walk your security and procurement reviewers through our controls.