How it works What it replaces Who it's for Advisory Guide Legal
Legal/ Information Security

Information Security

Orca is designed so that data security is a function of architecture, not just policy. Your data does not need to leave your systems, so it does not.

Last updated: March 2026  |  OMG Center Limited, Company No. 14169551

1. Our Approach to Security

Security by architecture, not just policy

Most security documentation describes controls that prevent a vendor from misusing data they hold. Orca's security posture is different: the application is designed so that operational data never reaches OMG Center in the first place.

Your Orca instance runs on your device. It connects to your database, your email, your calendar, and your AI service using your credentials. OMG Center does not intermediate any of these connections, does not operate relay servers, and has no means of accessing your operational data.

This section describes the specific security controls built into the Orca application and the standards they meet.

Layer Control Responsibility
Authentication OAuth 2.0 PKCE with S256 challenge method Client (their credentials)
Token storage OS keychain (encrypted by the operating system) Client device
Database Supabase with Row-Level Security and AES-256 encryption at rest Client (their instance)
Data in transit TLS 1.2+ for all API communication Automatic (protocol-enforced)
Application Tauri sandboxed runtime with code-signed binaries OMG Center (build)
AI processing API-only, no data retention by Anthropic for API usage Client (their API key)
Licensing Machine fingerprint binding via Keygen OMG Center

2. Authentication

Orca uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) for all identity provider authentication. PKCE with the S256 challenge method is the current recommended flow for desktop applications and provides strong protection against authorisation code interception attacks.

The authentication flow works as follows:

  • When you connect your Microsoft 365 or Google Workspace account, Orca opens a browser window directed at your identity provider's authorisation endpoint.
  • You authenticate directly with Microsoft or Google. Orca never sees your password.
  • Your identity provider issues an access token and refresh token, which are returned to the application via a local redirect.
  • These tokens are immediately written to your operating system's keychain and are not stored in any other location.
  • OMG Center does not receive, see, or store any authentication tokens at any point in this flow.

On macOS, token storage uses the macOS Keychain, which supports hardware-backed encryption on devices with Apple Silicon or a T2 security chip. On Windows, tokens are stored in the Windows Credential Manager.

3. Data at Rest

Operational data generated by your Orca instance is stored in two locations, both under your control:

  • Your Supabase database: Supabase encrypts data at rest using AES-256. Your Orca database uses Row-Level Security (RLS) policies to ensure that data is accessible only to authenticated sessions within your instance. You hold the database credentials. OMG Center does not.
  • OS keychain: Authentication tokens for your identity providers are stored in your operating system's keychain. On supported hardware, this uses hardware-backed encryption. OMG Center has no access to your keychain.

Local application state (configuration, preferences, cached data) is stored on your device. OMG Center has no remote access to your device.

4. Data in Transit

All communication between your Orca instance and external services uses TLS 1.2 or higher. This applies to:

  • Connections to your Supabase database
  • Microsoft Graph API calls
  • Google Workspace API calls
  • Anthropic Claude API calls
  • Transcription service API calls
  • Licence validation requests to Keygen

No plaintext data transmission occurs. Orca will refuse connections that cannot be established over TLS.

None of this traffic is routed through OMG Center infrastructure. Each connection goes directly from your device to the relevant service.

5. Application Security

Orca is built on the Tauri framework, which uses a Rust backend with a web-based frontend rendered in a sandboxed WebView. This architecture provides several security properties compared to conventional Electron-based desktop applications:

  • Reduced attack surface: The Rust backend handles privileged operations (file system access, OS keychain, network requests). The frontend WebView is sandboxed and cannot directly access these resources without going through explicitly defined Tauri commands.
  • Permissions model: Tauri's permissions system restricts the application to a defined set of allowed file system paths and network endpoints. The application cannot access arbitrary file system locations or make arbitrary network requests.
  • No Node.js runtime: Unlike Electron, Tauri does not include a Node.js runtime in the shipped application, removing a significant class of supply-chain attack vectors.
  • Code-signed binaries: Orca binaries are code-signed. macOS builds are notarised with Apple. Windows builds are signed with a code-signing certificate. This allows your operating system to verify that the application has not been tampered with since it was built.
  • Automatic updates: When updates are issued, they are delivered via a signed update mechanism. The application verifies the update signature before applying it.

6. AI Processing

When your Orca instance uses AI capabilities, data is sent to the Anthropic Claude API using your own Anthropic API key. Several points are relevant to data security:

  • The API request is made directly from your device to Anthropic's API endpoint. It does not pass through OMG Center servers.
  • Anthropic's current API usage policy confirms that data submitted via the API is not used to train Anthropic's models. You should review Anthropic's current terms directly, as these may be updated.
  • Data sent in an API request is processed to generate the response and is not retained by Anthropic as persistent storage.
  • Your API key is stored in your Orca configuration, not in OMG Center systems. You can rotate or revoke it at any time via your Anthropic account.
  • You control what data is included in prompts sent to the API. Orca is configured to send the minimum context necessary for the task.

If you have specific data residency requirements regarding AI processing, review Anthropic's current infrastructure documentation for information on data processing locations.

7. Licence Management

Orca uses Keygen for software licence validation. Licence validation is the only outbound connection from your Orca instance that involves OMG Center (via Keygen as our licence management provider).

The licence validation process:

  • On activation, Orca generates a machine fingerprint derived from hardware identifiers on your device. This fingerprint is used to bind the licence to your machine and prevent unauthorised use of a single licence key across multiple devices.
  • Licence validation requests contain the licence key and machine fingerprint. They do not contain operational data.
  • Keygen confirms whether the licence is valid and active for the presenting machine.
  • If Keygen is temporarily unreachable, Orca uses a cached validation state with a defined grace period.

The machine fingerprint is a technical identifier. It does not contain personal data or operational data from your Orca instance.

8. What OMG Center Secures

Because OMG Center does not hold your operational data, our own security perimeter is limited to:

  • simmance.ai website: Hosted with standard security practices, TLS, and access controls. No customer operational data is stored here.
  • Commercial records: Client contact details, invoices, and licence records are held in business systems with appropriate access controls and encryption at rest.
  • Configuration documentation: Per-client configuration notes held securely, accessible only to Chris Simmance.
  • Build and distribution pipeline: The Orca build process and distribution infrastructure are access-controlled. Only OMG Center can publish signed Orca binaries.
  • Keygen account: Our licence management account is secured with strong credentials and MFA.

9. Incident Response

In the event of a security incident affecting OMG Center systems (our website, commercial records, or build infrastructure):

  • Affected clients will be notified promptly at the email address on record.
  • OMG Center will assess whether the incident triggers notification obligations under UK GDPR (incidents involving personal data must be reported to the ICO within 72 hours where there is a risk to individuals).
  • OMG Center will take immediate steps to contain the incident and prevent recurrence.

A security incident at OMG Center cannot result in exposure of your operational data, because we do not hold it. An incident affecting your own systems (your Supabase instance, your Microsoft or Google account) is outside OMG Center's perimeter and would be subject to your own incident response procedures and the relevant service provider's policies.

10. Responsible Disclosure

If you identify a security vulnerability in the Orca application, in our website, or in any OMG Center system, please report it to us before disclosing it publicly. We will acknowledge receipt promptly and work to address valid issues in a reasonable timeframe.

To report a security concern:

  • Email: chris@omgcenter.org
  • Please include a clear description of the vulnerability, steps to reproduce it, and your assessment of its impact.
  • We ask for a reasonable disclosure window (typically 30 days) before any public disclosure, to allow us to address the issue.

We do not operate a formal bug bounty programme, but we will acknowledge responsible disclosure and give appropriate credit where desired.