Security and trust

Trust is product architecture.

OrcaLinq sits between customer messages, tenant-owned channel credentials, AI keys, and live business workflows. The platform is designed around isolation, verification, minimal data exposure, and auditable handoff.

Security posture

Controls that matter before procurement asks.

Each tenant gets isolation, audited handoff, BYOK channel ownership, and clear export. Below are the controls we ship by default.

  • Tenant isolation

    Every tenant runs as its own Pod with a tenant-scoped data plane. Locks, configuration, transcripts, and audit trail are scoped to one tenant.

  • BYOK secret handling

    Channel and AI credentials are stored encrypted, never returned in API responses, never logged, and never shared across tenants. The platform never holds custody of your provider relationship.

  • Webhook verification

    Inbound webhooks (Meta, Telegram, LINE, Shopify, custom) are verified with raw-body HMAC or provider-native signatures before any processing. Mismatched payloads are dropped at the edge.

  • Widget isolation

    The 2.4 KB chat loader sandboxes its UI in a shadow DOM-style boundary, ships its own CSP-friendly assets, and cannot leak host-page state. CSP guidance is published for buyers' security teams.

  • Passkey-first auth

    Owner and agent access run on passwordless login (passkeys, magic links, OAuth) plus TOTP. Sessions are short-lived. Revocation, IP/device pinning, and audit are first-class.

  • Audit trail (Wake)

    Every routing decision, AI tool call, knowledge lookup, handoff, agent action, export, and admin operation is captured with timestamps, actors, and reasoning into the per-tenant Wake.

  • Configurable retention

    Define how long transcripts, intent signals, and audit events are kept. Per-channel and per-policy overrides are supported.

  • Export and deletion

    Tenants can export their conversations and audit data, and request bulk deletion with retention overrides. Hard delete propagates across primary, replicas, and warm caches.
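
The raw-body HMAC check described under "Webhook verification", as an added sketch that is not OrcaLinq's code: it verifies an HMAC-SHA256 over the exact bytes received, compares in constant time, and only then parses the payload. The function names, the secret, the sample payload, and the two header encodings (`sha256=<hex>` and base64) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example only.
SECRET = b"constructed-test-secret"
RAW_BODY = b'{"event":"message","text":"hi"}'


def sign(raw_body: bytes, secret: bytes, encoding: str = "hex") -> str:
    """Compute the signature header value a sender would attach."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    if encoding == "hex":
        return "sha256=" + digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def verify_webhook(raw_body, header_value, secret, encoding="hex") -> bool:
    """True only if header_value is a valid HMAC-SHA256 over the exact bytes received."""
    if not header_value:
        return False  # a missing signature is a failure, never a bypass
    expected = sign(raw_body, secret, encoding)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def handle(raw_body, header_value, secret, encoding="hex"):
    """Verify first, parse second. Returns the parsed event, or None if dropped."""
    if not verify_webhook(raw_body, header_value, secret, encoding):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    header = sign(RAW_BODY, SECRET)
    print(handle(RAW_BODY, header, SECRET))
    # Parsing and re-serializing changes the bytes, so the same header no longer verifies.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    print(verify_webhook(reserialized, header, SECRET))
```

The last check is why the signature has to be computed before any framework middleware decodes the body: a re-serialized payload is semantically identical but byte-different, so it fails verification.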

Responsible disclosure

Report security issues privately

Email security@orcalinq.com. We prioritize reports that are specific, reproducible, and avoid harm to tenants or visitors.

  • Use a clear subject line and indicate the affected surface.
  • Include reproduction steps, expected behavior, actual behavior, and impact.
  • Do not access, modify, delete, or exfiltrate tenant or customer data.
  • Avoid denial-of-service testing, social engineering, and physical attacks.
  • Allow a reasonable response window before public disclosure.

Security FAQ

Frequently asked questions

Is the product multi-tenant?

Yes. OrcaLinq is built around per-tenant isolation with separate channel credentials, audit trails, and configurable retention.

Do you store customer transcripts?

Yes — transcripts and routing events form the Wake, which supports handoff continuity, audit, analytics, and customer experience. Retention is configurable by plan and policy.

Can our agents avoid logging into another dashboard?

Yes. Agent endpoints are designed so people can reply from WhatsApp, Telegram, LINE, the PWA, or future custom endpoints. The Podium is for owners and supervisors who want a live view.

What happens to channels if we leave?

Because every channel is BYOK, your Meta app, WABA, LINE channel, and Telegram bot remain on your accounts. OrcaLinq can stop processing messages, but your numbers and provider relationships stay yours.

Where is the data hosted?

On a global edge with regional pinning for primary state. Specific data residency arrangements can be discussed for enterprise tenants.

How do I report a security issue?

Email security@orcalinq.com with a clear subject, reproduction steps, expected vs actual behavior, and impact. Avoid touching real tenant data, denial-of-service tests, social engineering, or physical attacks.

Bring your security checklist.

Architecture diagrams, audit data samples, and tenant-isolation walkthroughs are available on demo calls.