Last updated: 25 June 2026 · OrchestriX PMO Pty Ltd · Melbourne, Australia
OrchestriX PMO is designed to the SOC 2 Type II control framework covering Security, Availability, and Confidentiality. Our full audit report is available to enterprise customers under NDA — contact security@orchestrixpmo.com.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database backups are encrypted with separate key material. Encryption keys are managed via AWS KMS with automatic rotation.
All customer project data, artefacts, and conversation logs are stored exclusively in AWS ap-southeast-2 (Sydney). We do not replicate data outside Australia. AI inference calls use Anthropic's API — conversation content is transmitted per-request and not retained by Anthropic.
Role-based access control (RBAC) enforces workspace isolation. All admin actions are logged to an immutable audit trail. OrchestriX PMO staff access to customer data requires two-person approval and is time-limited.
Supports password authentication with bcrypt hashing, Google OAuth 2.0, and Microsoft SSO (Enterprise plan). 2FA via TOTP is available on all plans. Session tokens expire after 30 days (or 24 hours if Remember Me is not selected).
We conduct annual penetration tests via an independent Australian CREST-certified security firm. Findings are remediated on a risk-tiered schedule (Critical: 48h, High: 7d, Medium: 30d).
To report a security vulnerability, email security@orchestrixpmo.com with subject line "Responsible Disclosure". We aim to acknowledge within 24 hours and provide a remediation timeline within 72 hours. We do not pursue legal action against good-faith researchers.
In the event of a data breach affecting your organisation, we will notify you within 72 hours of becoming aware, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
Security team: security@orchestrixpmo.com
OrchestriX PMO Pty Ltd, Melbourne VIC 3000, Australia