Security

Overview

Orvipa builds payroll software where confidentiality, integrity, and availability of customer and employee data are central. This page describes security practices at a high level for visitors to our marketing website and outlines how security works for the Orvipa product. Specific technical controls, certifications, and audit reports for enterprise customers are typically shared under non-disclosure agreement as part of a security review package.

Marketing website

The public Site is designed with the following principles:

• Transport security — pages are served over HTTPS (TLS) between your browser and our hosting provider, protecting data in transit from eavesdropping and tampering in ordinary network conditions.
• Hosting — we use reputable cloud infrastructure (for example Vercel or equivalent) with physical and network controls operated by the provider under shared responsibility models.
• Minimal data — the marketing Site collects limited personal information (primarily what you submit in forms and technical metadata). Optional analytics loads only after explicit consent as described in our Cookie policy.
• Patching and dependencies — we apply security updates to the Site’s framework and dependencies through our normal development and deployment pipeline.

Organizational measures

• Access control — access to production systems and customer data within Orvipa is limited to personnel who need it for their role, subject to authentication and authorization policies.
• Vendor management — subprocessors that host or process data are evaluated for security and privacy practices; contractual terms include confidentiality and assistance obligations where appropriate.
• Incident response — we maintain procedures to detect, contain, and remediate security incidents, including assessment of whether notification to customers or regulators is required under law or contract.

Product (Orvipa application)

The payroll application is multi-tenant: customer organizations are logically separated; users authenticate with credentials appropriate to their environment; and role-based access limits what each user can see and do. Features such as approvals, audit trails, and exports are designed to support operational and compliance workflows. Exact architecture diagrams, encryption details, backup frequency, and penetration test summaries are provided to customers under NDA.

Encryption and data protection

We use industry-standard encryption for data in transit. Data at rest may be encrypted depending on database and storage configuration provided by our hosting partners. Key management follows provider best practices. Customers remain responsible for configuring strong authentication, managing user access within their tenant, and classifying data they upload.

Logging and monitoring

We may collect logs for security monitoring, troubleshooting, and abuse detection. Logs are retained for limited periods according to operational need and legal requirements. Product audit logs may be available to customer administrators depending on subscription features.

Business continuity

We design for resilience using cloud redundancy, backups, and recovery procedures appropriate to our service tier. Recovery time and point objectives vary by component; enterprise customers may negotiate specific commitments in their agreement.

Vulnerability disclosure

If you discover a vulnerability in the Site or the Services, please report it responsibly. Send email to hello@orvipa.com with:

• A clear description of the issue and affected component.
• Steps to reproduce, including proof-of-concept if safe and minimal.
• Potential impact (confidentiality, integrity, availability).
• Your contact information for follow-up.

Do not access data you do not own, perform actions that could harm availability for other users, or publicly disclose details before we have had a reasonable time to remediate. We appreciate coordinated disclosure and will acknowledge receipt where possible.

Personal data breaches

Where a breach affects personal information, we assess notification obligations under PIPEDA, provincial law, GDPR, and other applicable rules, and we coordinate with affected customers under contractual terms for product data.

Your responsibilities

Keep your devices patched, use strong unique passwords or SSO where offered, and report suspected compromise of your account immediately. Follow your organization’s security policies when using Orvipa on behalf of an employer or client.