// Trust & Security Report

    Orca Security Ltd. logo

    Orca Security Ltd.

    AI-Powered Cloud Native Application Protection Platform (CNAPP): CSPM, CWPP, CIEM, CDR, DSPM, API Security, Application Security, Vulnerability Management, Orca AI (AI assistant and agents), Orca Sensor (eBPF-based real-time sensor), SideScanning agentless technology

    Certifications held

    13

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Footer of orca.security homepage states 'SOC 2 TYPE II Certified'. Trust center (trustcenter.orca.security) lists SOC 2 Report as a featured document available for download.

    Verify on orca.security
    ISO/IEC 27001
    HELD

    Footer of orca.security homepage states 'ISO/EC 27001 Information'. Trust center lists ISO/IEC 27001 certification document as a featured downloadable report.

    Verify on orca.security
    ISO/IEC 27017
    HELD

    Footer of orca.security homepage states 'ISO/EC 27017 Information'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27017:2015' as a held certification and provides the certification document.

    Verify on orca.security
    ISO/IEC 27018
    HELD

    Footer of orca.security homepage states 'ISO/EC 27018 Information'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27018:2019' as a held certification and provides the certification document.

    Verify on orca.security
    ISO/IEC 27701 (Privacy Information Management)
    HELD

    Footer of orca.security homepage states 'ISO/EC 27701 Privacy'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27701' as a held certification.

    Verify on orca.security
    FedRAMP Moderate
    HELD

    Footer of orca.security states 'FedRAMP Moderate Authorized'. Press release dated February 12, 2025: 'The Orca Cloud Security Platform is now listed as FedRAMP Authorized on the FedRAMP Marketplace'. FedRAMP Marketplace entry: FR2301844932.

    Verify on orca.security
    PCI DSS SAQ-D (v4.0)
    HELD

    Footer of orca.security states 'PCI SAQ-D'. Blog post (July 29, 2024): 'Orca is eligible for SAQ D because it doesn't directly store, process, or transmit cardholder data.' GRSee Consulting validated compliance. NOTE: SAQ-D is a self-assessment questionnaire, not a full QSA-audited PCI DSS Report on Compliance. The blog title uses the word 'certification' but the text clarifies 'The SAQ D certification doesn't make Orca fully compliant with PCI DSS.'

    Verify on orca.security
    CSA STAR Level 1 (Self-Assessment)
    HELD

    Footer of orca.security states 'Star Level One: Self-Assessment Cloud Security Alliance'. Trust center confirms CSA STAR is held. Level 1 is a self-assessment (CAIQ), not an independently audited Level 2 Attestation.

    Verify on orca.security
    CSA Trusted Cloud Provider
    HELD

    Footer of orca.security states 'CSA Trusted Cloud Provider Cloud Security Alliance'.

    Verify on orca.security
    IRAP (Australia, Protected Level)
    HELD

    Blog post published August 12, 2025: 'the Orca Cloud Security Platform has completed the Australian IRAP assessment at the Protected classification level.' Auditing partner: Tesserent (approved IRAP assessor). Note: vendor describes this as an 'assessment' rather than a formal certification.

    Verify on orca.security
    GovRAMP
    HELD

    Government solutions page (orca.security/solutions/industries/multi-cloud-security-and-compliance-for-government/) lists 'GovRAMP Authorized' among Orca's held certifications.

    Verify on orca.security
    TX-RAMP
    HELD

    Government solutions page (orca.security/solutions/industries/multi-cloud-security-and-compliance-for-government/) lists 'TX-RAMP Certified' among Orca's held certifications.

    Verify on orca.security
    AWS Advanced Technology Partner Security Competency
    HELD

    Footer of orca.security homepage states 'AWS Advanced Technology Partner Security Competency'. Also mentioned in platform and partner pages.

    Verify on orca.security
    > Show 3 unconfirmed / not-held certifications
    HIPAA (vendor-held BAA/certification)
    NOT CONFIRMED

    HIPAA is not listed in the orca.security footer certifications, not listed in the trust center certification list, and no public BAA documentation was found. Orca's platform helps customers assess their own HIPAA posture, but no evidence Orca itself holds a HIPAA compliance attestation or offers BAAs as a standard contract term.

    source: trustcenter.orca.security
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No mention of ISO/IEC 42001 found on orca.security, in the trust center, or in vendor blog posts as of June 2026.

    source: trustcenter.orca.security
    CSA STAR Level 2 (Independent Attestation)
    NOT CONFIRMED

    Trust center and homepage footer confirm only CSA STAR Level 1 (Self-Assessment). No evidence of independently audited CSA STAR Level 2 attestation.

    source: orca.security

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    No specific data residency options publicly documented. Privacy policy mentions EU/EEA transfers are covered by Standard Contractual Clauses, and access from Israel is covered by the EU Adequacy Decision for Israel. Trust center notes Impact Level: Moderate.

    No explicit public statement found on whether Orca AI (AI assistant, AI agents, AI discovery) trains on customer cloud environment data. A CISO-authored article states 'We enforce strict access policies and follow robust data governance practices, including data encryption, anonymization, masking, and secure storage' but does not directly address AI training on customer data. Customers should request explicit contractual commitments on this point.

    // Security controls

    Encryption in transit

    Industry-standard (implied by SOC 2 Type II audit scope and trust center SecurityScorecard A grade); no specific TLS version stated publicly

    trustcenter.orca.security

    Encryption at rest

    Implied by SOC 2 Type II and ISO 27001 scope; CISO article references 'data encryption' as a data governance practice

    orca.security

    Agentless architecture

    SideScanning technology scans customer cloud environments without installing agents; cloud credentials or read-only API access are used. Orca Sensor (eBPF) is an optional lightweight runtime agent for real-time CDR.

    orca.security

    Penetration testing

    Trust center lists a Pentest Report as a featured downloadable document, indicating regular third-party penetration testing is conducted.

    trustcenter.orca.security

    SecurityScorecard rating

    Grade A

    trustcenter.orca.security

    CryptCheck rating

    A+ rating

    trustcenter.orca.security

    Recovery Time Objective

    4 hours (stated in trust center risk profile)

    trustcenter.orca.security

    Data access to customer environment

    Read-only cloud API access or snapshot-based SideScanning. Data Access Level listed as 'Restricted' in trust center.

    trustcenter.orca.security

    Vulnerability disclosure / bug bounty

    Security Portal linked from homepage footer (https://orca.security/security-portal/). No public bug bounty program page found.

    orca.security

    // Products & data scope

    Orca Cloud Security Platform (CNAPP)Cloud Native Application Protection Platform

    data: Read-only access to customer AWS, Azure, GCP, Oracle Cloud, Alibaba Cloud, Tencent Cloud environments via SideScanning (out-of-band, agentless) or API. Scans workloads, containers, configurations, identities, data stores, and AI models within customer clouds.

    Core offering. Enterprise SaaS. Pricing is not public; demo required. Available on FedRAMP Marketplace and AWS Marketplace (try free). Covers CSPM, CWPP, CIEM, DSPM, CDR, vulnerability management, API security.

    Orca AIAI Security and AI-Powered Platform Features

    data: Operates across the same Unified Data Model derived from customer cloud scans. Includes AI Assistant (Q&A), AI agents (automated workflows), AI Discovery (discovery of AI models in customer environments), AI-Generated Code Fixes.

    Built into the platform; not a separate product tier. AI training posture on customer data is not publicly documented.

    Orca SensorCloud Detection and Response (CDR) - Runtime Agent

    data: Optional lightweight eBPF-based sensor deployed in customer workloads for real-time threat detection. Extends visibility to hybrid and multi-cloud environments.

    Supplement to agentless platform; separate deployment required.

    Orca for GovernmentFedRAMP / Government Cloud Security

    data: Same platform scope, operated under FedRAMP Moderate authorization. Available via Carahsoft, SAIC, GuidePoint Security, Lumen, Optiv+Clearshark, and GSA Multiple Schedule.

    FedRAMP Authorized (Moderate), GovRAMP Authorized, TX-RAMP Certified.

    // What to watch

    • PCI SAQ-D over-claim risk: Blog post title says 'Orca Earns PCI DSS Certification' but body clarifies 'The SAQ D certification doesn't make Orca fully compliant with PCI DSS.' SAQ-D is a self-assessment questionnaire, not a full QSA-audited Report on Compliance. AIFOXX should list as 'PCI DSS SAQ-D (self-assessed)' rather than 'PCI DSS certified.'
    • CSA STAR Level 1 is a self-assessment (CAIQ submission), not an independently audited Level 2 Attestation. Both the homepage and trust center are accurate in calling it 'Level One: Self-Assessment' but it should not be presented equivalently to audited certs.
    • AI training on customer data: No public statement or contractual commitment found on whether Orca AI features train on customer cloud environment data. Customers handling sensitive workloads should request explicit contractual language before deployment.
    • HIPAA: Orca helps customers achieve HIPAA compliance on their own cloud environments; however, Orca's own HIPAA certification or BAA availability is not publicly documented. Do not list HIPAA as a vendor-held cert.
    • IRAP is described as an 'assessment' not a formal government certification. It demonstrates meeting Australian ISM standards at Protected level but terminology differs from FedRAMP-style formal authorization.
    • Data residency options are not publicly detailed. Enterprise buyers with strict data locality requirements (EU, APAC) should confirm geographic controls contractually.

    // At a glance

    Pricing model

    Enterprise SaaS; pricing not publicly disclosed; demo/quote required. Free trial available via AWS Marketplace.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Orca Security Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.orca.security

    > Browse all vendor trust reports