// Trust & Security Report
Orca Security Ltd.
AI-Powered Cloud Native Application Protection Platform (CNAPP): CSPM, CWPP, CIEM, CDR, DSPM, API Security, Application Security, Vulnerability Management, Orca AI (AI assistant and agents), Orca Sensor (eBPF-based real-time sensor), SideScanning agentless technology
Certifications held
13
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on orca.security“Footer of orca.security homepage states 'SOC 2 TYPE II Certified'. Trust center (trustcenter.orca.security) lists SOC 2 Report as a featured document available for download.”
Verify on orca.security“Footer of orca.security homepage states 'ISO/EC 27001 Information'. Trust center lists ISO/IEC 27001 certification document as a featured downloadable report.”
Verify on orca.security“Footer of orca.security homepage states 'ISO/EC 27017 Information'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27017:2015' as a held certification and provides the certification document.”
Verify on orca.security“Footer of orca.security homepage states 'ISO/EC 27018 Information'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27018:2019' as a held certification and provides the certification document.”
Verify on orca.security“Footer of orca.security homepage states 'ISO/EC 27701 Privacy'. Trust center (trustcenter.orca.security) lists 'ISO/IEC 27701' as a held certification.”
Verify on orca.security“Footer of orca.security states 'FedRAMP Moderate Authorized'. Press release dated February 12, 2025: 'The Orca Cloud Security Platform is now listed as FedRAMP Authorized on the FedRAMP Marketplace'. FedRAMP Marketplace entry: FR2301844932.”
Verify on orca.security“Footer of orca.security states 'PCI SAQ-D'. Blog post (July 29, 2024): 'Orca is eligible for SAQ D because it doesn't directly store, process, or transmit cardholder data.' GRSee Consulting validated compliance. NOTE: SAQ-D is a self-assessment questionnaire, not a full QSA-audited PCI DSS Report on Compliance. The blog title uses the word 'certification' but the text clarifies 'The SAQ D certification doesn't make Orca fully compliant with PCI DSS.'”
Verify on orca.security“Footer of orca.security states 'Star Level One: Self-Assessment Cloud Security Alliance'. Trust center confirms CSA STAR is held. Level 1 is a self-assessment (CAIQ), not an independently audited Level 2 Attestation.”
Verify on orca.security“Footer of orca.security states 'CSA Trusted Cloud Provider Cloud Security Alliance'.”
Verify on orca.security“Blog post published August 12, 2025: 'the Orca Cloud Security Platform has completed the Australian IRAP assessment at the Protected classification level.' Auditing partner: Tesserent (approved IRAP assessor). Note: vendor describes this as an 'assessment' rather than a formal certification.”
Verify on orca.security“Government solutions page (orca.security/solutions/industries/multi-cloud-security-and-compliance-for-government/) lists 'GovRAMP Authorized' among Orca's held certifications.”
Verify on orca.security“Government solutions page (orca.security/solutions/industries/multi-cloud-security-and-compliance-for-government/) lists 'TX-RAMP Certified' among Orca's held certifications.”
Verify on orca.security“Footer of orca.security homepage states 'AWS Advanced Technology Partner Security Competency'. Also mentioned in platform and partner pages.”
> Show 3 unconfirmed / not-held certifications
source: trustcenter.orca.securityHIPAA is not listed in the orca.security footer certifications, not listed in the trust center certification list, and no public BAA documentation was found. Orca's platform helps customers assess their own HIPAA posture, but no evidence Orca itself holds a HIPAA compliance attestation or offers BAAs as a standard contract term.
source: trustcenter.orca.securityNo mention of ISO/IEC 42001 found on orca.security, in the trust center, or in vendor blog posts as of June 2026.
source: orca.securityTrust center and homepage footer confirm only CSA STAR Level 1 (Self-Assessment). No evidence of independently audited CSA STAR Level 2 attestation.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
No specific data residency options publicly documented. Privacy policy mentions EU/EEA transfers are covered by Standard Contractual Clauses, and access from Israel is covered by the EU Adequacy Decision for Israel. Trust center notes Impact Level: Moderate.
No explicit public statement found on whether Orca AI (AI assistant, AI agents, AI discovery) trains on customer cloud environment data. A CISO-authored article states 'We enforce strict access policies and follow robust data governance practices, including data encryption, anonymization, masking, and secure storage' but does not directly address AI training on customer data. Customers should request explicit contractual commitments on this point.
// Security controls
Encryption in transit
Industry-standard (implied by SOC 2 Type II audit scope and trust center SecurityScorecard A grade); no specific TLS version stated publicly
trustcenter.orca.securityEncryption at rest
Implied by SOC 2 Type II and ISO 27001 scope; CISO article references 'data encryption' as a data governance practice
orca.securityAgentless architecture
SideScanning technology scans customer cloud environments without installing agents; cloud credentials or read-only API access are used. Orca Sensor (eBPF) is an optional lightweight runtime agent for real-time CDR.
orca.securityPenetration testing
Trust center lists a Pentest Report as a featured downloadable document, indicating regular third-party penetration testing is conducted.
trustcenter.orca.securityData access to customer environment
Read-only cloud API access or snapshot-based SideScanning. Data Access Level listed as 'Restricted' in trust center.
trustcenter.orca.securityVulnerability disclosure / bug bounty
Security Portal linked from homepage footer (https://orca.security/security-portal/). No public bug bounty program page found.
orca.security// Products & data scope
data: Read-only access to customer AWS, Azure, GCP, Oracle Cloud, Alibaba Cloud, Tencent Cloud environments via SideScanning (out-of-band, agentless) or API. Scans workloads, containers, configurations, identities, data stores, and AI models within customer clouds.
Core offering. Enterprise SaaS. Pricing is not public; demo required. Available on FedRAMP Marketplace and AWS Marketplace (try free). Covers CSPM, CWPP, CIEM, DSPM, CDR, vulnerability management, API security.
data: Operates across the same Unified Data Model derived from customer cloud scans. Includes AI Assistant (Q&A), AI agents (automated workflows), AI Discovery (discovery of AI models in customer environments), AI-Generated Code Fixes.
Built into the platform; not a separate product tier. AI training posture on customer data is not publicly documented.
data: Optional lightweight eBPF-based sensor deployed in customer workloads for real-time threat detection. Extends visibility to hybrid and multi-cloud environments.
Supplement to agentless platform; separate deployment required.
data: Same platform scope, operated under FedRAMP Moderate authorization. Available via Carahsoft, SAIC, GuidePoint Security, Lumen, Optiv+Clearshark, and GSA Multiple Schedule.
FedRAMP Authorized (Moderate), GovRAMP Authorized, TX-RAMP Certified.
// What to watch
- PCI SAQ-D over-claim risk: Blog post title says 'Orca Earns PCI DSS Certification' but body clarifies 'The SAQ D certification doesn't make Orca fully compliant with PCI DSS.' SAQ-D is a self-assessment questionnaire, not a full QSA-audited Report on Compliance. AIFOXX should list as 'PCI DSS SAQ-D (self-assessed)' rather than 'PCI DSS certified.'
- CSA STAR Level 1 is a self-assessment (CAIQ submission), not an independently audited Level 2 Attestation. Both the homepage and trust center are accurate in calling it 'Level One: Self-Assessment' but it should not be presented equivalently to audited certs.
- AI training on customer data: No public statement or contractual commitment found on whether Orca AI features train on customer cloud environment data. Customers handling sensitive workloads should request explicit contractual language before deployment.
- HIPAA: Orca helps customers achieve HIPAA compliance on their own cloud environments; however, Orca's own HIPAA certification or BAA availability is not publicly documented. Do not list HIPAA as a vendor-held cert.
- IRAP is described as an 'assessment' not a formal government certification. It demonstrates meeting Australian ISM standards at Protected level but terminology differs from FedRAMP-style formal authorization.
- Data residency options are not publicly detailed. Enterprise buyers with strict data locality requirements (EU, APAC) should confirm geographic controls contractually.
// At a glance
Pricing model
Enterprise SaaS; pricing not publicly disclosed; demo/quote required. Free trial available via AWS Marketplace.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Orca Security Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.orca.security