Key Messages
- ORCA provides zero-trust cloud storage, meaning that ORCA and our carefully selected service providers can NOT decrypt the sensitive information that our clients enter/upload in their ORCA Accounts.
- ORCA is committed to data privacy by design. We are EU General Data Protection Regulation (GDPR) compliant and only work with service providers that are GDPR compliant (see our Overview of Service Providers). For further details on our security model, see our Security White Paper, and on GDPR, read our dedicated article on GDPR.
- This Privacy Notice applies to all data collected when a User uses ORCA’s software. If you have any questions or feedback about it, please send an email to privacy@withorca.com. We will be very happy to assist you.
Contents
This Privacy Notice outlines
- WHICH information ORCA and our carefully selected service providers collect and can access about our clients,
- WHAT this information is used for,
- WHY we need to collect/access this information (neither ORCA nor our service providers ever collect information about our clients without a reason).
Which information ORCA and our service providers can access
ORCA is committed to protecting our clients’ privacy! ORCA and our service providers can NOT access the sensitive information our clients store in their ORCA Accounts. ONLY the Account Users can access this information.
The only information ORCA and our service providers can access about our clients is:
- the information ORCA needs to run/operate ORCA’s software, and
- the information our service providers need to provide their services.
This information includes personal data such as the name of the Billing Contact, the Billing Address, etc. It does NOT include the sensitive information our clients specifically choose ORCA to store and protect (e.g. the names and details of legal entities, key documents etc.).
To ensure our clients’ privacy is protected as much as possible, we do our utmost to limit the information ORCA and our service providers can access. The exact information ORCA requires to run/operate our software and that our service providers need to provide their services is documented below. Any information entered into ORCA that is not listed below is encrypted and stored in such a way that neither ORCA nor our service providers can decipher it (e.g. the specifics of Legal Entities, Persons, Files etc.). We refer to this approach as zero-trust. For more information about our zero-trust approach and how we encrypt the data, please see our Security White Paper.
The information ORCA and our service providers need access to cannot be encrypted in the same way as the sensitive information our clients specifically use ORCA to store and protect. We need access to this data to fulfill and honor the contract we have with you. The legal basis for our processing of the personal data listed below is documented in each section.
ORCA needs access to the following information to run/operate our software
Authentication Data
To use ORCA’s service, Users need to authenticate. To this end, ORCA must store:
- the email address of every User, and
- the cryptographic key derived from the User’s Secret Key (this is a one-way derivation, so ORCA can NOT infer the User’s Secret Key from it).
Please note that ORCA can NOT see, infer, change or reset the Secret Key any User requires to log in. ORCA does NOT possess the information required to decrypt the sensitive data kept in any ORCA Account.
The legal basis for processing this data is our legitimate interests in applying appropriate security measures for the provision of our services.
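As an added illustration (not ORCA’s own code; this notice does not describe the actual derivation function or cipher ORCA uses), the following Python shows the property the Authentication Data section relies on, and the device-side encryption described later for Files: the server stores only a value derived one way from the Secret Key, can verify a login with it, and cannot recover the Secret Key or decrypt anything the User uploads. The key labels, nonce and sample data are constructed for the example.

```python
import hashlib
import hmac

def derive_keys(secret_key: str, email: str) -> tuple:
    """One-way derivation: a stretched root from the Secret Key, then two
    domain-separated sub-keys; neither output can be reversed to the secret."""
    root = hashlib.pbkdf2_hmac("sha256", secret_key.encode(), email.lower().encode(), 200_000)
    auth_key = hmac.new(root, b"example/auth", hashlib.sha256).digest()     # sent to server
    enc_key = hmac.new(root, b"example/encrypt", hashlib.sha256).digest()   # never leaves device
    return auth_key, enc_key

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream built from HMAC-SHA256 (illustration only; a real
    client would use an AEAD such as AES-GCM). XOR is its own inverse, so the same
    call encrypts and decrypts. The nonce must never repeat under one key."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class ZeroTrustServer:
    """Holds only what the notice lists: the email, the derived auth key, and ciphertext."""
    def __init__(self):
        self.auth_keys = {}
        self.blobs = {}
    def register(self, email: str, auth_key: bytes) -> None:
        self.auth_keys[email] = auth_key
    def login(self, email: str, auth_key: bytes) -> bool:
        stored = self.auth_keys.get(email)
        return stored is not None and hmac.compare_digest(stored, auth_key)
    def upload(self, email: str, blob: bytes) -> None:
        self.blobs[email] = blob
    def operator_attempt(self, email: str, nonce: bytes) -> bytes:
        # The most an operator could try: decrypt with the only key it holds.
        return keystream_xor(self.auth_keys[email], nonce, self.blobs[email])

def demo() -> dict:
    email, secret = "user@example.com", "correct horse battery staple"  # constructed
    auth_key, enc_key = derive_keys(secret, email)
    server = ZeroTrustServer()
    server.register(email, auth_key)
    nonce, plaintext = b"constructed-nonce", b"Legal entity: Example Holding AG"
    server.upload(email, keystream_xor(enc_key, nonce, plaintext))  # encrypted on device
    return {"plaintext": plaintext,
            "login_ok": server.login(email, auth_key),
            "login_wrong": server.login(email, derive_keys("wrong secret", email)[0]),
            "client_reads": keystream_xor(enc_key, nonce, server.blobs[email]),
            "operator_reads": server.operator_attempt(email, nonce)}
```

Running demo() shows a correct login succeeding, a wrong Secret Key failing, the client recovering its plaintext, and the operator’s attempt yielding only noise.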
Database Data
To ensure that
- every User has access to the correct data within ORCA,
- the data has not been compromised,
- there are reliable audit trails within the Account, and
- invoices are generated accurately
ORCA needs to collect and store information about each User.
The information that ORCA has access to for every User, Account and Vault is limited to:
- the User’s email address (and the associated User ID in ORCA),
- the timestamp of when the User was created and registered,
- the User’s status (Active or Deleted),
- whether Two-Factor Authentication is active for the User or not,
- the meta information of each User’s Trusted Devices, including the browser’s name and version and Operating System’s name and version,
- the associated Account ID and Vault IDs the User has access to (please note that ORCA does NOT see the names of the Accounts and Vaults, just the IDs),
- the role the User has per Account ID and per Vault ID (e.g. Account Owner, Admin, Member with Edit / Read rights, etc.),
- the timestamp of each action the User performs on the Account / Vault data (please note that ORCA can NOT see the details of the changes made, the type of change made, i.e. creation, editing or deletion, or which data is affected by the change; that information is all encrypted),
- the meta information about secured shared links, including the expiration date of the link, the type (e.g. structure, files, meetings, etc.), the IDs of the entities shared and the cryptographic key derived from the shared link password (please note that ORCA can NOT see any of the contents of the shared link if the link is password protected),
- the information required to invoice each Account (such as the number of Persons, Assets, Securities, Liabilities and Files stored per Vault ID),
- the additional modules activated within each Vault ID (i.e. Cash Flows, Reminders, Meetings, etc.), and
- when/if specific functionalities were enabled in each Vault ID, namely Upload Via Email functionality (see more in the Upload via Email Addendum to the Terms and Conditions) and Addepar (see more in the Addepar Addendum to the Terms and Conditions).
ORCA can NOT see any other information. Neither ORCA nor our carefully chosen service providers can see anything specific about the Assets, Persons, Files or Tasks stored within an Account. Specifically, we can NOT see or access any sensitive data, such as:
- the names of Assets, Persons or Files,
- the content of Files,
- the pictures for Assets or Persons,
- the contact details (address, telephone numbers or email addresses) for Persons,
- the contents of the notes for Assets, Persons or Files,
- the relationships between Assets, Persons and Files,
- the contents of Tasks (including Title, Description and Linked items), or
- the details of the Account and Vaults, such as their name.
The legal basis for processing this data is the provision of our services to you based on our contract with you.
ORCA’s service providers need access to the following information to provide their services
ORCA believes the best way we can provide value is to focus on developing our core offering whilst engaging carefully selected vendors to provide/support all ancillary services. Carefully selected means subjected to thorough security and privacy assessments.
Whilst we reserve the right to determine which vendors we engage for which purposes, we commit to 100% transparency, i.e. we will always communicate which service providers we engage for what.
ORCA strives to ensure our service providers can access as little information about our clients as possible. We only share information about our clients with a service provider if it is:
- Integral for them to provide the desired service, and/or
- Legally required.
For instance, we must share the billing contact name and billing address for an Account with our payment provider (Stripe) for them to be able to process credit card payments. By contrast, our file storage provider does NOT need to know the Account’s name, billing address or the contents of the Files being stored in order to store them (every File is encrypted on the User’s device before it is sent to the file storage provider, so the provider only ever receives it in encrypted, i.e. illegible, form).
For details on which service providers ORCA uses, what they are used for, and what information each can access, see below. The list contains all service providers ORCA uses that are privy to client and User information. It is NOT an exhaustive list of all service providers ORCA uses. Any service provider(s) we use that does NOT process personal and/or sensitive data is not listed.
Google Cloud
ORCA uses Google Cloud to host its services. Whilst Google Cloud stores and backs up all the information Users upload into their ORCA Accounts (all of the details of the Legal Entities, Assets, Persons and Files as well as the Files themselves), Google Cloud can NOT access any of this information. All of the information a User enters into ORCA is encrypted on the User’s device before it is sent to Google Cloud. This means Google Cloud can NOT read any information or Files stored in an ORCA Account (as it can NOT infer the Users’ credentials or access the Account).
The only information Google Cloud can access is
- the unencrypted information in the database (i.e. the same information ORCA has access to; see “ORCA needs access to the following information to run/operate our software → Database Data”), and
- The application logs. The logs are used to debug any issue a User might face within the ORCA application. No sensitive or personal information is ever disclosed in the logs. The information in a log entry is limited to the:
- User ID,
- Account ID,
- Vault ID,
- Action triggering the issue (but NOT the contents of the action),
- Stack trace of the error,
- IP address of the User login, and
- User-Agent of the User’s browser.
The application logs are stored for a period of 180 days.
ORCA uses the Google Cloud data center in Zurich. Google Cloud is a certified PCI/DSS Service Provider (Level 1) and holds numerous other certificates, such as ISO 27001 and SOC 1, 2 and 3. More information about the certification and other security and privacy related details for Google Cloud can be found here.
The legal basis for processing this data is the provision of our services to you based on our contract with you.
Mailgun
Mailgun is ORCA’s tool for all technical email communications with clients. For example, the email invitation each new User receives and the email used to validate a User’s email address are sent via Mailgun.
In performing this task, Mailgun becomes privy to every User’s email address and the email content.
Mailgun is GDPR compliant. More information about the information security and compliance at Mailerlite can be found here.
The legal basis for processing is the provision of our services to you based on our contract with you.
Stripe
Stripe is ORCA’s payment provider. We use Stripe to process credit card payments (example: for ORCA’s subscription fee).
As a regulated financial entity, Stripe is required by law to collect certain client-specific data when conducting its business. It must, however, also adhere to very strict guidelines as to how to store/protect this sensitive information. Stripe is a certified PCI/DSS Service Provider (Level 1). More information about how Stripe treats security and privacy can be found here.
If the payment is executed via credit card, then the following information is shared with Stripe:
- the billing contact email address,
- the name on the credit card,
- the billing address for the credit card, and
- the credit card information (i.e. credit card number, expiry date etc.).
Please note that ORCA’s use of Stripe as a payment provider means ORCA never needs to know the credit card information for any of our clients (only Stripe needs to know the credit card details). Should a representative of ORCA ever ask for credit card information, please do not provide it and inform us immediately at privacy@withorca.com.
The legal basis for processing this data is the provision of our services to you based on our contract with you.
Xero
Xero is ORCA’s accounting software. We use Xero to reconcile our financial accounts and generate periodic profit and loss statements, balance sheets and other financial statements.
In the process of performing these functions, Xero becomes privy to the following information:
- billing contact name,
- billing contact email address,
- billing address,
- Tax ID number (if applicable),
- how much was paid for ORCA and when (including the details of the subscription i.e. the number of Users, Vaults, Items etc.).
Xero does not have access to any information about Users invited to an Account (e.g. usernames etc.).
Xero is ISO 27001 and SOC 2 certified and is GDPR and PCI/DSS compliant. More information about the certification and other security and privacy related details can be found here.
