Your data stays yours.
Orpheus is built with privacy and operational controls in mind. Audio you upload is encrypted in transit and at rest, processed through configured subprocessors, and handled according to the retention settings that apply to your plan and product path.
What happens to your audio
Upload
Files are transmitted over TLS 1.3. They land in an isolated per-account storage bucket — no shared paths between users.
Process
Transcription runs in ephemeral worker environments that are discarded after each job. No persistent access to raw audio during inference.
Store
Transcripts and audio are encrypted at rest. Anonymous and registered-user content follow the retention policy for the product path and plan in use.
Delete
Deletion and erasure workflows are handled through support and product controls as they become available. Some billing, security, and audit metadata may be retained where legally required.
Built for regulated industries
Privacy and data protection
Orpheus maintains technical records for access, exports, retention, and subprocessors. Our controller/processor role, DPA terms, and cross-border transfer language are handled through customer and counsel review.
- Subprocessor inventory maintained
- Data export is available from the console
- Erasure workflow is being implemented and documented
- Enterprise privacy terms reviewed case by case
Security control program
We are building the control set expected by larger customers: access management, dependency scanning, incident response, change management, audit logging, and availability monitoring.
- SOC 2 readiness work in progress
- Security review process before major releases
- Automated dependency scanning
- Incident response contact: [email protected]
Who can see your data
Keys can be scoped to read-only, write-only, or specific endpoints. Rotate or revoke any key instantly from the console.
Team plan includes role-based access control. Owners, editors, and viewers have distinct permission sets across jobs, keys, and billing.
Enterprise accounts get full audit logs of who accessed what, when, and from which IP — exportable as JSON or CSV.
Enterprise customers can enforce SSO via SAML 2.0 or OIDC, disabling password-based login for all team members.
Where your data lives
| Layer | Provider | Region | Standard |
|---|---|---|---|
| CDN / Edge | Cloudflare | Global | ISO 27001, SOC 2 |
| Object storage | Cloudflare R2 | Cloudflare-managed regions | AES-256 at rest |
| Database | Cloudflare D1 | US East | Encrypted, replicated |
| AI inference | Cloudflare AI | Global edge | Ephemeral, no logging |
Security questions
Is my audio used to train AI models?
Orpheus does not use customer audio to train Orpheus-owned models by default. Third-party AI providers process audio only to provide the transcription service, subject to their applicable terms and our configured retention settings.
Can I get a DPA (Data Processing Agreement)?
Enterprise customers can request data protection terms by emailing [email protected]. Availability and terms are reviewed based on the customer, jurisdiction, and use case.
Where is data stored geographically?
Default storage and processing depend on the Cloudflare services and AI providers used for a job. Enterprise residency requirements should be discussed before production deployment.
How do I delete my data?
Use the console export tools and contact [email protected] for deletion or erasure requests while the self-service deletion workflow is being completed. Some records may be retained where required for billing, fraud prevention, security, or legal obligations.
Do you have a bug bounty program?
We review responsibly reported security issues. To report a vulnerability, email [email protected]. Response and remediation timing depends on severity, exploitability, and required third-party coordination.
Have specific security requirements?
Talk to us about enterprise deployments, privacy terms, residency requirements, and security review materials.