Ora Cloud Services

Security

Security at Ora Cloud Services

The security of our own infrastructure and client data is a condition of our clients' trust. The following is a summary; a detailed security posture document is available to current and prospective clients under NDA.

Certifications and frameworks

  • ISO 27001:2022 (certified, Bureau Veritas)
  • SOC 2 Type II (in progress)
  • Cyber Essentials Plus (certified, UK delivery arm)
  • PCI DSS compliant as a cloud infrastructure service provider

Data protection

Client data — including infrastructure configuration, access credentials held under the managed service, and any data accessible through managed environments — is handled under GDPR and Irish data-protection law. Our management infrastructure is EU-resident on AWS (eu-west-1, eu-central-1). We do not transfer client data outside the EEA. See our privacy notice for detail.

Vulnerability disclosure

We welcome reports of security issues affecting our systems. To report a vulnerability, see our security.txt file or write to security@oracloudservices.com. We commit to acknowledging reports within two working days and to a coordinated disclosure timeline of up to 90 days, extendable by agreement.

Penetration testing

Our infrastructure is independently tested annually by a CREST-accredited assessor. The latest assessment was completed in Q4 2025 (assessor: a CREST-accredited Dublin firm); an executive summary is available to prospective clients on request under NDA.

Subprocessors

A current list of our subprocessors is available on request to clients under NDA. Updates to the list are notified by email with 30 days' notice.