Security
Last updated: May 22, 2026
At Optima Engineering LLC ("Optima," "we," "us," or "our"), we are committed to protecting the security of Orakle and the data our customers entrust to us. This page describes the security practices and safeguards in place today. Orakle is an early-stage product, and we describe our practices honestly: where a capability is planned rather than in place, we say so. For details on how we handle personal data, see our Privacy Policy and Data Processing Agreement.
1. Infrastructure Security
Orakle is hosted on cloud infrastructure operated by established providers, including Vercel for application hosting. These providers maintain their own SOC 2-compliant facilities and physical security controls.
- Encryption in transit: all traffic between clients and the Orakle API, including REST requests and server-sent event (SSE) streams, is encrypted using TLS.
- Encryption at rest: data stored by Orakle is encrypted at rest using the encryption capabilities provided by our hosting and database providers.
- Managed hosting: we rely on managed cloud infrastructure so that platform-level patching, network controls, and physical security are handled by providers with mature security programs.
- Configuration management: infrastructure and application configuration is version-controlled and deployed through auditable, repeatable processes.
2. Application Security
We aim to incorporate security throughout how we build and ship Orakle.
- Dependency and vulnerability scanning: we use automated tooling to scan our dependencies for known vulnerabilities and monitor for newly disclosed issues.
- Code review: changes are reviewed before they are merged and deployed.
- Secrets management: credentials and secrets are kept out of source control and injected through managed environment configuration.
- Secure defaults: the API enforces authentication on all endpoints and rejects unauthenticated requests by default.
3. API Authentication and Access
Access to the Orakle API — whether through the TypeScript SDK, the MCP server, or direct REST calls — is authenticated with API keys.
- API-key authentication: every request to
api.orakle.xyz/v1must include a valid API key. Keys are scoped to your account. - Key rotation and revocation: you can generate new API keys and revoke existing ones at any time from your dashboard. Revoke and rotate keys promptly if you believe one has been exposed.
- Account authentication: dashboard sign-in is handled by a dedicated authentication provider, rather than credentials managed by Orakle directly.
- Least privilege: internal access to production systems is limited to the team members who need it, and is reviewed and removed as roles change.
4. Data Protection
We handle customer data with care and keep what we store minimal.
- What Orakle processes: Orakle receives natural-language product descriptions and returns calibrated price probability distributions and 90-day forecasts. We encourage you to avoid sending sensitive personal data in product descriptions, as it is not needed to generate a pricing estimate.
- Payment data: payments are processed by Stripe. Orakle does not store full payment card numbers; card data is handled by Stripe under its PCI-DSS compliance program.
- Data retention and deletion: customer data is retained and deleted in accordance with our Privacy Policy and Data Processing Agreement.
- Subprocessors: we maintain a current list of subprocessors that support the delivery of Orakle.
5. Incident Response
We monitor the service and respond to security events when they arise.
- Detection and response: we monitor our application and infrastructure for errors and anomalous activity and investigate potential security events.
- Customer notification: if we confirm a security incident that affects your data, we will notify affected customers without undue delay, consistent with our Data Processing Agreement and applicable law.
- Remediation: following a security incident, we work to identify the root cause and apply corrective measures to reduce the likelihood of recurrence.
6. Compliance
We apply commercially reasonable administrative, technical, and physical safeguards to protect customer data, and we are transparent about where we stand.
- Certifications: Orakle has not yet obtained formal certifications such as SOC 2 or ISO 27001. Pursuing recognized certifications is on our roadmap as the product matures.
- Compliant infrastructure providers: while Orakle itself is not yet certified, we build on infrastructure providers, including Vercel and Stripe, that maintain their own independently audited compliance programs.
- Data protection: our handling of personal data, including obligations under regulations such as the GDPR and CCPA/CPRA, is described in our Privacy Policy and Data Processing Agreement.
7. Reporting Vulnerabilities
We appreciate the work of security researchers in helping us keep Orakle secure. If you discover a potential security vulnerability, please report it responsibly to security@optima.engineering rather than disclosing it publicly. We will acknowledge your report and work to investigate and address confirmed vulnerabilities promptly.
For questions about our security practices, please contact security@optima.engineering.