Do you host or store data in locally-based data centers? 

Yes! For enterprise customers, we can offer local data hosting in either the United States, Europe, Australia, or Asia.

How do you communicate service outages?

Visit our status page to see our current app and API status. We communicate any service impacting outages to our customers here. You can also subscribe to updates via the status page: https://www.orttostatus.com/

How do I report a security vulnerability?

Our security team promptly investigates all reported security issues. We have a bug bounty program in place. If you believe you have found a security vulnerability please visit https://ortto.com/security/ for more information. We will respond as soon as possible to your report. We ask that you not publicly disclose the issue until it has been addressed by the Ortto team.

Do you meet data compliance requirements?

Yes! We are compliant with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Service Organization Controls (SOC 2) as well as meeting the framework for the EU and US Privacy Shield.

Can I enforce SSO and Two-factor authentication (2FA)?

Yes! You can choose to enforce one or both. You have full control via the privacy settings in your Ortto account. Single sign-on (SSO) can be implemented using Google or Okta. Two-factor authentication (2FA) can be implemented using SMS or via the Google Authenticator app.

Do you comply with The Privacy Act 1988?

Yes, we comply with the Australian Privacy Act and also meet APRA requirements for institutions across banking, insurance, and superannuation.

Does the platform undergo regular penetration testing?

Yes, we undergo penetration testing every six (6) months. Reports are available on request.