Privacy

Privacy policy.

Aorka is operated by Auderas Inc (d/b/a Aorka). This policy explains what data we collect, why we collect it, and exactly where it goes. No legalese fog — just the facts.

Last updated: April 14, 2026

01

What we collect

Aorka collects data necessary to operate the platform. Nothing more. There are no analytics trackers, no advertising pixels, no third-party data brokers.

Account data

When you sign in via Microsoft 365 SSO or Google OAuth, we receive your email address, display name, and tenant/organization identifier. Aorka does not store passwords — authentication is delegated entirely to your identity provider. We also record the IP address and user agent of your sessions for security auditing.

Infrastructure data

Aorka's core function is managing your IT infrastructure. This means we store data about your endpoints: hostnames, hardware facts, software versions, configuration details, and other operational data collected by the agent or entered by your team. This data is what makes the knowledge base useful — it's the whole point of the product.

Conversations and scripts

Chat conversations with the AI assistant are stored so you can reference prior context. Scripts generated or executed through the platform are logged with their safety scores, approval status, and execution results. This history is essential for audit trails and for the AI to learn your environment over time.

Credentials

If you store credentials in the Aorka vault, they are encrypted at rest using AES-256-GCM. Viewing a stored credential requires MFA verification — a session alone is not sufficient. We cannot read your stored credentials in plaintext; decryption happens on-demand when you explicitly request access.

Session cookie

Aorka uses a single session cookie to maintain your authenticated session. That's it. No analytics cookies, no tracking cookies, no third-party cookies. We do not use Google Analytics, Mixpanel, Hotjar, or any similar service.

02

How we use your data

Operating the platform. Your infrastructure data powers the knowledge base, chat context, and script execution. This is the product.
Security and audit. IP addresses, user agents, and action logs are used for session management, anomaly detection, and audit trails.
Transactional email. We send emails related to demo requests and account operations. No marketing email lists. No newsletters unless you explicitly opt in.
Improving relevance across the platform. Aorka computes mathematical representations (vector embeddings) of knowledge items and groups them into concept clusters. These clusters are used to determine which types of knowledge are most relevant across the platform — for example, recognizing that firewall configuration facts are broadly important right now. This process operates on abstract mathematical coordinates, not on the content of your data. No titles, fact values, hostnames, or other readable information is shared between tenants. See Concept clusters below for details on how this works.
We do not sell your data. Not to advertisers, not to data brokers, not to anyone. Your infrastructure data is yours.
03

AI and third-party providers

Aorka integrates with external services to provide AI capabilities and transactional email. Here is exactly what each provider sees and retains.

Provider data flow

AI

Anthropic (Claude)

Powers the AI chat assistant and script safety evaluation. All API calls are stateless — conversation context is sent per-request and is not retained by Anthropic after the response is returned. Your data is not used to train Anthropic's models. Anthropic's data retention policy for API usage is zero retention.

SEARCH

Voyage AI

Provides vector embeddings for semantic search across your knowledge base and scripts. Same stateless model — text is sent, a vector is returned, nothing is stored. Your data is not used for training.

AUTH

Microsoft / Google

Authentication only. We receive your identity claims (name, email, tenant ID) via OAuth. We do not access your mailbox, files, or any other data beyond what is needed to sign you in — unless you explicitly configure Microsoft 365 integration for endpoint management, which uses separate per-tenant credentials under your control.

EMAIL

SMTP2GO

Transactional email delivery for demo requests. Receives only the recipient address and message content necessary to deliver the email. No bulk marketing, no mailing lists.

The key point: No third-party provider retains your infrastructure data. AI providers see conversation context for the duration of a single API call. Embedding providers see text fragments long enough to compute a vector. Neither stores your data or uses it for training.

04

Tenant isolation

Aorka is a multi-tenant platform. Your data — endpoints, facts, conversations, credentials, scripts, job history — is scoped to your tenant at the database level. This is not application-layer filtering that could be bypassed; it's structural. No other tenant can see, query, or access your data through the application.

Role-based access within tenants

Within your tenant, access is controlled by role-based permissions (admin, tech, viewer) and unit-scoped access grants. A user only sees the endpoints and data they've been explicitly granted access to. Tenant admins control who gets access to what.

Concept clusters and cross-tenant signals

While your data content is strictly tenant-isolated, Aorka uses a global relevance system to improve knowledge quality across the platform. Here is exactly how it works:

  1. Each knowledge item is converted into a vector embedding — a list of numbers representing the item's meaning in abstract mathematical space. This is a one-way transformation; the original text cannot be reconstructed from the vector.
  2. Vectors from all tenants are grouped into concept clusters using density-based clustering. A concept is a geometric centroid (average position) of nearby vectors — it has no name, no label, and no readable content. It's a point in mathematical space.
  3. Each concept has a salience score reflecting how actively that type of knowledge is being used across the platform. When many items in a concept cluster are accessed frequently, the concept's salience rises; when activity is low, it falls.
  4. Salience changes propagate to nearby items. If the "firewall configuration" region of the vector space is heating up across the platform, your firewall-related items benefit from that signal — they rank higher in search results and get validated more frequently.

What crosses tenant boundaries: Mathematical coordinates (vectors) and numerical relevance scores. What never crosses: Titles, descriptions, fact values, hostnames, IP addresses, credentials, or any other readable content. No tenant can reverse-engineer another tenant's data from concept clusters — the vectors are abstract, high-dimensional, and irreversible.

05

Infrastructure and data location

Where your data lives

All Aorka infrastructure runs in AWS us-east-1 (Northern Virginia). The application server runs on AWS Lightsail. The database is AWS RDS PostgreSQL with encryption at rest enabled. Application secrets are stored in AWS Secrets Manager with IAM-scoped access policies.

International data transfers

Aorka currently operates exclusively in the US (us-east-1). We do not have an EU data center at this time. If you are located outside the United States, your data will be transferred to and processed in the US. We are transparent about this rather than burying it in fine print. If regional data residency is a requirement for your organization, please contact us to discuss your needs.

Encryption

All data in transit is encrypted via TLS. The database uses encryption at rest via AWS RDS. Stored credentials use AES-256-GCM application-layer encryption on top of database encryption. Agent connections use WSS (WebSocket over TLS) with mutual authentication.

06

Data retention and deletion

You control your data

Conversations, facts, credentials, and knowledge base entries can be deleted by authorized users directly through the platform. Deletion is immediate — we don't soft-delete and retain data behind the scenes.

Account deletion

Tenant admins can request full account deletion by contacting us. We will delete all tenant data — endpoints, facts, conversations, credentials, scripts, and user records. Audit logs may be retained for up to 90 days after account deletion for security purposes, after which they are permanently deleted.

Backups

AWS RDS automated backups are retained per AWS default retention policy. When data is deleted from the live database, it will naturally age out of backups as they rotate.

07

Children's privacy

Aorka is an IT infrastructure management platform designed for business use. It is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.

08

Changes to this policy

If we make material changes to this privacy policy, we will notify active users via the platform and update the "Last updated" date at the top of this page. We will not retroactively reduce your privacy protections without notice.

09

Governing law and contact

Governing law

This privacy policy is governed by the laws of the State of Texas, United States, without regard to conflict of law principles.

Contact

For privacy-related questions, data deletion requests, or concerns about your data, contact us at privacy@aorka.com.

Questions about your data?

We're happy to walk through exactly how your data is handled. No marketing pitch — just answers.

Request a demo