Orpheus is built on a privacy-first architecture. Audio you upload is encrypted in transit and at rest, processed in isolated environments, and never used to train models.
Files are transmitted over TLS 1.3. They land in an isolated per-account storage bucket — no shared paths between users.
Transcription runs in ephemeral worker environments that are discarded after each job. No persistent access to raw audio during inference.
Transcripts and audio are encrypted at rest with AES-256. Anonymous free-tier files are deleted after 24 hours. Registered users control retention.
Delete any file from the console and it is removed from storage within 24 hours. Account deletion triggers a full data purge within 30 days.
Orpheus acts as a data processor under GDPR. We provide a Data Processing Agreement (DPA) to enterprise customers, honor data subject rights (access, rectification, erasure), and maintain records of processing activities.
We are currently undergoing our SOC 2 Type II audit. Security controls cover access management, vulnerability management, incident response, change management, and availability monitoring.
Keys can be scoped to read-only, write-only, or specific endpoints. Rotate or revoke any key instantly from the console.
Team plan includes role-based access control. Owners, editors, and viewers have distinct permission sets across jobs, keys, and billing.
Enterprise accounts get full audit logs of who accessed what, when, and from which IP — exportable as JSON or CSV.
Enterprise customers can enforce SSO via SAML 2.0 or OIDC, disabling password-based login for all team members.
| Layer | Provider | Region | Standard |
|---|---|---|---|
| CDN / Edge | Cloudflare | Global | ISO 27001, SOC 2 |
| Object storage | Cloudflare R2 | US East + EU West | AES-256 at rest |
| Database | Cloudflare D1 | US East | Encrypted, replicated |
| AI inference | Cloudflare AI | Global edge | Ephemeral, no logging |
No. Orpheus does not use customer audio to train, fine-tune, or evaluate any AI models. Your data is processed for transcription and then stored or deleted according to your retention settings.
Yes. Enterprise customers can request a DPA by emailing [email protected]. We will respond within 2 business days.
By default, data is stored in US East. Enterprise customers can request EU-only data residency (EU West, Frankfurt region) as an add-on.
Individual files can be deleted from the console immediately. To delete all data, use the account deletion flow in Settings — this triggers a full purge within 30 days. API customers can also delete jobs via DELETE /v1/jobs/:id.
We responsibly disclose all security issues. To report a vulnerability, email [email protected]. We aim to acknowledge reports within 24 hours and resolve critical issues within 7 days.
Talk to us about enterprise deployments, custom DPA terms, EU data residency, and SOC 2 reports.