Security & Trust
Last Updated: February 2026
1. The Core Principle: Data is not the product
Cortex is an operations engine, not an advertising network. We charge for software execution, not data aggregation. Your store's data—catalog, customers, orders, and reasoning history—is strictly isolated to your organization. It is never used to train generalized multi-tenant models.
2. Infrastructure & Isolation
Cortex runs on a strictly isolated, multi-tenant architecture designed to prevent cross-tenant data leakage at both the application and database levels.
- Database Isolation: Every record in PostgreSQL is tagged with an Organization ID. Access is strictly enforced via Row-Level Security (RLS) policies baked directly into the database engine. Even if the application layer is compromised, the database refuses queries that lack the correct tenant context.
- Durable Execution: Complex operations (like importing 10,000 SKUs from Shopify) are managed by Temporal. If the system restarts mid-operation, Temporal ensures the exact state is recovered without data corruption or duplication.
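The Database Isolation point above, sketched as an added PostgreSQL example; this is not Cortex's actual schema or policy code. The table, column, role, and `app.current_org` setting names are assumptions chosen for illustration.

```sql
-- Constructed schema: every name here is hypothetical.
CREATE TABLE orders (
    id              bigserial PRIMARY KEY,
    organization_id uuid   NOT NULL,
    total_cents     bigint NOT NULL
);

-- ENABLE turns the policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass row-level security.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- Tenant context comes from a per-transaction setting. missing_ok = true
-- returns NULL when the setting was never defined, and NULLIF covers the
-- empty string PostgreSQL returns after an earlier SET LOCAL has expired.
-- In both cases the comparison is not true, so no rows match.
CREATE POLICY tenant_isolation ON orders
    USING (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid);

-- The application role must not be able to bypass RLS.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_user;

-- Per request, as app_user. The organization id is taken from the
-- authenticated session by trusted code, never from request input.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM orders;   -- counts only this organization's rows
COMMIT;

-- Writing a row tagged with another organization fails the WITH CHECK clause.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO orders (organization_id, total_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 100);  -- ERROR: violates RLS policy
ROLLBACK;

-- No tenant context set: the policy matches nothing.
SELECT count(*) FROM orders;   -- 0
```

Superusers and roles with `BYPASSRLS` are exempt from these policies, so the check only holds for connections made as a role like the hypothetical `app_user`.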
3. The Copilot Safeguard (Human-in-the-Loop)
Cortex is designed for autonomous execution, but it defaults to caution to protect your business.
- Confidence Thresholds: If Cortex calculates a decision confidence below your configured threshold (for example, when matching a massive anomalous order or changing pricing drastically), execution is paused.
- Escalation: The system immediately escalates the decision to a human via your configured messaging channel (WhatsApp, Telegram, Slack) for explicit approval before proceeding.
4. Encryption & Compliance
All data is encrypted in transit using industry-standard TLS 1.3 and encrypted at rest using AES-256.
Cortex connects to your external systems (Shopify, WooCommerce, Meta) using OAuth 2.0 wherever possible, removing the need to store raw passwords. Where API keys are required, they are rotated regularly and vaulted securely.
5. Vulnerability Disclosure
If you discover a security vulnerability, please report it immediately to security@oryxa.in. We will acknowledge your report within 24 hours.