
Keeping our customers’ data protected at all times is our highest priority. We help do this in many ways:

  • Data security: We ensure we meet the highest security standards, such as encryption of data in transit and Distributed Denial of Service (“DDoS”) mitigations, and a Support team is available through live chat.
  • Disclosure of Customer Service Data: Orlo discloses data where necessary to provide the service or as required to respond to lawful requests from public authorities. For further details as to the ways in which Orlo may share Customer Service Data with third parties, please refer to our privacy policy.
  • Trust: Orlo has developed our platform with security in mind to ensure a secure environment for our customers’ data. We use external CREST-accredited third parties to verify our security through pen tests from the perspective of both an external attacker and an internal user.
  • Data Location: All our data is stored in, and does not leave, the E.U.
  • Access Management: Orlo provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining and improving the services and as otherwise required by law.

You are the data controller of all personal data held in our application under your account and Orlo is merely your data processor in respect of all the services provided to you. Our processing of your personal data is only on your documented instructions as set out in the contract between us. We do not use any of your personal data for anything that is not in the contract or the privacy policy.

Our application only holds basic information about your authorised users, this being name, email address, password, last login, IP address, browser and device details. If you opt for two-factor authentication, we will also store the user’s mobile phone number.

Your social media followers may include any type of information (including personal data, images and videos) in their messages to you and your users can add free text to social contacts and messages. We don’t use any of this information for any of our own purposes other than to create aggregated statistics, which do not identify any individuals.
Our system is merely a place to store their messages to you and to enable you to manage and retrieve them. You are the data controller of your followers’ messages and your users’ free-text additions. As such, it is your responsibility to ensure you use these in compliance with data protection and other laws.

You are able to export your social inbox whenever you wish during your contract term. Our reports are printable and downloadable.

Once our contract with you has ended, we expunge all of your data (other than your shortened links), and the deletion then propagates through our backups. It can take up to a month for the data to be completely removed from backups.

We retain your shortened links after our contract so that any social posts created from within our application using our link shortening service continue to redirect users to the correct location. No other information is retained or stored.

We are proud of our record of having no reportable data breaches to date. However, we know the importance of being prepared in the unlikely event of an incident.

All security incidents and platform-wide issues will be recorded in a Major Incident Report which will cover: the nature of the incident, the impact on your business and on data subjects, the resolution, and any preventative action planned to avoid recurrence. We will also make an assessment as to whether the breach must be reported to the Information Commissioner and/or affected individuals.

In the event of a data breach affecting your personal data, we will report this to you without undue delay through our normal support process.

To date Orlo has not used external developers and intends to use only in-house developers moving forward. This may change in the future but, if so, external developers would be given only limited access to code bases, no access to live data, and all code/contributions would be vetted before being deployed.

If you would like to read more about where your data will be processed, please see more information about our infrastructure here.

We carry out regular audits, in line with the company audit plan, against all of our sub-processors. If you would like to review this, you can see it here: View List

We offer a number of login options:

  • SAML (Security Assertion Markup Language) – this allows you to use SAML-based single sign-on services such as Okta and OneLogin. On request we can add other providers.
  • Two-Factor Authentication (2FA) – this requires users to enter a code sent to them by SMS when logging into the system.
  • Google Account Login (Single Sign On / SSO) – this allows users to log in via Google Accounts if your organisation is using Google Business apps to manage its email accounts. Using this option allows your users to utilise Google’s own security around the log-in procedure.

Ultimately, you are responsible for ensuring your users keep your account log-in credentials secure and for any activities or actions occurring under your account. Our application offers the ability to require “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) for your account. Administrators can disable email/password as a means of logging into the application and force one of the above options instead.

We have a suite of security measures in place. These are kept under review and, wherever we consider it appropriate, they are enhanced. These include:

  • Encryption: See more about encryption in our Security & Compliance resource here.
  • Resilience: See more about resilience in our Security & Compliance resource here.
  • Monitoring: See more about application security monitoring and our network-level security monitoring and protection in our Security & Compliance resource.
  • Security testing: See more about secure development in our Security & Compliance resource here, and you can see our latest results by downloading them (results can be seen here: 2022, 2021, 2020, 2019).

We run continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly, and use software to log and track these with a combination of active checks and, for some things such as back-ups, passive checks. Our setup allows us to detect unexpected behaviour early, and team members are alerted if an expected action has not run as expected.

Our code is written to log any critical events for our developers to address.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is the European privacy regulation which replaced the EU Data Protection Directive (“Directive 95/46/EC”). The GDPR addresses the processing of personal data and the free movement of such data. It aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. Broadly, it sets out a number of data protection principles and requirements which must be adhered to when personal data is processed.

The GDPR also established the European Data Protection Board (“EDPB”), which ensures that data protection law is applied consistently across the EU and works to ensure effective cooperation amongst data protection authorities.

How does this apply to Orlo’s customers?

Customers that collect and store personal data are considered data controllers under the GDPR. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with relevant EU data protection law, including the GDPR, and uniquely determine what personal data is submitted to, and processed by, Orlo in accordance with the Services.

Are the systems used by Orlo GDPR compliant?

We have carried out a Privacy Impact Assessment of our software, systems and services and have made changes to ensure we meet and, in some cases, exceed GDPR requirements.

Our system architecture was developed with data protection and data security in mind. The databases in which your personal data is stored are only accessible by a small division of the internal development team who are internally vetted and have worked for us for a substantial amount of time. If you would like to find out more about our security and infrastructure, please see our public Security & Compliance page.

As a data processor, how do we handle requests made by End-Users?

If Orlo receives a data subject request from a Subscriber’s End-User (i.e., a user of the Services to whom a Subscriber has provided our Services), Orlo is the Processor, and Orlo will, to the extent that applicable legislation does not prohibit Orlo from doing so, promptly inform the End-User to contact our Subscriber (i.e. the Controller) directly about any request relating to his/her Personal Data such as access or deletion. Orlo will not further respond to a data subject request without the Subscriber’s prior consent.

Does Orlo need access to your systems?

We do not need access to your system unless requested for training or demo purposes.

Will Orlo help us comply with data subject rights?

You have full control over your user data and data from followers so you should be able to manage all data subject rights yourself just by using the application. If you need any specific guidance on how to do this, you can use our ‘help’ feature in the application, consult our user guide or use our online chat facility.

Will we be able to audit Orlo premises and systems for compliance?

You will appreciate how important it is that our systems and premises ensure confidentiality for all of our clients, and we do not normally allow clients to have access. We do, however, engage an external CREST-accredited specialist to check our systems and provide a report on compliance each year, and we are happy to make that available to you for your peace of mind. You can find a copy of the latest report here.

Of course, if a court or regulatory body requires us to give you access, we will honour that requirement but will require that you comply with our security and health and safety requirements in doing so.

Secure as standard

Over 300 customers, including two thirds of UK Policing, over 100 Local Authorities and many Central Government bodies, trust Orlo to keep their data safe, and it’s one of our top priorities. Find out all about the processes we have in place to keep everything under lock and key.
