Security & compliance
Built for cautious operators

We treat WordPress hosts as a security boundary we do not control. The Orthoplex server is the trust anchor; the plugin only ever holds a short-lived site token.

Server-managed AI keys

Provider keys never live on WordPress. Every AI call is proxied through the Orthoplex server using a per-site bearer token with a narrow scope.

  • Site tokens are 256-bit, random, and scoped to one plugin
  • Secrets are encrypted at rest with envelope encryption
  • An audit log entry is recorded for every provider request

Defence in depth

A standard hardening baseline (helmet, strict CORS, per-route rate limits, body size caps, audit log) backed by an append-only event store.

  • Helmet, HSTS, X-Frame-Options, Referrer-Policy
  • CORS locked to first-party origins in production
  • Per-route rate limits + body size caps on AI proxy

Account safety

Magic-link auth with one-time tokens, replay-proof verification, and HttpOnly session cookies. No password to phish, no shared API key to leak.

  • Tokens are SHA-256 hashed; only the hash is stored
  • 15-minute TTL, single-use; redemption runs under SELECT … FOR UPDATE so two concurrent requests cannot both consume the same token
  • Sessions revoke on logout, on email change, and on idle

Billing safety

Stripe-hosted checkout, idempotent webhooks, and a 30-day money-back window enforced on the subscription metadata — not by an email queue.

  • Idempotent webhook handlers (constructEvent + dedup table)
  • Refunds are server-enforced, not support-discretion
  • Past-due → grace period → expire, not a silent overcharge

Reporting a vulnerability

Email [email protected] with a description and any reproduction steps. We acknowledge within 48 hours and aim to ship a fix or mitigation within 10 business days.

Compliance posture

  • GDPR & CCPA aligned data subject rights
  • Data residency: EU-region option on Business+
  • SOC 2 Type II in progress