Data privacy and security built into every layer
Your members' data stays private. Your organization stays compliant.
Orgo encrypts sensitive fields, isolates tenants completely, and gives members control over their own profile visibility. Built-in GDPR tools handle data export, deletion requests, and consent tracking. Six permission types let you define exactly who sees what.
What makes Orgo different on privacy
Encryption by default
Personal ID numbers are encrypted at the field level. Passwords and MFA codes are hashed. Identity documents are stored encrypted. No sensitive data sits in plaintext.
GDPR tools included
Data export, right-to-be-forgotten workflows, consent management, and email unsubscribe are built in. Not bolted on after the fact.
Complete tenant isolation
Every tenant's data is fully isolated. Cross-tenant access is blocked at the infrastructure level. Domain-based routing ensures requests reach the right tenant.
How Orgo protects your data
Privacy is not a feature you toggle on. It is how Orgo works. Every entity in the system, from Identity records to Sessions to Webhook logs, is designed with access control and data protection from the start. Here is what that looks like in practice.
Authentication & MFA
Multiple authentication methods. Device tracking. Automatic lockout detection. Every login is verified and logged.
JWT authentication
Every login uses JWT token authentication. Tokens expire. Sessions are tracked per device.
MFA with device tracking
Members can enable two-factor authentication. The system tracks which devices are registered and trusted via the UserDevice entity.
OAuth & SSO providers
Sign in with Google, Apple, Microsoft, LinkedIn, or Facebook. One less password for members to manage.
Session management
Active sessions are tracked. Admins can see login history. The system detects and flags locked accounts.
Privacy controls
Members control their own data. Admins control organizational visibility. Nobody sees more than they should.
Per-field privacy
Each profile field has its own privacy setting: name, email, phone, age, town, photo, profession, and social links. Members decide what is visible.
Admin-only visibility
Some fields can be restricted to admin-only visibility. Other members will not see them at all.
Visibility scoping
Data visibility is scoped to the right audience. Not everyone in the organization needs to see everything.
Profile view tracking
The system logs who views a profile and when. Members and admins can see this activity.
GDPR compliance
Data export, deletion workflows, consent tracking, and unsubscribe. The GDPR basics, done properly.
Data export
Members can export all their personal data at any time. The export includes everything Orgo stores about them.
Right to be forgotten
A resignation request workflow handles right-to-be-forgotten. The member requests it, the system processes it, and the data is removed.
Consent management
Track what members have consented to and when. Privacy policy and terms of service are displayed and accepted before account use.
Email unsubscribe
Every email includes an unsubscribe option. Members manage their own communication preferences directly.
Role-based access control
Not just admin vs. member. Six permission types across three organizational levels, with inheritance built in.
Three-level hierarchy
Roles work at three levels: Tenant (organization-wide), Parent Local (regional), and Local (chapter). Permissions follow the hierarchy.
Six permission types
Six permission types cover the main areas: ADMIN, HR, FINANCIAL, HR_ASSISTANT, COMMUNICATION, and EVENT. Assign what each role needs.
Permission inheritance
Higher-level permissions cascade down to child levels. A regional HR admin automatically has HR access to their local chapters.
Tenant-scoped access
Every tenant is fully isolated. A role in one tenant cannot access data in another. Cross-tenant access is blocked by design.
Data encryption & audit
Sensitive data is encrypted or hashed. Every action is logged. Infrastructure runs on AWS with isolated services.
Field-level encryption
Personal ID numbers and identity documents are encrypted at the field level. Even database access does not expose plaintext values.
Hashed credentials
Passwords are hashed, not encrypted. MFA codes are hashed too. Even Orgo cannot read them.
User access logs
The UserAccessLog entity records who did what and when. Every login, every data access, every change.
Email & webhook logs
Email delivery, data imports, and webhook deliveries all have their own log entities. If something goes wrong, you can trace it.
AWS infrastructure
Files are stored in AWS S3 with pre-signed URLs. Messages go through SQS. Emails through SES. Static assets via CloudFront CDN.
Data privacy & security FAQ
Every member's Identity record has per-field privacy settings. Name, email, phone, age, town, photo, profession, and social links each have their own visibility control. Members set these themselves. Some fields can be restricted to admin-only, meaning other members cannot see them at all.
On top of that, sensitive fields like personal ID numbers are encrypted at the field level in the database. Passwords and MFA codes are hashed, not stored in reversible form. Profile view tracking logs who looked at a member's profile and when.
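The per-field visibility and view-tracking behaviour described above, as an added Python example that is not Orgo's code: the profile fields are the ones the page names, while the setting values "members" and "admin_only", the fail-closed handling of unrecognised settings, and the sample member data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Profile fields named on the page; each carries its own visibility setting.
PROFILE_FIELDS = ("name", "email", "phone", "age", "town", "photo", "profession", "social_links")
# Assumed setting values: "members" = any member of the organization may see it,
# "admin_only" = admins only. Any other (or missing) value hides the field.
VISIBILITY_VALUES = ("members", "admin_only")


@dataclass
class Viewer:
    member_id: str
    is_admin: bool = False


@dataclass
class Profile:
    member_id: str
    data: dict                                     # field name -> value
    visibility: dict                               # field name -> setting chosen by the member
    view_log: list = field(default_factory=list)   # (viewer member_id, UTC timestamp)


def visible_fields(profile, viewer, now=None):
    """Return the subset of profile fields this viewer may see and record the view."""
    now = now or datetime.now(timezone.utc)
    if viewer.member_id == profile.member_id:
        return dict(profile.data)      # owners always see their own data (self-views not logged: assumption)
    shown = {}
    for name in PROFILE_FIELDS:
        if name not in profile.data:
            continue
        setting = profile.visibility.get(name)
        if setting == "members" or (setting == "admin_only" and viewer.is_admin):
            shown[name] = profile.data[name]
        # unknown or missing setting: fail closed, field stays hidden
    profile.view_log.append((viewer.member_id, now))   # who viewed the profile, and when
    return shown


# Constructed sample profile (not real member data).
SAMPLE = Profile(
    member_id="m-1001",
    data={"name": "Kari Nordmann", "email": "kari@example.org", "phone": "+47 000 00 000",
          "age": 34, "town": "Bergen", "profession": "Nurse"},
    visibility={"name": "members", "email": "admin_only", "phone": "admin_only",
                "age": "private", "town": "members", "profession": "members"},  # "private" is not a recognised value
)
```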
Orgo includes built-in GDPR tools: data export so members can download everything stored about them, a resignation request workflow for right-to-be-forgotten, consent management with privacy policy and terms of service tracking, and email unsubscribe on every message.
These are not add-ons. They are part of the Identity and Session entities in the core data model. When a member requests deletion, the workflow processes it through the system and removes their data.
RBAC in Orgo works at three levels: Tenant (the whole organization), Parent Local (regional), and Local (chapter). There are six permission types: ADMIN, HR, FINANCIAL, HR_ASSISTANT, COMMUNICATION, and EVENT.
Permissions inherit downward. If someone has HR access at the regional level, they automatically have it for the local chapters under that region. Each tenant is fully isolated. There is no way for a role in one tenant to reach data in another.
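To make the three-level hierarchy, downward inheritance and tenant isolation rules concrete, here is an added Python example (not Orgo's code) modelling the permission check; the six permission types and three levels are the page's, while the org trees, tenant names, users and grants are constructed samples. Unit ids deliberately repeat across tenants to show that isolation is keyed on the tenant, not on the unit name.

```python
from enum import Enum


class Perm(Enum):
    """The six permission types named on the page."""
    ADMIN = "ADMIN"
    HR = "HR"
    FINANCIAL = "FINANCIAL"
    HR_ASSISTANT = "HR_ASSISTANT"
    COMMUNICATION = "COMMUNICATION"
    EVENT = "EVENT"


# Constructed org trees, one per tenant: unit id -> parent unit id.
# Level Tenant is the root (parent None), Parent Local sits under it, Local under that.
ORG = {
    "acme":   {"acme": None, "north": "acme", "oslo": "north", "bergen": "north",
               "south": "acme", "kristiansand": "south"},
    "globex": {"globex": None, "north": "globex", "oslo": "north"},
}

# Constructed grants: user -> list of (tenant, unit id, permission types).
GRANTS = {
    "alice": [("acme", "north", {Perm.HR})],             # regional HR admin
    "bob":   [("acme", "acme", {Perm.ADMIN})],           # tenant-wide admin
    "carol": [("globex", "oslo", {Perm.HR, Perm.EVENT})],  # local grant in another tenant
}


def chain(tenant, unit_id):
    """Yield unit_id and its ancestors up to the tenant root; unknown units raise."""
    tree = ORG[tenant]
    if unit_id not in tree:
        raise KeyError(f"unit {unit_id!r} does not exist in tenant {tenant!r}")
    while unit_id is not None:
        yield unit_id
        unit_id = tree[unit_id]


def has_permission(user, perm, tenant, unit_id):
    """True if a grant at unit_id or any ancestor in the same tenant carries perm.

    Permission types are matched literally; whether ADMIN implies the others is
    not modelled here (assumption).
    """
    path = set(chain(tenant, unit_id))
    for g_tenant, g_unit, perms in GRANTS.get(user, []):
        if g_tenant != tenant:          # tenant isolation: a grant never crosses tenants
            continue
        if g_unit in path and perm in perms:   # cascade from higher levels down
            return True
    return False
```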
Orgo supports JWT token authentication for every request. Members can enable MFA/2FA, and the system tracks trusted devices through the UserDevice entity. If an account gets locked due to failed attempts, the system detects and flags it.
For SSO, Orgo integrates with Google, Apple, Microsoft, LinkedIn, and Facebook. Sessions are managed through the Session entity, which tracks active sessions, login times, and devices. UserApiToken handles API access for integrations.
Orgo encrypts sensitive fields like personal ID numbers and identity documents at the field level in the database. Passwords are hashed using one-way algorithms. MFA codes are also hashed. The hashed values cannot be reversed, and direct database access does not expose the encrypted plaintext.
Files are stored in AWS S3 with pre-signed URLs, meaning file access is time-limited and authenticated. The infrastructure uses SQS for message queuing, SES for email delivery, and CloudFront as the CDN for static assets.
Orgo logs activity through several dedicated entities. UserAccessLog records who accessed what and when. Email logs track every message sent. Import logs capture data import operations. WebhookDeliveryLog records every webhook call and its result.
WebhookSubscription manages external integrations, so you can see exactly which systems receive data and track every delivery. These logs are not optional. They run automatically as part of normal system operations.