Trust & procurement
What your security and procurement review needs to know about Kortex, stated plainly — including what we do not yet have. Kortex is an early-stage product from Orkora Ltd, operated founder-led and sold through pilot programmes. We would rather state that clearly than imply enterprise scaffolding that does not exist yet.
Security posture
- Transport. TLS 1.2/1.3 only, HSTS enforced, certificates via Let's Encrypt. Requests for any hostname other than
kortex.orkora.comare refused at the edge. - Authentication. API keys are stored as SHA-256 hashes — plaintext keys are never persisted. Keys are scoped (capability grants per key), support expiry, and are revocable immediately. Key rotation is available on request.
- Anonymous surface. Unauthenticated access is limited to documentation pages and three fixed demo queries, each behind a dedicated anonymous rate limit. Everything else requires a key.
- Audit trail. Every API request is metered and logged per key — endpoint, cost, status, latency — giving both sides a complete usage record.
- Isolation. Services (graph database, relational store, cache, API, edge proxy) run as isolated containers; the databases are not reachable from the network, only through the API.
- No third-party code on public pages. All JavaScript, CSS and fonts on the public site are self-hosted. No CDNs, no analytics trackers, no cookies on public pages.
- Query surface. Customer-facing Cypher access is read-only and scope-gated; write access to the graph does not exist through the API.
Data protection
- The graph contains infrastructure and corporate-entity records, not personal data. Nodes are power plants, substations, grids, dams, ports, legal entities, jurisdictions. There is no consumer or employee personal data in the product.
- One internal source (ICIJ Offshore Leaks) includes named company officers. Those records are held internally for derived corporate-screening analytics and are not served through the API.
- Every source feeding the graph is documented with licence and commercial status at /sources and /licensing — including, honestly, the ones still under rights review.
- Customer data we hold is minimal: contact details, API keys (hashed), and usage records. We do not receive or store customer datasets unless a pilot explicitly involves them, in which case handling is agreed in the pilot agreement.
- Hosting and offsite backup infrastructure is located in the EU.
Availability, backups & support
- Deployment. Single-region deployment, appropriate to pilot scale.
GET /healthis public and unauthenticated for monitoring. - Backups. Nightly database snapshots and dumps of the curated and audit layers, pushed encrypted (restic) to offsite storage in a separate EU facility, with 14-daily / 8-weekly / 6-monthly retention.
- Support. Founder-led, by email (kortex@orkora.com): same-business-day response as the working target during pilots. Incidents affecting your keys or data are communicated by email.
What we do not have yet — stated plainly. No formal SLA (a measured-uptime SLA comes with the first annual contracts). No SOC 2 or ISO 27001 certification (on the roadmap as the customer base matures; the controls above are what exists today, and we will not imply otherwise). No 24/7 on-call rota. If your procurement gate requires these today, we are happy to discuss timelines honestly.
Commercial terms
- Pilots. Fixed-term pilot agreements signed per customer, covering scope, keys, usage limits, confidentiality and fees. Terms of service and data-processing terms are agreed within the pilot agreement; standard drafts are available on request.
- Pass-through obligations. Some sources impose attribution or share-alike conditions (e.g. ODbL for OpenStreetMap-derived layers). These are documented per source at /licensing, and responses carry the provenance needed to comply.
- Pricing. Metered, published machine-readable at
/.well-known/kortex.json; every response reports its own cost. Provenance metadata on responses is never billed.
Verify us
- /validation — flagship outputs checked against GLEIF, published LBNL research, and SEC filings, with misses published.
- /licensing — per-source commercial rights, including what is still under review.
- /sources — the full source register, licence and cadence per source.
GET /health,GET /stats— live, unauthenticated.
Company
Orkora Ltd · kortex@orkora.com. Security questions, procurement questionnaires and vulnerability reports all go to the same address; questionnaires are answered directly by the people who operate the system.