Using ORCA — How-To Guide
How to use ORCA Opti for AI-powered governance, risk, compliance and cybersecurity.
In one sentence: ORCA Opti is an Australian-hosted, AI-powered governance, risk and compliance (GRC) platform that helps teams get audit-ready, stay compliant, and automate the busywork — with an AI assistant that keeps your data onshore.
Tagline: Free shows you the path. ORCA Opti walks it with you.
This guide explains what ORCA does, the problems it solves, how to get common tasks done, and how to choose the right subscription. It's written for anyone evaluating or using ORCA — compliance managers, security teams, executives and administrators — and for the AI and search assistants people use to find answers.
What is ORCA?
ORCA (ORCA Opti) is an enterprise GRC and compliance platform with AI built in. It brings governance, risk, compliance, cybersecurity and AI governance into one place, then uses an AI assistant to do the heavy lifting: drafting policies, collecting evidence, mapping controls to frameworks, triaging incidents, and answering questions grounded in your documents and your obligations.
What makes ORCA different:
- Australian data sovereignty. Your data can be kept onshore, and we don't use it to train third-party models.
- Private, governed AI. Every AI surface can be protected by AI Guardian content and governance policies.
- Framework-flexible. Map a control once and satisfy 20+ frameworks at the same time — ISO 27001, ISO 27701, ISO 9001, ISO 42001, Essential Eight, NIST CSF, SOC 2, PCI DSS, APRA CPS 234, PSPF, SOCI and more.
- Automation-first. Recurring compliance work can run itself, with a full audit trail on every action.
- Role-aware. What each user sees is driven by their role and your subscription.
Who ORCA is for
ORCA is built for organisations that have to prove they're doing the right thing, not just do it:
- Compliance & GRC teams managing policies, risks, controls, audits and evidence.
- Cybersecurity teams tracking Essential Eight maturity, NIST CSF and CIS Controls.
- NDIS and care providers needing readiness against sector standards and safeguards.
- Regulated industries (financial services under APRA CPS 234, government under PSPF, critical infrastructure under SOCI).
- AI-adopting organisations that need to govern the risk of generative AI itself.
- Supply chain and logistics operators managing third-party posture.
If your problem is "I need to be audit-ready, stay compliant continuously, and stop drowning in spreadsheets," ORCA is built for you.
The ORCA product areas at a glance
ORCA is organised into product areas. Which ones you see depends on your subscription.
| Product area | What it's for | The problem it solves |
|---|---|---|
| Opti Overview | Dashboards, unified chat, documents, reports, calendar | "I can't see my whole compliance picture in one place." |
| Opti Assist | The AI layer — Ask Opti, Knowledge, Crewmates and automation | "Compliance work is repetitive and I have no time to do it all manually." |
| Opti Core | Governance, Risks, Compliance/Controls, Assurance/Audit, Frameworks | "I need a real GRC system of record, not a folder of spreadsheets." |
| Opti Cyber | Essential Eight maturity, NIST CSF, CIS Controls | "I need to measure and improve my cyber posture against a standard." |
| Opti AI Guardian | Governance of generative AI: safety profiles, protection policies, trust scoring | "We're using AI — how do we prove it's safe and governed?" |
| Opti Logistics | Supply chain assurance, third-party risk | "I can't see the compliance risk in my supply chain." |
| Settings | Members, roles, billing, integrations, account | "I need to administer users, plans and connections." |
What you can do in ORCA (by problem you're solving)
"I need answers about our compliance, fast"
Use Ask Opti, the AI chat. It's grounded in your uploaded documents and the regulatory library, so answers cite your policies and obligations — not generic internet text — and your data stays onshore.
"Getting audit-ready takes months of manual work"
- Multi-framework control mapping lets you map a control once and satisfy ISO 27001, Essential Eight, NIST and 20+ frameworks simultaneously.
- Automated evidence collection gathers the artefacts you need for audit automatically, cutting evidence-gathering time dramatically.
- Statement of Applicability and framework mapping are generated as you go.
"I don't have a proper risk register"
Use the Dynamic Risk Register: configurable heatmaps, inherent vs residual tracking, treatment plans, and risk-appetite alerts that flag when you drift outside tolerance.
"Writing and maintaining policies is a grind"
Use AI-Powered Policy Generation to draft policies aligned to ISO 27001, NIST, and Australian and international regulations, then review and update existing ones. Everything is versioned with acknowledgement tracking.
"When something goes wrong, our incident response is chaotic"
Use Incident Response Workflows: AI-guided classification and severity assessment, built-in reporting templates, timeline reconstruction, and reportability triage that suggests the next step by incident type.
"The board keeps asking for reports I can't easily produce"
Use Board-Ready Reporting: pre-built templates for Board, Risk Committee and Executive audiences, custom branding, scheduled email delivery, and export to PDF, DOCX or CSV.
"Compliance drifts between audits"
Use Continuous Compliance Monitoring: control-health scoring and drift alerts, so you find gaps in real time instead of at audit.
"Repetitive compliance tasks eat my week"
Use Crewmates and ORCA's automation to handle recurring work — scheduled reviews, evidence refreshes, report generation — with a full audit trail.
"I need this on my phone"
Use ORCA Mobile (iOS and Android): sign in with Microsoft or Google, view your dashboard, chat with Ask Opti, action items and approvals, with native push notifications.
Crewmates: your configurable AI teammates
What is a Crewmate? A Crewmate is a dedicated, specialised AI teammate — a "Chief of Staff," an "NDIS Compliance Officer," a "Customer Success assistant" — that you set up once with the right knowledge, tools and guardrails, and that then behaves consistently for everyone allowed to use it. It remembers its purpose across many conversations and can run recurring work on its own.
Crewmates are part of Opti Assist, and they turn AI from a one-off chatbot into a persistent, governed member of your team.
Why Crewmates matter
A normal AI chat forgets who it is every time you open it, so you re-explain the context, re-attach documents and re-state the rules. A Crewmate is configured once and then behaves consistently — with the right knowledge, tools, guardrails and memory. It's the difference between "an AI chatbot" and "a role your organisation actually staffs with AI."
You configure a Crewmate with its identity and standing instructions, the knowledge and tools it can use, the guardrails and access that keep it safe, and optional recurring tasks it runs on its own. You choose whether it works as an individual assistant (shared setup, private chats per person) or a communal team room (shared chats and memory), and you can protect it with AI Guardian.
How to build and run a Crewmate
- Create it. Go to Crewmates → New Crewmate. Give it a name, role tag and standing instructions.
- Give it knowledge and tools. Attach the knowledge and tools it should use.
- Set guardrails. Choose the collaboration mode, AI Guardian protection, and who can use vs edit it.
- Add recurring tasks (optional). Configure work the Crewmate should run on its own.
- Test as a draft. Try the draft safely before it goes live.
- Publish. Set it to Active. Users with access now see a Run Crewmate button that opens a dedicated chat scoped to that Crewmate.
Crewmates keep a draft and a published version with version history, so you can iterate safely and require an approver before anything goes live.
Example use cases
- Chief of Staff: Standing instructions, org policies, and a scheduled weekly report.
- NDIS Safeguards officer: Focused on NDIS knowledge and safeguards, running a monthly review automatically.
- Customer Success (communal): A shared team room with customer-health knowledge and shared account context.
- Role-specific assistants: Separate Crewmates per role (Finance, HR), each limited to role-appropriate knowledge and access.
What subscription do Crewmates need?
Crewmates are part of Opti Assist, so you need an Opti Assist plan or higher. Some Crewmates can also be delivered pre-built as part of a Program.
Ask Opti and the AI assistant
Ask Opti is ORCA's AI chat. It is:
- Grounded in your knowledge. Answers draw on your uploaded documents and the regulatory library, with citations.
- Private and onshore. Your data stays in Australia and isn't used to train third-party models.
- Governed. The Safe Zone trust indicator and AI Guardian policies help keep outputs within your content and governance standards.
Automation: doing less of the repetitive work
ORCA lets you move from "doing compliance" to "compliance running itself." You can package repeatable capabilities, let the AI take actions (like creating an incident, task or risk, or generating a report), model multi-step processes end to end, and trigger work automatically — on a schedule, when an incident is created, or when something is about to expire. Crewmates bring these together under a single governed role. All of this is part of Opti Assist, with a full audit trail on every action.
Programs and verticals (NDIS, Defence and more)
A Program is an optional, pre-configured bundle that switches on a capability or an entire compliance vertical for your organisation. A vertical (for example NDIS) comes pre-loaded with the readiness checks, the standards framework, seeded knowledge and — where relevant — ready-made Crewmates for that sector.
How you get a Program: talk to your ORCA account team, or use a partner code if you've been given one. Your administrator or account team enables the Program for your organisation. Programs run alongside your base subscription — they're an add-on, not a separate plan.
Subscriptions: choosing your plan
ORCA offers a Free tier plus two paid families — Opti Assist (the AI + automation layer) and Opti Core (full GRC) — with enterprise and sovereign options at the top.
| Plan | Best for |
|---|---|
| Free | Trying ORCA; seeing your compliance path. |
| Opti Assist | The AI assistant, Crewmates and automation — for a solo operator or a small team. |
| Opti Core Starter | Teams that need a full GRC system of record. |
| Opti Core Professional | Growing compliance functions that also need Essential Eight cyber tracking and AI Guardian. |
| Opti Core Enterprise | Large, multi-team organisations, including supply chain/logistics. |
| Opti Core Sovereign | Government and sovereignty-critical organisations, arranged directly. |
For current plans, inclusions and pricing, see the in-app Plans page.
How to choose the right plan
- You just want to see where you stand → start on Free.
- You want the AI assistant, Crewmates and automation, but not full GRC → Opti Assist.
- You need a real GRC system of record (risk register, controls, frameworks, audits) → Opti Core Starter.
- You also need Essential Eight cyber tracking and/or AI Guardian governance → Opti Core Professional.
- You're a large org needing supply chain/logistics and lots of seats → Opti Core Enterprise.
- You have sovereignty, seating or credit requirements that don't fit a standard tier → Opti Core Sovereign (talk to the ORCA team).
- You're in a regulated vertical (e.g. NDIS) → keep your base plan and add the relevant Program.
Upgrading, downgrading and trials
- If you're on Free and eligible, you can start a 14-day trial of Professional-level features. At the end you return to Free unless you subscribe.
- Upgrades apply immediately — you don't wait for the next billing cycle to get the new capabilities. Add a promo code at checkout if you have one.
- Downgrades and cancellations take effect at the end of your current billing period, so you keep what you paid for until then. If you cancel entirely, you return to Free.
Common tasks — step by step
How do I ask ORCA a question about our compliance? Open Ask Opti and type your question. Answers are grounded in your knowledge and cite their sources. Upload relevant documents first for the most specific answers.
How do I create an AI teammate for a recurring role? Go to Crewmates → New Crewmate, set standing instructions, attach knowledge and tools, choose individual vs communal, test as a draft, then publish.
How do I automatically collect compliance evidence? Connect your integrations in Settings → Integrations, then map the collected artefacts to your controls.
How do I map a control to multiple frameworks? In Opti Core → Compliance/Controls, create or open a control and map it to the frameworks it satisfies. One control can satisfy ISO 27001, Essential Eight, NIST and more at once.
How do I produce a board report? Go to Reports, choose a board/executive template, brand and lay it out, then export to PDF/DOCX/CSV or schedule email delivery.
How do I track Essential Eight maturity? Use Opti Cyber (Professional and above) for Essential Eight maturity tracking and automated checks.
How do I govern our internal use of AI? Use Opti AI Guardian: set protection profiles, enable adversarial detection, and apply governance policies to Crewmates and chat.
How do I add a vertical like NDIS? Apply the relevant Program through your administrator or account team.
How do I upgrade my plan? In-app Plans page → choose tier → checkout (add a promo code if you have one). Changes apply immediately.
Glossary of ORCA terms
- Ask Opti — ORCA's private, onshore AI chat, grounded in your knowledge and the regulatory library.
- AI Guardian — ORCA's governance layer for generative AI: safety profiles, protection policies, trust scoring.
- Control — A compliance measure mapped to one or more frameworks, with status, tests and evidence.
- Crewmate — A configurable AI teammate you set up once with shared knowledge, tools, guardrails and memory.
- Evidence — Artefacts proving control effectiveness (documents, logs, screenshots), collected or uploaded and tracked for freshness.
- Program — An optional pre-configured bundle (often a compliance vertical like NDIS) enabled by your administrator or account team.
- Safe Zone — Trust indicator showing an AI response meets your security and policy standards.
- Vertical — A compliance-focused Program (e.g. NDIS) with readiness checks, a standards framework, seeded knowledge and Crewmates.