Security

Security is as important to us as it is to you. We know you are placing trust in us and guarantee that we will not knowingly compromise that. We strive to provide a reliable and secure environment, while maintaining a high speed of development and growth.

Data Security

Orbit management has approved all policies that detail how customer data may be made accessible and should be handled confidentially. These policies are accessible to all employees and contractors. Orbit is fully compliant with GDPR regulations and best practices for information and data privacy.

Orbit authorises access to information resources, including data and the systems that store or process customer data, based on the principle of least privilege. Orbit only collects basic, non-identifying data such as page loads. No personal or private data is collected by default.

Orbit stores all its data in AWS (eu-west-1 region), encrypted at rest with AES-256 block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume.

Orbit’s transactional email provider, Postmark, uses opportunistic TLS encryption, which is becoming the standard for SMTP. Read more about this here.

Orbit does not handle any credit card information. We use Stripe, a first-class payment processor, which is PCI-Compliant and maintains security best practices. You can read more about these here.

Infrastructure Security

All of Orbit’s services run in the cloud. Orbit does not run its own routers, load balancers, DNS servers, or physical servers. We place our services behind private IP addresses that can be accessed only by the relevant applications that depend on them. We host different components of our application and our APIs separately.

The vast majority of Orbit’s services and data are hosted on Heroku (part of Salesforce App Cloud) and Amazon Web Services (AWS) facilities in the USA. Both Heroku and AWS maintain best-in-class security processes and equipment, including reports, certifications, and independent assessments. You can read about this for Heroku here and for AWS here.

Orbit’s Heroku data center is based in the US, which has been accredited under: ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FISMA Moderate; and Sarbanes-Oxley (SOX). Orbit’s data is stored using our database provider, Heroku Postgres. Data is backed up daily and all backup files are taken using Heroku PGBackups. These backups are stored in an encrypted S3 bucket in the US region. You can read more here.

Orbit is served over HTTPS with HSTS preloaded for useorbit.io and all Orbit web application communications (incl. cookies) are encrypted over 256-bit TLS. Our certificates are 2048-bit RSA, signed with SHA256. Orbit ensures that all connections to its web application from its users are encrypted and TLS protocols are enforced.

Orbit has implemented monitoring tools (such as Rollbar and Sentry) for Orbit’s databases, servers, and web platform. These notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.

Orbit requires two-factor authentication to access sensitive systems and applications in the form of user ID, password, OTP and/or certificate. No public SSH is allowed to any of the internal Orbit servers and platforms.

Orbit engages with a third party to conduct vulnerability scans and penetration tests of the production environment at least annually. Results are reviewed by management and high priority findings are tracked to resolution. Orbit aims to maintain 99.9% uptime or higher across our services.

Organisational Security

Orbit’s new hires and/or internal transfers are required to go through an official recruiting process, during which their qualifications and experience are screened to ensure that they are competent and capable of fulfilling their responsibilities. Orbit Management has approved security policies, and all employees agree to these procedures when hired. Management also ensures that security policies are accessible to all employees and contractors. Orbit conducts background checks for all employees that have access to customer data.

Orbit has established training programs for privacy and information security to help employees understand their obligations and responsibilities to comply with Orbit’s security policies and procedures. This includes the identification and reporting of any incidents. All full-time employees and contractors are required to complete this training.

Orbit reviews its organisational structure, reporting lines, authorities, and responsibilities in terms of information security on an annual basis. Access to infrastructure and code review tools is removed from terminated employees within one business day.

Orbit has a defined System Access Control Policy that requires annual access control reviews to be conducted and access request forms be filled out for new hires and/or employee transfers.

Orbit has established formal guidelines for passwords to govern the management and use of authentication mechanisms, including the use of a password manager.

Orbit ensures that all company-issued (managed by the organisation) computers use a screensaver lock with a timeout of no more than 60 seconds, and have encrypted hard disks. Further, security patches are applied automatically and antivirus software is installed on workstations to protect the network against malware.

Orbit uses a version control system to manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system admin. Only authorised Orbit personnel can push or make changes to production code.

Orbit operates a test-driven development approach. This means Orbit builds rigorous tests, which must pass before any new code is deployed into production environments.

Orbit tracks security deficiencies through internal tools and closes them within an SLA that management has pre-specified.

Orbit provides a process for reporting security, confidentiality, integrity, and availability failures, incidents, concerns, and other complaints to external users and workforce members.

Orbit uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.

Orbit has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks, based on identified threats and the specified tolerances.

Orbit engages with a third party to conduct a Risk Assessment at least annually. Results are reviewed by management and high priority findings are tracked to resolution.

Orbit has an established BC/DR plan that outlines roles, responsibilities and detailed procedures for recovery of systems.

Orbit has implemented an Incident Response Policy that includes creating, prioritising, assigning, and tracking follow-ups to completion. This also includes responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents and annual testing.