Orbis

Security

Last updated: 5 April 2026

Our Commitment

Security is fundamental to Orbis. We implement industry-standard measures to protect your data and ensure the integrity of our platform. This page outlines our security practices and infrastructure.

Infrastructure

  • Hosting — Our platform is hosted on Amazon Web Services (AWS) within the EU (eu-north-1, Stockholm). All data remains within the European Economic Area.
  • Encryption in transit — All connections use TLS 1.2+ encryption. We enforce HTTPS across all endpoints.
  • Encryption at rest — All databases and storage volumes are encrypted using AES-256.
  • Network security — Our infrastructure uses VPCs, security groups, and network ACLs to isolate and protect resources.

Authentication & Access

  • Authentication — User authentication is handled through AWS Cognito with secure token-based sessions.
  • Password policy — We enforce minimum password complexity requirements and secure password hashing.
  • Access control — Internal access to production systems follows the principle of least privilege. All access is logged and audited.

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to your full credit card details. All payment data is transmitted directly to Stripe over encrypted connections.

Data Protection

  • GDPR compliance — We process personal data in accordance with the EU General Data Protection Regulation.
  • Data minimisation — We only collect data that is necessary for providing the Service.
  • Data retention — Personal data is retained only as long as necessary. Account data is deleted within 30 days of account closure.
  • Sub-processors — All third-party sub-processors are bound by data processing agreements compliant with GDPR.

Application Security

  • Dependency management — We regularly audit and update dependencies to address known vulnerabilities.
  • Input validation — All user inputs are validated and sanitised to prevent injection attacks.
  • CORS & CSP — We implement strict Cross-Origin Resource Sharing and Content Security Policies.

Incident Response

In the event of a security incident involving personal data, we will:

  • Notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms.
  • Document the incident, its effects, and the remedial actions taken.

Responsible Disclosure

If you discover a security vulnerability, we encourage responsible disclosure. Please contact us at news@orbisx.ai with details. We ask that you:

  • Do not access or modify other users' data.
  • Provide sufficient detail for us to reproduce and address the issue.
  • Allow reasonable time for us to respond before any public disclosure.

Contact

For security-related questions or concerns, contact us at news@orbisx.ai.