Security & Compliance

The security of the service we provide is central to how we build and operate Orbit. Membership organizations trust us with their members' data, and we take that responsibility seriously.

This page describes how we protect your data, the security practices we follow, and our compliance posture.


Compliance & Privacy

GDPR-aligned — Data subject rights (access, rectification, erasure, portability) are supported through self-service account management and admin tools. We act as a data processor on behalf of Organizations (data controllers) and provide a Data Processing Agreement (DPA) to all customers.

CCPA-aligned — We do not sell personal information.

PIPEDA-aligned — As a British Columbia-incorporated company, we comply with Canadian federal privacy law (Personal Information Protection and Electronic Documents Act).

SOC 2 — We have implemented controls aligned with the SOC 2 Security Trust Service Criteria, covering access control, change management, system operations, risk management, and data protection. We maintain formal internal policies (Information Security, Access Control, Change Management, Incident Response, Data Protection, Backup & Recovery, Vendor Management, and Acceptable Use) and are working toward independent audit certification.

PCI DSS — All payment processing is handled by Stripe, a PCI DSS Level 1 certified processor. We never store, process, or transmit cardholder data — card details go directly to Stripe and never touch our servers.

We are happy to discuss our security posture with current and prospective customers. Contact security@orbitams.com for details.


Infrastructure & Architecture

Network and Hosting

Orbit is hosted on managed cloud infrastructure in the United States (Heroku/AWS). Our infrastructure includes:

  • Automated server provisioning and scaling
  • Managed database services (PostgreSQL) with automated failover
  • CDN, DDoS protection, and Web Application Firewall (WAF) services via Cloudflare
  • File storage via Cloudflare R2 (US East region) with built-in redundancy
  • Redis caching hosted in the United States
  • Separate development and testing environments; production data is not used in development or testing

By default, our systems are configured with least-privilege access. Unused services and ports are disabled.

Tenant Isolation

Every organization on Orbit operates in a completely isolated database environment. We use PostgreSQL schema-based multi-tenancy, which means:

  • Each organization's data is stored in its own dedicated database schema
  • One organization's data is never accessible to another
  • Queries are automatically scoped — there is no possibility of cross-tenant data leakage at the application level
  • API access tokens are scoped per-tenant

Encryption

In Transit: All data transmitted between your browser and Orbit is encrypted using TLS 1.2+ (HTTPS). We enforce HTTPS on all connections and use HSTS headers.

At Rest: All databases and file storage are encrypted at rest using AES-256 encryption provided by our infrastructure providers.

Application-Level: Sensitive integration tokens (payment processor, video conferencing, OAuth credentials) are individually encrypted at the application level using Fernet symmetric encryption before storage in the database. Passwords are hashed using PBKDF2 with SHA-256 — we never store plaintext passwords.
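
As an added illustration of the password-hashing half of the above (example code, not Orbit's own), the block below stores a password as PBKDF2-HMAC-SHA256 and verifies it in constant time. The "pbkdf2_sha256$iterations$salt$hash" record layout and the 600,000-iteration work factor are assumptions; the page names only the algorithm.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example, not Orbit's code. Stores passwords as PBKDF2-HMAC-SHA256
# in a "pbkdf2_sha256$<iterations>$<salt>$<base64 hash>" string; that layout is
# the one Django uses and is assumed here, since the page names only the algorithm.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune so one hash costs ~100 ms


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return the encoded hash; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in constant time."""
    try:
        algorithm, iterations_text, salt, _stored = encoded.split("$", 3)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hash_password(password, iterations, salt)
    # compare_digest does not short-circuit, so timing does not reveal the first differing byte
    return hmac.compare_digest(candidate, encoded)


def needs_rehash(encoded: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash is below the current work factor (rehash on next successful login)."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```

A store that checks needs_rehash at login can raise the work factor over time without a forced password reset.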


Data Access and Auditing

Our software development lifecycle is subject to a formal Change Management Policy. All changes to the system are captured in an auditable, reversible trail (Git version control with pull request review). Code review is required before any change is merged to the production branch.

Access to production systems is restricted to authorized personnel on a need-to-know basis, following the principle of least privilege. We conduct periodic access reviews to ensure access permissions remain appropriate.

All access to our systems is logged. We use centralized error monitoring and application logging to detect anomalies and respond to incidents.


Authentication & Access Control

For Your Members

  • Email-based authentication — no insecure username/password patterns
  • Strong password requirements — minimum length, common password detection, and similarity checks
  • Email verification — all accounts require verified email addresses
  • Optional admin approval — require administrator approval before new accounts become active
  • Social login — Google OAuth with PKCE (Proof Key for Code Exchange) for enhanced security
  • Custom SSO — connect your own identity provider via OAuth2/OIDC with PKCE support

For Administrators

  • Role-based access control — three distinct roles (Member, Staff, Admin) with enforced permission boundaries
  • Granular permissions — every admin action is protected by role-checking middleware
  • Session management — configurable session timeouts with secure cookie handling (HttpOnly, Secure flags)

Application Security

Secure Development Practices

  • No raw SQL — we use an ORM exclusively, eliminating SQL injection risks
  • CSRF protection — all forms are protected against cross-site request forgery
  • XSS prevention — automatic output escaping in all templates, clickjacking protection headers
  • Input validation — all user inputs are validated and sanitized at multiple levels
  • File upload security — file type validation, size limits, UUID-based storage paths to prevent path traversal
  • Signed URLs — private files are served via time-limited, signed URLs
  • Dependency management — we monitor dependencies for known vulnerabilities and apply security patches

Secret Management

  • All credentials and API keys are stored in environment variables — never in source code
  • Secrets are managed through our hosting provider's encrypted configuration system
  • Database credentials, API keys, and webhook secrets are all isolated from the codebase

Payment Security

We use Stripe for all payment processing. Stripe is a PCI DSS Level 1 certified payment processor — the highest level of certification in the payments industry.

  • We never store credit card numbers — card details go directly to Stripe
  • Webhook verification — all payment notifications are cryptographically verified
  • Stripe Connect — each organization connects their own Stripe account, providing additional payment isolation
  • Tokenized payments — all payment references use Stripe's secure token system
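
The webhook verification bullet above, shown as an added example rather than Orbit's or Stripe's code: it checks a Stripe-style signature header (a timestamp plus one or more HMAC-SHA256 values over the raw body) and rejects tampered bodies, wrong secrets and replayed events. The 300-second tolerance and the constructed secret and event body are assumptions.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed example, not Orbit's or Stripe's code. Checks a Stripe-style
# "Stripe-Signature: t=<unix ts>,v1=<hex>[,v1=<hex>]" header: the v1 value is
# HMAC-SHA256 over "<ts>.<raw request body>" keyed with the endpoint's signing secret.
TOLERANCE_SECONDS = 300  # assumed replay window; Stripe's own library defaults to 300


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 hex digest over the timestamp-prefixed raw body."""
    signed_payload = f"{timestamp}.".encode("utf-8") + payload
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Split the header into its timestamp and every v1 signature it carries."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only for an untampered body signed with our secret inside the replay window.
    Call this on the raw bytes before JSON-decoding: re-serialised JSON will not match."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    if abs(now - timestamp) > tolerance:
        return False  # stale event, or a captured request being replayed
    expected = compute_signature(secret, timestamp, payload)
    # Several v1 values appear while a signing secret is being rotated; any one may match
    return any(hmac.compare_digest(expected, sig) for sig in signatures)
```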

Monitoring and Incident Response

We use application error monitoring (with PII collection disabled) and infrastructure-level monitoring through our hosting provider. Error reports include technical context but do not include user email addresses or IP addresses.

Our response to security incidents is covered by a formal Incident Response Plan. In the event of a confirmed security incident affecting customer data, we will notify affected customers within 72 hours of discovery and coordinate research and remediation.

Vulnerability reports from monitoring tools, dependency scanning, and security researchers are triaged and remediated based on severity — critical issues are addressed with the highest priority.


Recovery

  • Automated database backups with point-in-time recovery, retained on a rolling schedule
  • File storage with built-in redundancy and high durability (Cloudflare R2)
  • Source code continuously backed up via Git (GitHub)
  • Disaster recovery procedures are documented and periodically reviewed

A formal Backup & Recovery Policy defines recovery time objectives and procedures for database, application, and file recovery.


Data Protection

  • Account deletion is self-service with email confirmation, permanently removing personal data
  • Data anonymization — when accounts are deleted, associated records (event registrations, purchases, analytics) are anonymized rather than deleted, preserving organizational reporting while removing personal identifiers
  • Data export — organization administrators can export member data in Excel and JSON formats. Individual members may request a copy of their personal data.
  • Data minimization — we collect only data necessary for service operation. Optional fields (profile photo, directory info, location) are user-controlled.
  • Data retention — we define specific retention periods for each data category and do not retain data longer than necessary

Email Security

  • Transactional emails are sent through authenticated email infrastructure with SPF, DKIM, and DMARC support
  • Bounce and complaint monitoring — automated monitoring with configurable thresholds to maintain sender reputation
  • Unsubscribe management — one-click unsubscribe in all marketing emails, with separate controls for marketing vs. operational notifications
  • Rate limiting — daily and per-minute sending limits prevent abuse
  • Suppression lists — email addresses that bounce or report spam are automatically suppressed

Vendor Security

We carefully select vendors that meet high security standards and maintain Data Processing Agreements (DPAs) with vendors that process customer data. We periodically review vendor security certifications.

Vendor        Purpose                                    Compliance
Stripe        Payment processing                         PCI DSS Level 1, SOC 2 Type II
Cloudflare    CDN, file storage, WAF, DDoS protection    SOC 2 Type II, ISO 27001
Heroku/AWS    Application hosting                        SOC 2 Type II, ISO 27001
Postmark      Email delivery                             SOC 2 Type II
Zoom          Virtual event hosting                      SOC 2 Type II

A full list of sub-processors is maintained separately and available upon request.


Data Residency

Primary data hosting is in the United States (AWS infrastructure). The platform operator (Empathy Works Inc.) is incorporated in British Columbia, Canada. For customers with data residency requirements, please contact us to discuss available options.


Responsible Disclosure

If you discover a security vulnerability, we want to hear about it. Please report security issues to:

Email: security@orbitams.com

We ask that you:

  • Give us reasonable time to respond before making any information public
  • Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Do not access or modify other users' data

We will not take legal action against researchers who follow these guidelines.


Questions?

If you have questions about our security practices or need additional information for your organization's vendor assessment, contact us at security@orbitams.com.


Last updated: March 23, 2026
