Security

Last updated: February 7, 2026

1. Our Security Commitment

At Orbit AI, security is not a feature we bolted on after the fact—it is foundational to how we design, build, and operate every part of our platform. From the moment data enters our systems to the moment it is deleted, every layer of the stack is engineered to protect your information.

We take a defense-in-depth approach, layering multiple independent security controls so that no single point of failure can compromise the integrity of your data. Our security practices encompass encryption, strict access controls, continuous monitoring, and proactive vulnerability management.

This page provides a transparent overview of the technical and organizational measures we employ to safeguard our platform, your accounts, and the data you entrust to us. We encourage you to read it alongside our Privacy Policy, Terms of Service, and GDPR Compliance documentation.

2. Infrastructure Security

Our platform is hosted on enterprise-grade cloud infrastructure operated by industry-leading providers with SOC 2 Type II, ISO 27001, and ISO 27017 certifications. We leverage the security capabilities of these providers while adding our own controls on top.

2.1 Network Architecture

Edge network distribution: Traffic is served through a globally distributed edge network that provides automatic DDoS mitigation, filtering malicious traffic before it reaches our application servers.
Environment isolation: Production, staging, and development environments are fully isolated from one another. Each environment uses separate databases, credentials, and network boundaries.
No direct database exposure: Databases are not accessible from the public internet. All data access flows through authenticated application layers and API gateways.

2.2 Deployment Security

Automated deployments: All code changes are deployed through automated CI/CD pipelines with no manual server access required. Human intervention in the deployment process is eliminated to reduce configuration errors.
Immutable infrastructure: Application instances are rebuilt from scratch on every deployment rather than modified in place, ensuring a clean and reproducible runtime environment.
Environment variable validation: All required configuration values and secrets are validated at application startup. The application will not start if critical security-related environment variables are missing or malformed.

3. Data Encryption

Encryption is a cornerstone of our data protection strategy. We employ strong, industry-standard algorithms for both data at rest and data in transit.

3.1 Encryption at Rest

Sensitive data stored within Orbit AI—including third-party API keys, integration credentials, and OAuth tokens—is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). AES-256-GCM provides both confidentiality and authenticity, meaning that encrypted data cannot be read or tampered with without the correct encryption key.

Each encrypted value uses a unique initialization vector (IV) to prevent pattern analysis.
Authentication tags are verified during decryption to detect any modification of ciphertext.
Database-level encryption is additionally provided by our infrastructure provider, creating a layered encryption model.

3.2 Encryption in Transit

All network communications with Orbit AI are encrypted using TLS 1.2 or higher. This applies to every connection: browser sessions, API calls, webhook deliveries, and internal service-to-service communication. We enforce HTTPS across the entire platform—HTTP connections are automatically redirected to HTTPS. HSTS (HTTP Strict Transport Security) headers instruct browsers to only communicate with us over secure channels.

3.3 Key Management

Encryption keys are stored separately from the data they protect and are never committed to source code or included in application bundles. Keys are injected at runtime through secure environment variable management and are accessible only to the application processes that require them.

4. Application Security

We implement multiple layers of application-level security controls to defend against common web vulnerabilities and attack vectors.

4.1 Cross-Site Request Forgery (CSRF) Protection

All state-changing API requests are protected against CSRF attacks through origin header validation. Every mutating request is verified to originate from an authorized domain before it is processed. Requests that fail origin verification are rejected with a 403 status code.

4.2 Cross-Site Scripting (XSS) Prevention

We implement a strict Content Security Policy (CSP) using nonce-based script loading. Every inline script receives a unique, cryptographically random nonce per request, preventing the execution of unauthorized scripts. Additionally, all user-supplied content is sanitized before rendering, and output encoding is applied consistently throughout the application.

4.3 SQL Injection Prevention

All database queries use parameterized statements through our ORM and query builders. User input is never interpolated directly into SQL strings. Additionally, Row-Level Security (RLS) policies are enforced on every database table, ensuring that even in the event of an application-layer bypass, data access is constrained to the authenticated user's authorized scope.

4.4 Input Validation and Sanitization

All incoming data is validated and sanitized at the application boundary. Our input handling includes:

Type and schema validation: Inputs are validated against strict schemas before processing.
HTML sanitization: Any user-provided HTML (such as webhook content) is sanitized to strip dangerous tags and attributes.
Prototype pollution prevention: Object merging and deserialization operations are hardened against prototype pollution attacks.
SSRF protection: Server-side requests are validated against an allowlist to prevent Server-Side Request Forgery, blocking requests to internal networks and private IP ranges.

4.5 Security Headers

Every response from Orbit AI includes a comprehensive set of security headers:

Strict-Transport-Security (HSTS): Enforces HTTPS-only connections with a long max-age.
X-Content-Type-Options: Prevents MIME-type sniffing with the nosniff directive.
X-Frame-Options: Controls framing to prevent clickjacking attacks.
Permissions-Policy: Restricts access to browser APIs such as camera, microphone, and geolocation.
Referrer-Policy: Limits the information sent in the Referer header to protect user privacy.
Content-Security-Policy: Nonce-based CSP restricting script sources, style sources, and other resource loading.

4.6 Rate Limiting

API endpoints are protected by distributed rate limiting backed by Redis, with an automatic in-memory fallback to maintain protection even during cache outages. Rate limits are applied per-IP and per-authenticated-user to prevent abuse, brute-force attacks, and resource exhaustion. Limits are calibrated per endpoint based on expected usage patterns, with stricter thresholds for authentication-related endpoints.

4.7 Webhook Security

Inbound webhooks are verified using HMAC-SHA256 signature validation. Each webhook payload is signed with a shared secret, and the computed signature is compared against the provided signature using a constant-time comparison to prevent timing attacks. Payloads that fail verification are rejected.

4.8 File Upload Security

File uploads are restricted through multiple controls:

File type allowlist: Only explicitly approved file types are accepted.
Magic byte validation: File contents are inspected to verify that the actual file type matches the declared content type, preventing extension spoofing.
Size limits: Maximum file sizes are enforced to prevent storage abuse and denial-of-service.
Isolated storage: Uploaded files are stored in isolated object storage, separate from application code and databases.

5. Authentication and Access Control

Robust authentication and granular access control are essential to preventing unauthorized access. Orbit AI provides multiple layers of identity verification and permission enforcement.

5.1 Multi-Factor Authentication (MFA)

Orbit AI supports multi-factor authentication via Time-Based One-Time Passwords (TOTP). When enabled, users must provide a temporary code from an authenticator application in addition to their password. This significantly reduces the risk of unauthorized access even if a password is compromised.

5.2 Session Management

Inactivity timeout: Sessions are automatically terminated after 30 minutes of inactivity. Users are prompted before timeout and must re-authenticate to continue.
Secure session tokens: Session identifiers are generated using cryptographically secure random values and are transmitted only over encrypted connections.
Active session management: Users can view their active sessions and revoke any session from their account settings.

5.3 Password Policy

Passwords must be at least 8 characters long and include a combination of uppercase letters, lowercase letters, numbers, and special characters. Passwords are hashed using modern, computationally expensive hashing algorithms before storage—plaintext passwords are never stored or logged.

5.4 Role-Based Access Control (RBAC)

Access within Orbit AI is governed by a team-based model with role-based permissions. Each team member is assigned a role that determines their level of access to resources, settings, and administrative functions. Roles follow the principle of least privilege—users are granted only the permissions necessary for their responsibilities. Row-Level Security (RLS) policies are enforced at the database layer, ensuring that authorization is checked on every query regardless of the application path.

5.5 API Authentication

Programmatic access to Orbit AI is authenticated through two mechanisms:

OAuth 2.0: Third-party integrations authenticate via the OAuth 2.0 authorization framework, with scoped tokens that limit access to only the required resources.
API keys: API keys are generated per team and are encrypted at rest using AES-256-GCM. Keys can be revoked instantly, and usage is logged for audit purposes.

6. Data Privacy and Minimization

We collect and retain only the data necessary to provide our Services. Our data handling practices are designed around the principles of purpose limitation and data minimization.

6.1 IP Address Hashing

Orbit AI does not store plaintext IP addresses. When IP-based analytics or fraud detection is required, IP addresses are irreversibly hashed using SHA-256 before storage. This allows us to detect patterns (such as duplicate submissions or abuse) without retaining personally identifiable network information.

6.2 Configurable Data Retention

Account administrators can configure data retention periods for their workspaces. When retention periods are set, data that exceeds the configured age is automatically purged from our systems through scheduled cleanup processes. This helps organizations comply with their own data governance policies and regulatory requirements.

6.3 Right to Erasure and Data Export

In accordance with applicable privacy regulations, users may request the deletion of their personal data or a complete export of the data we hold. Erasure requests are processed promptly, and we verify that data is removed from primary storage and any backups within the documented retention window. For details, see our Privacy Policy and GDPR Compliance documentation.

6.4 Cookie Consent

Orbit AI provides a cookie consent management system that gives users control over non-essential cookies and tracking technologies. Consent preferences are respected across sessions and can be updated at any time.

7. AI Security

Orbit AI incorporates artificial intelligence features such as smart form generation, contact enrichment, lead scoring, and workflow automation. We take the following measures to ensure that AI capabilities do not compromise the security or privacy of your data.

7.1 Data Sent to AI Providers

When AI features are invoked, the minimum data necessary to perform the requested operation is transmitted to our AI processing providers. All data sent to AI providers is encrypted in transit using TLS 1.2+. We select AI providers that contractually commit to not using customer data for model training purposes.

7.2 Isolated Processing

AI processing requests are isolated per tenant. Your data is never mixed with data from other accounts during AI operations. Responses from AI providers are validated and sanitized before being stored or displayed within the application.

7.3 Transparency and Control

Users have full control over whether AI features are used within their workflows. AI processing is never performed without explicit user initiation. For more details on how we handle AI-related data, see our AI Policy.

8. Monitoring and Incident Response

Continuous monitoring and rapid incident response are critical to maintaining the security of any platform. Orbit AI invests in both to ensure threats are detected and addressed quickly.

8.1 Structured Logging

All significant application events are captured through structured audit logging, producing machine-readable records that enable efficient analysis and alerting. Security-relevant events—such as authentication attempts, permission changes, data access, and configuration modifications—are logged with metadata including timestamps, actor identifiers, and affected resources.

8.2 Security Event Monitoring

Dedicated security event logging tracks critical activities including failed authentication attempts, CSRF violations, rate limit breaches, and suspicious request patterns. These events are monitored for anomalies that may indicate an attack or compromise.

8.3 Error Tracking with PII Sanitization

Application errors are tracked through a centralized error monitoring service. Before error data is transmitted, personally identifiable information (PII) is stripped from stack traces, request bodies, and headers. This ensures that debugging information remains useful without exposing sensitive user data.

8.4 Incident Response Procedures

Orbit AI maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident, affected customers are notified in accordance with applicable data breach notification laws and our contractual obligations. Our target for initial incident assessment is within one hour of detection.

8.5 Audit Trails

Comprehensive audit trails are maintained for administrative actions, configuration changes, and data access events. These trails are retained for a minimum period sufficient to support security investigations and compliance audits, and are protected against unauthorized modification.

9. Vulnerability Management

We take a proactive approach to identifying and remediating security vulnerabilities before they can be exploited.

9.1 Dependency Scanning

Third-party dependencies are continuously monitored for known vulnerabilities through automated scanning. When a vulnerability is identified in a dependency, our team evaluates the impact and applies patches or mitigations promptly. Critical and high-severity vulnerabilities are prioritized for immediate resolution.

9.2 Security Code Reviews

All code changes undergo peer review before being merged into the production branch. Security-sensitive changes—including authentication logic, encryption implementations, and access control modifications—receive additional scrutiny with a focus on secure coding practices.

9.3 Responsible Disclosure Program

We welcome reports from security researchers and the broader community. If you discover a vulnerability in Orbit AI, we ask that you disclose it responsibly by contacting us at security@orbitforms.ai before making any public disclosure. We commit to acknowledging receipt within 48 hours and providing regular updates on our investigation and remediation progress.

10. Compliance

Orbit AI aligns its security program with recognized industry standards and regulatory frameworks. We continuously evaluate and improve our controls to meet evolving compliance requirements.

10.1 SOC 2 Readiness

Our security controls are designed in alignment with the SOC 2 Trust Services Criteria, covering security, availability, processing integrity, confidentiality, and privacy. We maintain documentation and evidence of our controls as part of our ongoing SOC 2 readiness program.

10.2 ISO 27001 Alignment

Our information security management practices follow the ISO 27001 framework, including risk assessment processes, control implementation, and continuous improvement cycles. We apply this framework to guide our policies, procedures, and technical controls.

10.3 GDPR Compliance

Orbit AI is designed to help our customers comply with the European Union's General Data Protection Regulation (GDPR). We provide data processing agreements, support data subject access requests, and implement the technical and organizational measures required under Articles 25 and 32 of the GDPR. For detailed information, see our GDPR Compliance page.

10.4 CCPA Compliance

For California residents, Orbit AI complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We honor requests to know, delete, and opt out of the sale of personal information. We do not sell personal information. For more details, see our Privacy Policy.

11. Employee Security

Security extends beyond code and infrastructure to the people who build and operate the platform. Orbit AI maintains organizational security measures to reduce human-related risk.

11.1 Least Privilege Access

Internal access to production systems, databases, and customer data is governed by the principle of least privilege. Team members are granted access only to the systems and data necessary for their specific role. Access grants are reviewed periodically and revoked when no longer needed.

11.2 Security Training

All team members receive security awareness training that covers secure development practices, phishing recognition, data handling procedures, and incident reporting protocols. Engineering team members receive additional training on application security topics relevant to their work.

11.3 Access Controls for Personnel

Production system access requires multi-factor authentication. Credentials are managed through centralized identity management, and access is revoked immediately upon role change or departure. Administrative actions on production systems are logged and auditable.

12. Business Continuity

Orbit AI is designed for high availability and resilience, ensuring that your workflows and data remain accessible even during disruptions.

12.1 Automated Backups

Database backups are performed automatically on a regular schedule. Backups are encrypted at rest and stored in a geographically separate location from the primary database to protect against regional failures. Backup integrity is verified periodically through restoration testing.

12.2 Disaster Recovery

We maintain a disaster recovery plan that defines procedures for restoring service in the event of a major infrastructure failure. Recovery objectives are documented and tested to ensure that data loss and downtime are minimized. Our infrastructure is designed so that critical components can be rebuilt and restored from backup within defined recovery time objectives.

12.3 High Availability

The Orbit AI platform is architected for high availability with redundancy across key components. Our edge network, application servers, and database infrastructure are distributed to avoid single points of failure. Health checks and automatic failover mechanisms ensure that service interruptions are detected and resolved with minimal impact.

13. Responsible Disclosure

We value the work of security researchers and believe that responsible disclosure of vulnerabilities makes the internet safer for everyone. If you believe you have found a security vulnerability in Orbit AI, we encourage you to report it to us.

How to Report

Email your findings to security@orbitforms.ai.
Include a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence (screenshots, logs, proof-of-concept code).
Please do not access, modify, or delete data belonging to other users during your research.
Allow us reasonable time to investigate and remediate the issue before any public disclosure.

Our Commitment

We will acknowledge receipt of your report within 48 hours.
We will provide an estimated timeline for remediation.
We will keep you informed of our progress.
We will not take legal action against researchers who follow responsible disclosure guidelines.
We will credit researchers (with permission) when a vulnerability is resolved.

14. Contact

If you have questions about our security practices, need to report a security concern, or would like to request additional information about the measures described on this page, please reach out to us.

Security inquiries and vulnerability reports: security@orbitforms.ai
Privacy and data protection inquiries: privacy@orbitforms.ai

For more information about how we handle your data, please review our Privacy Policy, Terms of Service, GDPR Compliance, and AI Policy.