Security at Orbit
Last updated: May 13, 2026
Orbit handles customer messages, voice calls, contact data, and AI-agent transcripts on behalf of brands and developers. This page summarises the technical and operational controls we run today, and is kept in sync with what the code actually does — not aspirational marketing.
What we encrypt
Sensitive fields are wrapped in an AES-256-GCM envelope (versioned enc:v1:) with per-row IV and authentication tag. The encryption key is held in Google Cloud Secret Manager and rotated per the rotation schedule below.
- Tenant API tokens and webhook signing secrets at rest.
- Inbound and outbound OAuth tokens (Meta WABA, Telnyx one-shot import, Stripe Connect, etc.).
- Customer-supplied PII when written to long-term storage (audit-log linkage rows, suppression-list entries).
- Vector-store chunk content backing retrieval-augmented generation (RAG) for AI agents — chunk payloads encrypted before write to Qdrant.
- All transport: TLS 1.2+ enforced on every public endpoint and on every internal hop between microservices and managed datastores.
Tenant isolation
Every Orbit customer (organization) gets a dedicated Postgres schema and a tenant-scoped namespace across every shared resource. Cross-tenant data leakage is prevented structurally, not by application-layer checks alone.
- Per-tenant Postgres schema (tenant_<id>); raw SQL interpolation passes through a single sanitiser with a hard regex allowlist.
- Per-tenant cache namespaces in Redis (consistent hash-tag prefix {devotel}: on every key).
- Per-tenant BullMQ queue context; webhook delivery, campaign batching, and webhook signing all carry tenant identity end-to-end.
- Suppression lists, consent records, and STOP/START state are tenant-scoped — a contact who opts out of Tenant A is NOT auto-suppressed for Tenant B.
- OAuth tokens issued to a connected provider are scoped to the tenant that performed the connect.
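The schema sanitiser and cache-key convention above, as an added example (not Orbit's code): one function is the only path from a tenant id to a schema identifier and rejects anything outside a hard allowlist, and a key builder puts the `{devotel}:` hash-tag prefix on every Redis key. The tenant-id alphabet, the exact regex, and the `search_path` statement are assumptions for illustration.

```javascript
// Added example (not Orbit's code): allowlist-based tenant schema sanitiser
// and Redis key builder. Id alphabet and regex are assumptions.

const TENANT_ID = /^[a-z0-9]{1,32}$/;      // assumed id alphabet
const SCHEMA = /^tenant_[a-z0-9]{1,32}$/;   // the only schema shape ever emitted

// Single choke point: every schema name used in raw SQL comes from here.
function tenantSchema(tenantId) {
  if (typeof tenantId !== 'string' || !TENANT_ID.test(tenantId)) {
    throw new Error('invalid tenant id');
  }
  const schema = `tenant_${tenantId}`;
  if (!SCHEMA.test(schema)) throw new Error('schema name rejected'); // belt and braces
  return schema;
}

// The schema is the only interpolated piece and has already passed the
// allowlist; it is also double-quoted as an identifier so a later change to
// the alphabet cannot silently re-introduce injection through this string.
function setSearchPathSql(tenantId) {
  return `SET search_path TO "${tenantSchema(tenantId)}"`;
}

// Every cache key carries the {devotel}: hash tag (so keys share a Redis
// Cluster slot) and the tenant id as its own segment, so two tenants can
// never collide on the same key name.
function tenantKey(tenantId, ...segments) {
  tenantSchema(tenantId); // reuse the allowlist rather than a second regex
  return `{devotel}:${tenantId}:${segments.join(':')}`;
}
```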
Authentication and access
- Dashboard sign-in is via Clerk: email + password, SSO (Google, Microsoft, GitHub, SAML for enterprise plans), magic links, and multi-factor authentication (TOTP / SMS / passkey).
- Per-tenant API keys with rotation, scoping, and audit trail. Revocation is immediate.
- Webhook deliveries are signed with HMAC-SHA256 over a tenant-specific signing secret. Signatures fail closed when a secret is set.
- Internal service-to-service calls use HMAC-SHA256, not bearer tokens — Clerk authentication is never used on internal endpoints.
- Production database, secret manager, and Kubernetes cluster access is gated by Google Workload Identity and reviewed quarterly.
Operational posture
- Production runs on Google Kubernetes Engine in europe-west1 (Belgium) with a cross-region Cloud SQL read replica in europe-west2 (London).
- Cloud SQL is configured with enhanced point-in-time recovery (PITR), automated daily backups retained for 30 days, and deletion-protection enabled. Target RPO ≤ 7 minutes for the primary database.
- Append-only audit log with a chained-hash record format — tampering breaks the chain and is detected by the integrity check on read.
- Backups are encrypted at rest with customer-managed encryption keys (CMEK) and stored in a separate GCP project from the live workload.
- Incident response runbooks cover provider outages, data exposure, suspected account takeover, and carrier-side abuse reports. Post-incident reviews publish a redacted RCA within 10 business days.
- Application errors and performance regressions are monitored continuously; per-service alerts page the on-call engineer.
Compliance — in progress
We are pre-launch and have NOT yet completed a third-party audit. The status below is honest, not aspirational. If you need a signed report or a contractual commitment to a specific framework, please contact trust@devotel.io — we can share documented controls under NDA and discuss a timeline that matches your procurement process.
- SOC 2 Type II — controls documented; auditor selection in planning. No report available yet.
- ISO 27001 — controls documented and mapped to Annex A; formal certification not yet pursued.
- HIPAA — Business Associate Agreement (BAA) available on request for qualifying healthcare customers, reviewed case-by-case. Default account configuration is NOT HIPAA-eligible; contact us before sending PHI.
- PCI DSS — cardholder data never traverses Orbit systems; payment processing is handled entirely by Stripe (PCI DSS Level 1). Orbit is out of scope for direct PCI assessment.
- GDPR — primary processing is performed in the EU. Standard Contractual Clauses are incorporated by reference in our Data Processing Agreement.
Report a security issue
If you believe you have found a security vulnerability in Orbit, please email security@devotel.io with a clear description of the issue, steps to reproduce, and any supporting evidence. We commit to:
- Acknowledging your report within 2 business days.
- Providing a preliminary triage and severity assessment within 5 business days.
- Coordinated disclosure on a 90-day timeline by default, accelerated when patch and rollout are faster.
- Public credit, with your permission, in the post-resolution write-up.
A formal bug-bounty program is on the roadmap. Until it launches, in-scope reports that lead to a confirmed fix are eligible for discretionary recognition — please ask in your initial email.
More information
- Trust Center — data residency, subprocessor list, control mappings.
- Data Processing Agreement
- Privacy Policy
- Subprocessor list