Trust Center
Last updated: 2026-05-13
Everything procurement, security, and legal teams typically ask about, in one place. We keep this page in sync with what the platform actually does — if you spot a gap or need something not listed, email trust@devotel.io.
Data residency
Production data is processed in the European Union. Primary workload runs in Google Cloud europe-west1 (Belgium) with a Cloud SQL cross-region read replica in europe-west2 (London) for disaster recovery.
Current limitations: we do not yet offer US-only, UK-only, or APAC-only data residency. Customers with a regulatory requirement for region-pinned processing should contact trust@devotel.io so we can scope the work; this is on the roadmap but not GA.
Inbound message and call content may transit a carrier or channel provider before reaching Orbit; each subprocessor's region is listed in the table below.
Subprocessors
Orbit engages the third-party processors listed below to deliver the service. Each is contractually required to protect customer data and use it solely for the services they perform on our behalf. For a standalone page suitable for change-notification subscription, see /subprocessors.
| Processor | Purpose | Region | Scope |
|---|---|---|---|
| Anthropic · DPA | Large-language-model inference for AI agents, classifiers, and Orby in-product assistant. | US | content, metadata |
| Google Cloud Platform · DPA | Production compute (GKE), managed Postgres (Cloud SQL), object storage (GCS), Secret Manager, Cloud Build, and observability. | EU (europe-west1, Belgium) with cross-region replica in europe-west2 (London) | account, content, metadata, telemetry |
| Clerk · DPA | User authentication, session management, multi-factor authentication, and organization membership. | US | account, auth |
| Stripe · DPA | Payment processing, subscription billing, invoice generation, and tax computation. Cardholder data never traverses Orbit systems. | US / EU (multi-region) | billing |
| Telnyx · DPA | Inbound SMS and voice termination on DIDs purchased from Telnyx. Outbound (MT) traffic does NOT flow through Telnyx. | US / EU (multi-region) | inbound only |
| DIDWW · DPA | Inbound voice and SMS termination on DIDs purchased from DIDWW. Outbound (MT) traffic does NOT flow through DIDWW. | EU (Latvia) | inbound only |
| Twilio · DPA | One-shot import path only — used at customer request to migrate phone numbers and historical message data into Orbit. No live traffic. | US | metadata |
| Deepgram · DPA | Real-time speech-to-text transcription for voice agents and call recordings. | US | content |
| Cartesia | Low-latency text-to-speech synthesis for voice agents. | US | content |
| ElevenLabs · DPA | High-quality text-to-speech synthesis for voice agents (alternate provider). | US | content |
| LiveKit · DPA | WebRTC media plane for live voice agent sessions (SIP trunked from Jambonz). | EU / US (multi-region) | content, metadata |
| PostHog · DPA | Product analytics, session replay (opt-in), and feature-flag evaluation. PII-redaction enabled by default. | EU (Frankfurt) | telemetry |
| Sentry · DPA | Application error and performance monitoring. PII scrubbed before transmission. | US | telemetry |
| Resend · DPA | Outbound transactional and platform-managed marketing email delivery. Customers are billed at cost plus markup; no BYO SMTP. | US | content, metadata |
| Meta Platforms (WhatsApp Cloud API) · DPA | WhatsApp Business Cloud API for inbound and outbound WhatsApp messaging. Tenants connect their own WABA (BYO). | US / global | content, metadata |
| Qdrant Cloud · DPA | Vector database for retrieval-augmented generation (RAG) over agent knowledge bases. Chunk content encrypted at rest with AES-256-GCM (enc:v1 envelope). | EU (Frankfurt) | content |
SOC 2 control mappings
Below is the mapping of major Trust Services Criteria to Orbit controls. A formal SOC 2 Type II audit is in planning; this table reflects the controls as implemented in the platform today. "Implemented" = control is live in code or infrastructure; "documented, audit pending" = control is operational but awaiting independent attestation.
| Criterion | Description | Status |
|---|---|---|
| CC6.1 | Logical and physical access controls — Clerk SSO, MFA, per-tenant API keys with rotation. | implemented |
| CC6.2 | Encryption at rest — AES-256-GCM enc:v1 envelope on PII, OAuth tokens, webhook secrets, RAG chunks. | implemented |
| CC6.3 | Encryption in transit — TLS 1.2+ on every public endpoint and every internal hop. | implemented |
| CC6.6 | Vulnerability management — dependency CVE scanning, container image scanning, quarterly review. | implemented |
| CC7.1 | Detection and monitoring — Sentry error monitoring, PostHog product telemetry, GCP audit logs. | implemented |
| CC7.2 | Security event identification — automated alerting on auth anomalies, audit-log chain breaks, secret access. | documented, audit pending |
| CC7.3 | Incident response evaluation — runbooks for provider outages, data exposure, account takeover. | documented, audit pending |
| CC7.4 | Incident response actions — post-incident review with redacted RCA published within 10 business days. | documented, audit pending |
| CC8.1 | Change management — pull-request review, pre-submit gate, blue-green Cloud Build deploys. | implemented |
Documents
- Data Processing Agreement (DPA)
- Privacy Policy
- Terms of Service
- Service Level Agreement (SLA)
- Acceptable Use Policy
- Subprocessor list (standalone)
- Security overview
For a counter-signed DPA, security questionnaire response (CAIQ, SIG-Lite), penetration-test summary, or any other artifact, please email trust@devotel.io.