Security
Security at Orbitable
We take the security of your data and GTM intelligence seriously. Here's what we do to protect it.
🔒 Data Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Database-level encryption on all tenant data
- Secure HMAC-SHA256 signed session tokens
🏗️ Tenant Isolation
- Isolated database schemas per tenant — no cross-tenant data access
- Per-tenant workspace directories with filesystem isolation
- Separate API key storage per customer world
- Rate limiting enforced per tenant per billing period
🔑 Authentication
- OIDC/PKCE flow with industry-standard providers
- JWT sessions with HMAC-SHA256 signing (7-day expiry)
- httpOnly, Secure, SameSite cookies — no client-side token access
- CSRF protection with HMAC-signed state parameters on OAuth flows
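The four Authentication bullets describe one coherent design: an HS256 JWT session bound to a tenant, delivered in an HttpOnly/Secure/SameSite cookie, plus an HMAC-signed OAuth `state` value. The block below is an added example of that design, not Orbitable's own code. It assumes a 32-byte server secret, a Lax SameSite cookie, and that the OAuth state is bound to a random nonce kept in a short-lived HttpOnly cookie on the browser that started the flow (the page only says the state is HMAC-signed; the browser binding is an assumption, added because a signed-but-unbound state can be minted by anyone who starts a login and so does not stop login CSRF on its own).

```python
"""HS256 session JWT, hardened cookie, and browser-bound OAuth state.

Added example, not Orbitable's code. Assumed: 32-byte server secret,
SameSite=Lax session cookie, and a pre-auth nonce cookie for OAuth state.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 7 * 24 * 3600   # 7-day session expiry, as stated on the page
STATE_TTL_SECONDS = 10 * 60           # assumed: an OAuth round trip completes within minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(message: str, secret: bytes) -> bytes:
    return hmac.new(secret, message.encode("utf-8"), hashlib.sha256).digest()


def issue_session_token(subject: str, tenant: str, secret: bytes, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying the user and the single tenant it may access."""
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(
        {"sub": subject, "tenant": tenant, "iat": now, "exp": now + SESSION_TTL_SECONDS},
        separators=(",", ":"),
    )
    signing_input = _b64url(header.encode()) + "." + _b64url(payload.encode())
    return signing_input + "." + _b64url(_sign(signing_input, secret))


def verify_session_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if alg, signature and expiry all check out, else None.

    The algorithm is pinned to HS256 before the signature is compared, so a
    header claiming "none" or an asymmetric alg is rejected outright.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = _sign(f"{header_b64}.{payload_b64}", secret)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def session_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from the token, Secure keeps it
    off plain HTTP, SameSite=Lax keeps cross-site POSTs from carrying it."""
    return (f"session={token}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "HttpOnly; Secure; SameSite=Lax")


def new_browser_nonce() -> str:
    """Random value to store in a short-lived HttpOnly cookie before redirecting to the IdP."""
    return secrets.token_urlsafe(16)


def make_oauth_state(secret: bytes, browser_nonce: str, now: Optional[int] = None) -> str:
    """OAuth `state`: issue time plus an HMAC over the issue time and the browser nonce."""
    now = int(time.time()) if now is None else now
    tag = _b64url(_sign(f"{now}.{browser_nonce}", secret))
    return f"{now}.{tag}"


def verify_oauth_state(state: str, secret: bytes, browser_nonce: str,
                       now: Optional[int] = None) -> bool:
    """Accept the callback only if the state is ours, for this browser, and recent."""
    now = int(time.time()) if now is None else now
    try:
        issued_text, sig_b64 = state.split(".")
        issued = int(issued_text)
        expected = _sign(f"{issued}.{browser_nonce}", secret)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
    except ValueError:
        return False
    return 0 <= now - issued <= STATE_TTL_SECONDS
```

On the callback, the server reads the nonce from the pre-auth cookie and passes it to `verify_oauth_state`; a `state` minted in a different browser fails the HMAC check even though it was signed with the same secret. The session verifier checks `alg` before the signature and uses `hmac.compare_digest`, which are the two details most often missed in hand-rolled JWT handling.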
🤖 AI Data Handling
- Your data is never used to train AI models
- Conversations are processed by Anthropic Claude under their API terms which prohibit using API inputs/outputs for model training
- AI outputs are stored in your isolated workspace — not shared or aggregated
- No third-party model providers receive your data without explicit integration consent
☁️ Infrastructure
- Deployed on managed cloud infrastructure with automated scaling
- Neon Postgres with automated daily backups and point-in-time recovery
- Stripe PCI-DSS compliant billing — we never see or store card numbers
- All third-party integrations (Apollo, LinkedIn, Resend) use OAuth or API key auth
📋 Compliance Roadmap (Planned)
- GDPR — Data Processing Agreement (DPA) available on request
- SOC 2 Type II — on our roadmap, not yet achieved
- ISO 27001 — on our roadmap, not yet achieved
- Sub-processors: Anthropic (AI processing), Stripe (billing), Neon (database), Replit (hosting), Resend (email), Apollo.io (contact enrichment), LinkedIn (OAuth publishing)
Have security questions?