Encryption at Rest
All data stored in PostgreSQL is encrypted at rest using AES-256. Database backups are also encrypted. Encryption keys are managed through Azure Key Vault and rotated regularly.
Encryption in Transit
All API and web traffic is encrypted with TLS 1.2+ (HTTPS). We enforce HSTS headers and maintain an A+ TLS rating. Internal service-to-service communication within the deployment is also encrypted.
Authentication
- Password Hashing: All passwords are hashed with BCrypt at cost factor 10, with automatic rehashing when the cost increases
- JWT Tokens: Short-lived access tokens (24h default) signed with a configurable secret. Refresh tokens implement rotation and automatic revocation
- Account Lockout: Accounts are locked for 30 minutes after 10 consecutive failed login attempts
- Multi-Factor: TOTP-based MFA support for all accounts
- SSO: OpenID Connect integration with Microsoft Entra ID, Google Workspace, and Okta
Authorization & RBAC
Orbio implements role-based access control with four tiers: Requester, Agent, Client Admin, and MSP User. Every API request is authenticated and authorized at the controller level. Data is isolated by tenant ID to prevent cross-tenant access.
Infrastructure Security
- Deployed in isolated Docker containers on Render's Frankfurt region
- Database hosted on Supabase with network-level isolation and IP restrictions
- Automated security scanning of dependencies via Dependabot
- Rate limiting (100 req/min/user when Redis enabled)
- CORS enforcement with explicit origin allow lists
- SQL injection protection via parameterized queries (EF Core)
- File upload validation: allowed types, extensions, and 10MB size limit
Audit Logging
Every security-relevant action is logged to an immutable audit trail: logins, logouts, password changes, role assignments, ticket state changes, and data exports. Audit logs are retained for a minimum of 12 months and are accessible to tenant admins and MSP super admins.
Compliance & POPIA
Orbio is designed for full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), South Africa's primary data protection law. Our compliance features include:
- POPIA Registered: Our platform supports organization-level POPIA registration status tracking
- Information Officer: Designate your Information Officer and Deputy Information Officer with contact details displayed on the PAIA Manual
- Lawful Basis Tracking: Every consent record captures the lawful basis for processing (consent, contractual necessity, legal obligation, legitimate interest)
- Data Subject Rights: Built-in DSAR (Data Subject Access Request) workflows for access, correction, deletion, portability, and objection
- Marketing Consent Center: Granular opt-in/opt-out management with full audit trail and one-click unsubscribe
- Breach Notification: Automated breach logging, severity classification, regulatory notification tracking, and remediation workflows
- Data Processing Register: Maintain a register of all processing activities including data categories, subjects, retention periods, and cross-border transfer safeguards
- Vendor / Sub-Processor Register: Track all third-party vendors with contract dates, data categories shared, and safeguards
- Staff Training Records: Track POPIA and data protection training for all staff members
- Data Retention: Configurable retention periods (default 7 years per POPIA prescription period) with automated purge workflows
- Cross-Border Transfers: Document transfer countries and safeguards for any data transferred outside South Africa
- Data Processing Agreements (DPAs) available on request
- Audit Trail: Every consent change, DSAR action, and breach update is logged to an immutable audit trail
- Privacy-by-design architecture with tenant-level data isolation
Vulnerability Disclosure
If you discover a security vulnerability in Orbio, please report it privately to security@orbio.io. We commit to acknowledging your report within 24 hours and providing a fix timeline within 72 hours. We participate in coordinated disclosure and welcome responsible security research.