Encryption at Rest

All data stored in PostgreSQL is encrypted at rest using AES-256. Database backups are also encrypted. Encryption keys are managed through Azure Key Vault and rotated regularly.

Encryption in Transit

All API and web traffic is encrypted with TLS 1.2+ (HTTPS). We enforce HSTS headers and maintain an A+ TLS rating. Internal service-to-service communication within the deployment is also encrypted.

Authentication

  • Password Hashing: All passwords are hashed with BCrypt at cost factor 10, with automatic rehashing when the cost increases
  • JWT Tokens: Short-lived access tokens (24h default) signed with a configurable secret. Refresh tokens implement rotation and automatic revocation
  • Account Lockout: Accounts are locked for 30 minutes after 10 consecutive failed login attempts
  • Multi-Factor: TOTP-based MFA support for all accounts
  • SSO: OpenID Connect integration with Microsoft Entra ID, Google Workspace, and Okta

Authorization & RBAC

Orbio implements role-based access control with four tiers: Requester, Agent, Client Admin, and MSP User. Every API request is authenticated and authorized at the controller level. Data is isolated by tenant ID to prevent cross-tenant access.

Infrastructure Security

  • Deployed in isolated Docker containers on Render's Frankfurt region
  • Database hosted on Supabase with network-level isolation and IP restrictions
  • Automated security scanning of dependencies via Dependabot
  • Rate limiting (100 req/min/user when Redis enabled)
  • CORS enforcement with explicit origin allow lists
  • SQL injection protection via parameterized queries (EF Core)
  • File upload validation: allowed types, extensions, and 10MB size limit

Audit Logging

Every security-relevant action is logged to an immutable audit trail: logins, logouts, password changes, role assignments, ticket state changes, and data exports. Audit logs are retained for a minimum of 12 months and are accessible to tenant admins and MSP super admins.

Compliance & POPIA

Orbio is designed for full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA), South Africa's primary data protection law. Our compliance features include:

  • POPIA Registered: Our platform supports organization-level POPIA registration status tracking
  • Information Officer: Designate your Information Officer and Deputy Information Officer with contact details displayed on the PAIA Manual
  • Lawful Basis Tracking: Every consent record captures the lawful basis for processing (consent, contractual necessity, legal obligation, legitimate interest)
  • Data Subject Rights: Built-in DSAR (Data Subject Access Request) workflows for access, correction, deletion, portability, and objection
  • Marketing Consent Center: Granular opt-in/opt-out management with full audit trail and one-click unsubscribe
  • Breach Notification: Automated breach logging, severity classification, regulatory notification tracking, and remediation workflows
  • Data Processing Register: Maintain a register of all processing activities including data categories, subjects, retention periods, and cross-border transfer safeguards
  • Vendor / Sub-Processor Register: Track all third-party vendors with contract dates, data categories shared, and safeguards
  • Staff Training Records: Track POPIA and data protection training for all staff members
  • Data Retention: Configurable retention periods (default 7 years per POPIA prescription period) with automated purge workflows
  • Cross-Border Transfers: Document transfer countries and safeguards for any data transferred outside South Africa
  • Data Processing Agreements (DPAs) available on request
  • Audit Trail: Every consent change, DSAR action, and breach update is logged to an immutable audit trail
  • Privacy-by-design architecture with tenant-level data isolation

Vulnerability Disclosure

If you discover a security vulnerability in Orbio, please report it privately to security@orbio.io. We commit to acknowledging your report within 24 hours and providing a fix timeline within 72 hours. We participate in coordinated disclosure and welcome responsible security research.