Infrastructure and network security
Orb uses Amazon Web Services as its cloud infrastructure provider, and uses a virtual private cloud (VPC) for resource isolation. Orb does not store customer data on-site or on Orb machines, and inherits the secure design of AWS data centers. Amazon Web Services has extensive documentation on site security which can be found here; this includes continuous access logging, monitoring, and redundant availability practices.
Only authorized Orb employees have access to AWS Infrastructure at Orb through centrally configured IAM policies. Orb maintains an organization-wide role based access control list, and all permissions changes must be approved and audited.
Orb tracks changes to all infrastructure resources in its production environment via AWS Config, helping teams track the audit compliance of every resource and maintain standardized configuration. Orb retains audit logs of changes to its cloud environment, including permissions and infrastructure configuration changes. This audit log is regularly scanned for anomalies and is paired with reactive alarms to flag potential issues.
Machines in Orb’s infrastructure environment are managed centrally, allowing for vulnerability scans and proactive patch management. Orb makes heavy use of autoscaling and load balancing techniques, which ensures that machines can be rotated out of use as required without affecting service availability. In addition, Orb uses external application monitoring and host monitoring to continually assess the health of infrastructure hosts.
Orb employs separate isolated environments for local testing and production or beta clusters, and enforces that there is no production customer data in local development environments. Orb maintains a detailed network security diagram which can be provided upon request. In order to understand traffic flow in and out of VPC environment, Orb retains VPC flow logs.
Orb uses network protection solutions at multiple layers of its infrastructure stack:
- Cloudflare proxy: On select endpoints, Orb uses Cloudflare proxy to prevent denial of service attacks.
- AWS Web Application Firewall is used to protect externally available APIs, both from an availability and security standpoint. Orb employs standardly available rule sets, and opportunistically implements custom rules as required.
- AWS Security Groups and subnet configurations in concert ensure that only required connections are allowed to services. Orb performs regular audits of its Security group configuration, and ensures that changes to security group rules are tracked.
- AWS GuardDuty helps ensure that anomalous traffic patterns and behavior are detected and investigated as required. This helps Orb proactively monitor its network environment for suspicious traffic and potential threats to cloud resources.
Orb uses encryption at rest in order to protect customer data. Orb’s APIs and web application are offered over HTTPS using TLS, ensuring that data is encrypted in transit and users have a secure connection for sensitive data entry.
Orb uses an independent third-party security research firm to perform comprehensive penetration testing which includes reviewing development artifacts. Note that the engagement with the firm is governed under a standard NDA, and production customer data is not made available to the third-party firm. Our most recent report is available for review upon request, including a detailed and prioritized list of any findings.
Third party audit
As part of Orb’s SOC-2 Type II compliance program, Orb submits to a third party SOC-2 audit annually. This includes an audit of practices, policies, and procedures including vendor review, physical security, and data protection. Orb’s SOC-2 Report is available to customers upon request.
Orb hosts its application servers under a software as a service model, deploying changes continually to the web application and API.
Only authorized members on the engineering team have access to the Orb core application source code. The source code is hosted at GitHub, a SOC-2 compliant organization, under a private repository protected by multi factor authentication.
Every change to Orb’s codebase or security-sensitive modification to cloud infrastructure requires explicit approval and testing criteria. This approval is obtained in writing, and specific templates are in place to ensure that the format of each request is standardized. Orb maintains logs of every change to its application logic. The engineering team uses tools that proactively monitor the source code to uncover dependencies and libraries that need to be patched to address critical security vulnerabilities.
Orb employs security testing tools as part of its CI/CD pipeline to prevent the system from injection vulnerabilities and to verify that the code is safe to deploy. In addition, each incremental change to Orb’s codebase undergoes an extensive suite of unit and integration tests.
Orb maintains a list of subprocessors, and is responsible for ensuring that these subprocessors also follow security best practices to ensure that customer data is protected.
A full data processing addendum for Orb’s services is available on request by emailing email@example.com.
All production customer data within Orb’s infrastructure is encrypted at rest including S3 buckets for long-term storage, volumes attached to instances, and in production datastores. This encryption configuration is reviewed periodically across the stack by the engineering team, monitored continuously by compliance software, and also audited in penetration testing.
When Orb’s services are accessed through the public internet, data is encrypted in transit.
Data backups and retention
Orb backs up customer data using regular database snapshots with a 7-day retention period or long-term archival such as S3. These snapshots allow for point-time-recovery of the application.
On request, Orb is also able to delete customer data and provide evidence of deletion.
Corporate security practices
All employees at Orb undergo IT security training and annually review security policies as well as any updates in the interim. Orb has procedures in place to ensure that changes to its security posture or program are recorded and traceable. Orb’s corporate practices are designed to ensure that employees are best equipped to protect customer data and ensure the integrity of production systems:
Orb uses a centralized device management solution (MDM) to protect company hardware from breach and enforce best-practices such as password policies, encryption at rest, and firewall. Orb's MEM solution is installed on all company-issued hardware, and alarms are in place to detect non-compliance. Orb's security team has the ability to monitor the health of endpoints and remotely wipe them as necessary.
Vendor review process
Orb regularly reviews its list of in-use vendors and assesses their security posture, including obtaining compliance reports where appropriate. Vendors are assessed based on the risk they pose to Orb's system and which confidential data they have access to, if any. New vendors that have access to any customer data must go through an explicit documentation and approval process.
Access to internal data and vendors is clearly allocated by role, and determined only by the responsibilities of that role. Orb does not provide adhoc, unaudited permissions within its environment. Orb requires that employees use SSO or MFA to login to all company resources when available, and otherwise follows a standardized set of password requirements. All requests and changes to access are clearly documented.
Background checks and training
During the onboarding process, Orb conducts background checks for new hires, including identity verification and criminal records check. In addition, new employees receive security training that reinforces compliance procedures and understanding of security policies. Depending on their role within the organization, this may include role-specific training (e.g. engineering best practices) and an onboarding on company values.
Orb maintains a detailed incident response team and plan, as well as regular tabletop exercises that simulate risk scenarios for the business. These risk scenarios include natural disaster events, data loss of corruption, and risk posted by internal bad actors. On the engineering team, Orb regularly performs retrospectives on incidents to understand how systems response can be more efficient.
We encourage responsible disclosure of any concerns with Orb products; please contact firstname.lastname@example.org with any pertinent details. We take security issues extremely seriously and commit to providing a rigorous assessment of the issues and regular updates until the issues are verified and fixed.