Security

Last updated: April 22, 2026

Security is built into every layer of OrbitNest — from how admins sign in to how your project data is stored and replicated. This page describes the controls we rely on and the guarantees we make.

1. Overview

OrbitNest Studio follows industry-standard security practices aligned with SOC 2, ISO 27001, and the OWASP Top 10. We design the platform so that security is the default, not an optional upgrade.

2. Encryption

In transit

All traffic to studio.orbitnest.io, api.orbitnest.io, and project endpoints is served over TLS 1.2 or higher with modern cipher suites. HSTS is enabled on all studio-facing domains.

At rest

Project databases, object storage, and backups are encrypted at rest with AES-256. Disk-level encryption keys are managed by our infrastructure provider and rotated regularly. This layer protects data if the underlying storage media is lost, stolen, or decommissioned; it does not hide data from a caller the API has already authorised, so the access controls described below (per-project database roles, RLS policies, signed URLs) are what limit exposure at that level.

Secrets

Admin passwords are hashed with bcrypt (cost factor 10 or higher). Project JWT signing secrets, service-role keys, OAuth client secrets, and SMTP credentials are stored using envelope encryption: each value is encrypted under its own data key, and that data key is in turn encrypted under a master key held outside the database. Plaintext secret values are never logged.

3. Authentication

  • Email + OTP for passwordless sign-in: four- to six-digit codes that expire after 10 minutes, with per-address rate limits so that a short code cannot be guessed within its lifetime.
  • Passkeys (WebAuthn) for phishing-resistant sign-in bound to a device or hardware key.
  • OAuth (Google, GitHub) with signed, short-TTL state parameters and nonces consumed once to prevent CSRF and replay.
  • Short-lived JWTs with refresh-token rotation and per-session server-side invalidation.
  • Account protections: login rate limits, lockout after repeated failures, and mandatory email verification for new accounts.

4. Infrastructure and isolation

  • Each project runs in an isolated PostgreSQL instance or schema with its own roles, passwords, and RLS policies.
  • Production databases are deployed in private networks that are unreachable from the public internet; only the API tier can connect.
  • Edge functions execute in isolated sandboxes with per-project environment variables and no access to sibling projects.
  • Object-storage buckets default to private and require signed URLs unless explicitly marked public.

5. Application security

  • Input validation at the edge with parameterised SQL everywhere — no string concatenation, no dynamic table names from untrusted input.
  • Strict CORS allowlists per project and a platform-wide allowlist for Studio origins.
  • Content Security Policy, X-Frame-Options, and Referrer-Policy headers on all Studio responses.
  • Dependency scanning runs on every pull request; critical vulnerabilities block merges until resolved.
  • Automated tests cover authentication, authorisation, and data-access paths; integration tests run against real PostgreSQL instances rather than mocks.

6. Monitoring and auditing

Every auth event, administrative action, function invocation, and API key use is logged. Logs are retained for up to 12 months and exposed to the project owner in the Studio under Logs.

Platform-wide alerting covers error rates, latency, suspicious traffic patterns, failed-login spikes, and certificate expirations. Security-relevant incidents trigger on-call paging.

7. Backups and recovery

Project databases are backed up daily with a 30-day rolling retention. Point-in-time recovery (PITR) is available on Pro and Enterprise tiers. Backups are encrypted and stored in a separate region from the primary instance.

We regularly test restore procedures. Our target recovery-point objective (RPO) is 24 hours, matching the daily backup interval; projects with PITR enabled can be restored to a point between daily backups. Our recovery-time objective (RTO) is 4 hours for standard incidents.

8. Employee access

Production access is limited to a small on-call engineering team using short-lived credentials, mandatory MFA, and auditable access logs. Engineers do not routinely access customer content; any access is logged and reviewed. We follow the principle of least privilege and revoke access on role change or departure.

9. Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@orbitnest.io with a description, steps to reproduce, and any supporting material. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide a status update within 10 business days.
  • Work with you in good faith, credit you publicly (with your consent), and not pursue legal action for research conducted in line with this policy.

Please avoid accessing data that isn't yours, degrading service quality, or disclosing the issue publicly before a fix is deployed.

10. Contact security

For security questions, vulnerability reports, or to request our sub-processor list and compliance documentation: security@orbitnest.io. For general privacy questions see our Privacy Policy.
