Security

How we secure Orbit Intelligence.

We're honest about where we are: a small team building on well-known managed services. We use the security primitives our platforms provide, harden what we expose, and don't make claims we haven't earned.

What we do

Identity

Managed auth with email verification

Email and password, magic link, and SSO. Sessions are JWTs carried in httpOnly cookies and refreshed by server-side middleware. Email verification is required before any paid checkout.

Authorization

Row-level access controls

User-owned data (watchlists, alerts, notifications, profiles) is restricted to the owning user at the database. Shared datasets are read-only to authenticated users; premium depth is gated server-side, never on the client.

Secrets

Server-only credentials

Database, payments, AI, and data-provider credentials never reach the browser. Ingestion endpoints require a bearer token; payment webhooks are signature-verified.

Transport

HTTPS everywhere, no third-party trackers

All traffic is TLS. We use first-party analytics only — no third-party advertising scripts, no session replay, no cookies beyond what authentication needs.

Payments

Externally hosted checkout

Card details never touch our infrastructure. Our system sees only a customer reference and subscription state; upgrades, downgrades, payment methods, and cancellation are handled by the payment processor's portal.

Observability

Errors and access are logged

Application errors are captured by managed monitoring. An internal audit log records administrative actions (data corrections, review-queue approvals, role changes) with actor, target, and timestamp.

Data handling

  • Customer personal data (email, name, billing reference) is stored in a managed Postgres database with at-rest encryption and row-level access controls.
  • We do not include customer personal data in prompts sent to AI providers.
  • Email contents (briefings, alerts) are delivered through our transactional email provider and retained per its default policy.
  • Account deletion is supported on request and removes the profile, watchlists, alerts, and notification history.
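To make the row-level controls described under Authorization and Data handling concrete, here is an added Postgres example written for this page; it is not Orbit Intelligence's own schema. The table and column names, the app.user_id session setting and the current_user_id() helper are assumptions: the application is assumed to set app.user_id from the verified session before running queries as a non-superuser role.

```sql
-- Added example, not Orbit Intelligence's own schema.
-- Assumption: the API sets app.user_id from the verified session
-- (e.g. SET LOCAL app.user_id = '<uuid>') before each request's queries,
-- and runs them as a non-superuser application role.

-- Helper: the current user's id, or NULL when no session is set.
-- nullif() covers both "never set" (NULL) and "reset to empty" ('').
create or replace function current_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- Illustrative tables: user-owned rows and a shared dataset.
create table watchlists (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  name     text not null
);

create table shared_datasets (
  id         uuid primary key default gen_random_uuid(),
  name       text not null,
  is_premium boolean not null default false
);

-- ENABLE turns on default-deny; FORCE means the table owner is not exempt.
-- (Superusers always bypass RLS, so the API role must not be one.)
alter table watchlists      enable row level security;
alter table watchlists      force  row level security;
alter table shared_datasets enable row level security;
alter table shared_datasets force  row level security;

-- User-owned data: USING filters what the owner can see/update/delete,
-- WITH CHECK rejects inserts or updates that would assign another owner.
create policy watchlists_owner on watchlists
  for all
  using      (owner_id = current_user_id())
  with check (owner_id = current_user_id());

-- Shared data: any authenticated user may read. No INSERT/UPDATE/DELETE
-- policy exists, so writes are denied by default (INSERT raises an RLS
-- error; UPDATE/DELETE simply match zero rows).
create policy shared_datasets_read on shared_datasets
  for select
  using (current_user_id() is not null);

-- Premium depth is deliberately NOT expressed in the policy: the server
-- checks subscription state before deciding which columns/rows to return,
-- so the client never receives gated data to hide.

-- Smoke test as the application role, inside one transaction:
--   set local app.user_id = '<user A uuid>';
--   select * from watchlists;                       -- only A's rows
--   insert into watchlists (owner_id, name)
--     values ('<user B uuid>', 'x');                -- rejected by WITH CHECK
--   update shared_datasets set name = 'x';          -- 0 rows: no update policy
--   reset app.user_id;
--   select * from shared_datasets;                  -- 0 rows: unauthenticated
```

The policy only ever consults a session setting that the server controls, so a bug in an API handler that forgets a WHERE clause still cannot leak another user's rows; the unauthenticated case in the smoke test is the one worth re-running after any change to how app.user_id is set.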

Sub-processors

The current list of vendors that process customer data is published in our privacy policy. Material changes are notified in advance for plans covered by a DPA.

Responsible disclosure

Found something? We want to know.

Email security@orbitintelligence.com with reproduction steps and any impact assessment. We acknowledge within 24 hours and won't pursue legal action against good-faith research that avoids data exfiltration, service disruption, or third-party harm.

Updated as the product evolves. For a point-in-time security review, contact us — we'll share our current questionnaire response.