Compliance built in. Updated centrally. Inherited automatically.

SOC 2 Type II, CCPA, CPRA, GDPR, and the rapidly expanding set of state-specific privacy laws — all supported at the platform infrastructure layer. Your team builds audiences. Orbee enforces consent. Compliance happens automatically.

SOC 2, CCPA/CPRA, GDPR, and the growing patchwork of state laws

New states are added centrally; dealer accounts in affected jurisdictions inherit updates without per-rooftop reconfiguration.

SOC 2 Type II

Independently audited annually for security, availability, and confidentiality controls. Full report available under NDA.

Audited annually

CCPA / CPRA

Service provider under CCPA. Access, delete, opt-out-of-sale, and limit-use rights supported. GPC signals honored.

California

GDPR

Lawful basis, DSAR, deletion, portability, breach timelines, cross-border transfer protections (SCCs where required).

EU

State frameworks

VCDPA, CPA, CTDPA, UCPA, TDPSA — and the ongoing wave. Centrally configured, dealer-inherited.

Multi-state

Consent state per record — enforced at every step

Tag firing, audience building, send time, ad sync. Every layer respects the consumer's current consent state.

Tag firing

Strict opt-in where required.

Native tag manager respects consent state at every event. Strict opt-in jurisdictions get strict opt-in behavior automatically.

  • Per-jurisdiction rules
  • Consent gates on collection
  • GPC signal honored

Audience build

Opt-outs filtered at build time.

Audiences exclude opt-out flagged records. Sold customers, do-not-call entries, and sensitive-PI restrictions filter automatically.

  • Suppression at build
  • Sensitive-PI restrictions
  • DNC enforcement

Send + sync

Consent re-checked at send.

Email and SMS check consent at send time. Audience pushes to Google, Meta, TikTok respect consent at sync time.

  • Send-time enforcement
  • Push-time enforcement
  • Downstream propagation

Specific contractual restrictions on how we use your data

CCPA service-provider status carries obligations that we honor in writing and in architecture.

Process

Only on your behalf

We process customer data only on your behalf, only for purposes you've approved. We do not sell your customer data.

No retention

No outside-relationship use

We do not retain, use, or disclose customer data outside the direct business relationship.

Subprocessors

Disclosed publicly

We disclose subprocessors publicly and update the list before adding new ones. Service providers carry equivalent obligations.

Compliance built into the data layer

Audit-ready by default.

Full compliance documentation, subprocessor list, and SOC 2 report available on request.

SOC 2 Type II · CCPA · GDPR · State-specific · TCPA / 10DLC