Enterprise-grade security.
Audited annually. Built for dealer trust.

Orbee's security architecture is built around the same expectations enterprise IT applies to any vendor handling customer data at scale. SOC 2 Type II, ISO certified, AWS-backed infrastructure, encryption in transit and at rest, role-based access controls, and MFA enforced for elevated roles.

AWS-backed, isolated, managed at the security-critical layers

Production environments separated at the account level from staging and development.

AWS-managed

IAM, KMS, encryption, audit logs.

Orbee leans on AWS managed services for the security-critical layers — IAM, KMS, encryption at rest, network isolation, audit logging.

  • Multi-region availability
  • Managed encryption
  • Centralized secrets management

Isolation

Production separated from non-prod.

Account-level boundaries between production and staging/dev. VPC configuration for private networking, with cross-VPC tunneling where required.

  • Account-level boundaries
  • VPC + private networking
  • Tenant data isolation

Encryption

TLS 1.2+ in transit. AES at rest.

Internal service-to-service traffic encrypted via mutual TLS where appropriate. Database encryption applies to ClickHouse, Postgres, and managed object stores.

  • TLS 1.2+ and mTLS
  • Hashed PII (SHA-256)
  • Server-side event collection

RBAC. MFA. SSO. Audit logs.

Granular role definitions, scoped to account, rooftop, or specific data classes — with full audit trails.

RBAC

Role-based access

Read-only, audience-builder, journey-manager, admin, and custom roles. Scoped to specific accounts, rooftops, or data classes.

MFA + SSO

MFA enforced for elevated roles

SAML/OIDC SSO support for customers who require centralized identity provider integration.

Audit

Every action logged

Administrative action, configuration change, audience build, data export — logged for the audit trail your security team needs.

Tested, monitored, and ready to respond

Annual third-party penetration testing, continuous vulnerability scanning, documented incident response.

Pen testing

Annual third-party penetration testing, with summaries available under NDA.

Annual

Vulnerability management

Continuous dependency scanning and infrastructure monitoring. Critical vulnerabilities remediated under SLA.

Continuous

Incident response

Documented plan covering detection, containment, customer notification, and post-incident review.

Runbook

Bug bounty

Coordinated disclosure for security researchers. Submit reports to security@orbee.com.

Disclosure

Built for dealer trust

Get the security documentation your IT team needs.

SOC 2 Type II report, penetration testing summaries, and architectural diagrams available under NDA.

SOC 2 Type II · ISO · AWS-backed · MFA enforced