O
OrbisStack

Legal

Security Policy

Our approach to security, including access controls, data protection, and incident response.

Last updated: November 1, 2024

1. Security Philosophy

Security is built into everything we do at OrbisStack. We follow a defense-in-depth approach, implementing multiple layers of security controls to protect client systems and data. We do not treat security as an afterthought or a checkbox — it is a core engineering principle.

Our security practices are informed by industry standards including NIST Cybersecurity Framework, CIS Controls, and OWASP guidelines. We continuously review and improve our security posture.

2. Access Control

We follow the principle of least privilege. Engineers only have access to the systems and data they need to perform their work. Access is granted on a per-project basis and revoked when no longer needed.

All access to client systems is authenticated using multi-factor authentication (MFA). We use password managers for credential storage and never share credentials via email or chat.

Access to production systems is logged and monitored. We conduct regular access reviews to ensure only authorized personnel retain access.

3. Data Protection

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent. For client systems, we ensure encryption is enabled at the database, storage, and backup levels.

We do not store sensitive client data on local devices. All work is performed on managed workstations with disk encryption enabled. Client data resides in client-controlled infrastructure.

Backups are encrypted and tested regularly. An untested backup is not a backup — we verify restoration procedures on a scheduled basis.

4. Code Security

All code is reviewed before deployment. We use static analysis tools to detect security vulnerabilities in code. Dependencies are scanned for known vulnerabilities (CVEs) and updated promptly.

We follow secure coding practices including input validation, output encoding, parameterized queries, and proper session management. We use OWASP guidelines as our baseline for web application security.

Security testing, including penetration testing and vulnerability scanning, is conducted before major releases and on a regular schedule for maintained systems.

5. Infrastructure Security

Infrastructure is managed using Infrastructure as Code (Terraform) with security configurations version-controlled and reviewed. We use security groups and network ACLs to restrict access to only necessary ports and IPs.

All production environments are behind firewalls and use private networks where possible. Database access is restricted to application servers and bastion hosts with MFA.

We use Cloudflare for DDoS protection, WAF, and bot management on all client websites and applications.

6. Incident Response

We maintain an incident response plan that defines roles, responsibilities, and procedures for security incidents. Incidents are classified by severity and responded to according to defined SLAs.

In the event of a security incident affecting client systems, we will: immediately isolate affected systems, investigate the scope and impact, notify the client within 24 hours of discovery, and implement remediation measures.

Post-incident, we conduct a review to identify root causes and prevent recurrence. A written incident report is provided to the client.

7. Compliance

We have experience working with SOC 2 and PCI DSS compliance requirements. For clients in regulated industries, we implement the specific controls required by their compliance framework.

We do not store, process, or transmit payment card data directly. Payment processing is handled through PCI-DSS compliant providers such as Stripe.

For clients in regulated industries such as finance and legal, we implement compliance safeguards including encryption, audit logging, access controls, and data isolation.

8. Employee Security

All OrbisStack engineers undergo security training upon onboarding and annually thereafter. Training covers secure coding practices, social engineering awareness, and incident reporting procedures.

Background checks are conducted for all employees before they are granted access to client systems. Employees are bound by confidentiality agreements.

We use managed devices with endpoint protection, automatic security updates, and remote wipe capabilities.

9. Vulnerability Disclosure

If you believe you have found a security vulnerability in a system maintained by OrbisStack, please report it to our security team. We ask that you give us reasonable time to investigate and remediate before public disclosure.

Security reports can be sent to hello@orbisstack.com with the subject line "Security Report". We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

10. Contact

For security questions or concerns, contact us at hello@orbisstack.com.

Questions about this policy? Contact us at hello@orbisstack.com.