Orbit takes security, privacy, and accessibility seriously. Membership organizations trust us with their members' data, and we've built the platform with strong security practices, privacy-by-design principles, and a commitment to accessibility.
This page provides a high-level overview. For full details, see our dedicated compliance documents linked below.
Security
Orbit is built on a secure, modern infrastructure with multiple layers of protection:
- Tenant isolation — each organization's data lives in its own PostgreSQL schema (schema-based multi-tenancy), and every query is scoped to the requesting organization's schema. One organization's data is logically isolated from, and never accessible to, another.
- Encryption in transit — all data is encrypted using TLS 1.2+ (HTTPS) with HSTS enforcement.
- Encryption at rest — all databases and file storage use AES-256 encryption. Sensitive integration tokens are individually encrypted at the application level.
- PCI DSS compliance — all payment processing is handled by Stripe (PCI DSS Level 1 certified). Card details never touch our servers.
- SOC 2 aligned controls — we've implemented controls aligned with SOC 2 Security Trust Service Criteria, covering access control, change management, system operations, and data protection.
- Infrastructure — hosted on managed cloud infrastructure (Heroku/AWS) with CDN, DDoS protection, and Web Application Firewall via Cloudflare.
- Access control — production access is restricted to authorized personnel on a need-to-know basis with periodic access reviews.
- Code review — all changes go through pull request review before merging to production.
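As an added illustration of what the schema-based multi-tenancy above looks like in PostgreSQL, together with the hardening check a practitioner would want: this is example SQL, not Orbit's own schema or code, and every schema, table, role and password name in it is invented.

```sql
-- Illustrative schema-per-tenant layout (invented names, not Orbit's schema).
CREATE SCHEMA tenant_acme;
CREATE SCHEMA tenant_globex;

CREATE TABLE tenant_acme.members   (id serial PRIMARY KEY, email text NOT NULL);
CREATE TABLE tenant_globex.members (id serial PRIMARY KEY, email text NOT NULL);

INSERT INTO tenant_acme.members   (email) VALUES ('alice@example.org');
INSERT INTO tenant_globex.members (email) VALUES ('bob@example.org');

-- The application scopes a request to one tenant by setting search_path
-- on its connection (or, with a pool, SET LOCAL inside the transaction),
-- so unqualified table names resolve only inside that tenant's schema.
SET search_path TO tenant_acme;
SELECT email FROM members;                 -- alice@example.org only

-- search_path is a convention the application must get right on every
-- connection. Defence in depth (an assumption here, not something the
-- page states Orbit does): one database role per tenant with USAGE on its
-- own schema only, so a mis-set search_path or a schema-qualified query
-- from a buggy code path is refused by PostgreSQL itself.
CREATE ROLE app_acme LOGIN PASSWORD 'example-only';
GRANT USAGE ON SCHEMA tenant_acme TO app_acme;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA tenant_acme TO app_acme;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA tenant_acme TO app_acme;
-- Deliberately no grant of any kind on tenant_globex for app_acme.

-- Check the boundary from the tenant role (run as a superuser or a member
-- of app_acme so that SET ROLE is permitted).
SET ROLE app_acme;
SELECT email FROM tenant_acme.members;     -- alice@example.org
SELECT email FROM tenant_globex.members;   -- ERROR: permission denied for schema tenant_globex
RESET ROLE;
```

Two caveats follow from this layout. Connection pools reuse sessions, so a `SET search_path` that is not reset when a connection is returned to the pool leaks the previous tenant's scope into the next request; `SET LOCAL` inside a transaction, or an explicit reset on check-in, avoids that. And schema names cannot be bound as query parameters, so the value that becomes part of `SET search_path` must come from a server-side lookup of the authenticated tenant, never from request input.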
For complete details, see our Security Practices.
GDPR Compliance
Orbit is designed for GDPR compliance, with privacy built into the platform from the ground up:
- Data processor role — we act as a data processor on behalf of organizations (data controllers) and provide a Data Processing Agreement (DPA) to all customers.
- Data subject rights — self-service tools for users to access, update, export, and delete their personal data.
- Privacy-first analytics — built-in analytics use server-side tracking with no client-side scripts. IP addresses are used only to derive a country code and are immediately discarded.
- Essential cookies only — the platform uses only essential cookies (session and CSRF tokens) by default, with no third-party tracking cookies.
- Sub-processor transparency — we maintain a list of sub-processors and provide 30 days' advance notice before adding new ones.
- Data portability — data can be exported in structured, machine-readable formats.
- Right to erasure — users can delete their accounts through self-service, with personal data permanently removed.
- CCPA and PIPEDA aligned — we also align with California and Canadian federal privacy requirements.
For complete details, see our GDPR Compliance documentation.
Accessibility (WCAG)
Orbit is committed to accessibility for all users, including people with disabilities. We are working toward conformance with WCAG 2.1 Level AA:
- Semantic HTML — the platform uses semantic HTML5 elements and ARIA attributes for assistive technology support.
- Keyboard navigation — all interactive elements are reachable and operable via keyboard, with visible focus indicators and keyboard shortcuts.
- Responsive design — fully responsive with support for content reflow at all viewport sizes, including 320px width. Text can be resized up to 200% without loss of content.
- Form accessibility — inline validation errors with descriptive messages.
- No flashing content — the platform contains no content that flashes more than three times per second.
- Accessible dialogs and notifications — modals use role="dialog" and notifications use role="alert" for screen reader support.
WCAG 2.1 Level AA is the conformance level referenced by, or commonly used to demonstrate compliance with, Section 508 (US), the ADA (US), the European Accessibility Act (through EN 301 549), and AODA (Canada).
We are actively working on further improvements including skip navigation, enhanced ARIA support for dynamic content, and a formal color contrast audit. Organizations are responsible for ensuring the accessibility of their own content (image alt text, color contrast in custom themes, video captions).
For complete details, see our WCAG Compliance documentation.
Contact
- Security inquiries: security@orbitams.com
- Privacy and GDPR: privacy@orbitams.com
- Accessibility feedback: accessibility@orbitams.com