Trust centre

The security posture behind the security platform.

Our customers hand us their attack surface. We treat that responsibility the way we'd want our own to be treated. This page documents how.

Encrypted in transit and at rest

All scan traffic uses TLS 1.3. Findings, evidence, and customer data are encrypted at rest with AES-256. Database backups run on a daily, weekly, and monthly schedule; each backup is encrypted with a separate key.

No target credentials collected

Current assessments are unauthenticated (black-box): CyberOrbit does not ask for, transmit, or store your target application's login credentials. Authenticated scanning is on the roadmap; when built, credentials will be handled via single-use in-memory handoff and never written to logs or persistent storage.

Tenant data isolation

Assessment jobs are processed sequentially with no cross-tenant data access path. Every finding and report is scoped to your organisation: no other customer or CyberOrbit staff can query your data. Findings carry a per-request SHA-256 proof hash so evidence integrity is independently verifiable.

Audit-grade logging

Every scanner action, every API call, every finding mutation is logged with actor, timestamp, target, and a SHA-256 proof hash. Logs are retained for the life of the engagement and provided to you on request.

Vulnerability management

We scan our own infrastructure with the same engine we sell. Critical findings on CyberOrbit infrastructure are remediated within 24 hours; high within 72 hours. We don't ship to production with a known critical.

Responsible disclosure

Found a security issue in CyberOrbit itself? Use the disclosure form below. We triage within one business day, fix it, and credit you in release notes. We don't pursue legal action against good-faith research.

Sub-processors

The full list of who touches your data.

We change this list before we change vendors, not after. Updates are announced via email to billing contacts at least 30 days before they take effect.

Provider               Purpose                                   Region
Railway                Application hosting & infrastructure      US West · US East · EU West · Southeast Asia
Anthropic (Claude)     AI-generated finding narratives           United States
OpenAI                 AI-generated remediation guidance         United States
Groq                   Open-source model inference (validation)  United States
PostgreSQL (managed)   Customer data, findings, assessments      US West · US East · EU West · Southeast Asia
Redis (managed)        Job queue, ephemeral state                US West · US East · EU West · Southeast Asia
Stripe                 Payment processing                        United States
PostHog                Anonymised product analytics              European Union
Google (Gmail API)     Transactional email                       United States

Security FAQ

Questions from customers. Answered honestly.

Items marked Roadmap reflect our honest current state and what's coming next.

Do you require written authorization before running scans?

Yes. Every user must confirm they are authorised to test the target domain before a scan can be created. This confirmation is captured client-side in the assessment wizard today. We are rolling out server-side enforcement for all tiers so the confirmation is cryptographically logged against the assessment record, not just a checkbox on screen.

What happens if someone scans a target they don't own?

CyberOrbit blocks all private and internal IP ranges at the infrastructure level: scans cannot be directed at your own internal network or cloud metadata endpoints. For external targets, the platform relies on the authorisation confirmation above. Any misuse violates our Terms of Service and we will terminate the account. We log the target URL, timestamp, and acting user ID for every assessment started.

How is scan data handled and protected?

All traffic between your browser, our API, and our scan workers uses TLS 1.3. Findings, evidence, and all customer data are encrypted at rest with AES-256. Database backups run on a daily, weekly, and monthly schedule; each backup is encrypted with a separate key. Scan workers operate in isolated job processes: your findings never share memory with another customer's assessment.

How long do you retain findings and reports?

Findings and reports are retained for the life of your subscription. On account closure, data is deleted within 30 days. You can export your full report (PDF + JSON) at any time from the dashboard. If you need earlier deletion, contact us via the legal form on our Privacy page.

Do you collect or store my application's login credentials for authenticated scanning? (Roadmap)

Not today. Current assessments are unauthenticated (black-box): CyberOrbit does not ask for, transmit, or store your target application's username, password, or session tokens. Authenticated (white-box) scanning is on our roadmap. When built, credentials will be handled via single-use, in-memory handoff and will never be written to logs or persistent storage.

Who can see my findings and reports?

Findings are scoped to your organisation. No other customer, no third party, and no CyberOrbit staff member can query your findings via the product. Our internal staff access policy requires a support ticket and explicit customer consent before any engineer can inspect customer data. MSP accounts have a separate visibility boundary: MSP admins see their clients' attributions, not raw findings.

Are scans isolated between customers? (Roadmap)

Assessment jobs are queued and processed sequentially: one job runs at a time per worker. Your job does not share execution context with another customer's assessment. Finding data is strictly org-scoped at the database layer with RBAC enforced on every API endpoint. We do not use a separate container per assessment today; full container-level isolation is on the infrastructure roadmap.

Can I limit what gets scanned (define a scope)? (Roadmap)

Today, scans are directed at the single target URL you specify. The platform blocks private IP ranges, cloud metadata endpoints, and loopback addresses at assessment creation. A formal per-assessment scope allowlist (approved hostname/CIDR list with hard enforcement) is on the roadmap, especially relevant for MSP engagements.
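The target checks described in this answer and in "What happens if someone scans a target they don't own?" above (private and internal IP ranges, cloud metadata endpoints, and loopback addresses rejected at assessment creation) can be implemented as a pre-flight validator. The Python below is an added example written for this page, not CyberOrbit's own code; the deny-listed hostnames, the extra CGNAT range, the constructed IP addresses and the injectable resolver are assumptions. It goes slightly beyond the text in two ways: a hostname is refused if any of its resolved addresses is disallowed, and the decision returns the addresses that were checked so the scan worker can connect to exactly those rather than resolving the name again (the gap between a check at creation time and the scan itself is what DNS rebinding exploits).

```python
"""Pre-flight target validator for a scanner (constructed example, not CyberOrbit's code)."""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable
from urllib.parse import urlsplit

# ipaddress.is_private / is_loopback / is_link_local cover RFC 1918, 127/8,
# 169.254/16 (which includes 169.254.169.254, the common cloud metadata address),
# ::1, fc00::/7 and fe80::/10. Shared address space (RFC 6598) is not flagged by
# those properties, so it is listed explicitly. Assumed policy, not the page's list.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

# Names refused before any resolution is attempted (assumed policy).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer the OS returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


@dataclass
class TargetDecision:
    allowed: bool
    reason: str
    # Addresses the check was made against; the worker should connect to these.
    pinned_addresses: list[str] = field(default_factory=list)


def _is_disallowed_address(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for any address a scanner must never be pointed at."""
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return True
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return True
    return any(addr in net for net in EXTRA_BLOCKED)


def validate_target(url: str, resolver: Resolver = system_resolver) -> TargetDecision:
    """Decide whether url may be used as a scan target.

    Checks the scheme, a hostname deny list, IP literals (IPv4 and bracketed IPv6),
    and, for hostnames, every address the resolver returns.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return TargetDecision(False, f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").rstrip(".")  # lower-cased; brackets already stripped
    if not host:
        return TargetDecision(False, "no host in URL")
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return TargetDecision(False, f"hostname {host!r} is on the deny list")

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if _is_disallowed_address(literal):
            return TargetDecision(False, f"address {host} is in a blocked range")
        return TargetDecision(True, "ok", [host])

    try:
        answers = list(resolver(host))
    except OSError as exc:
        return TargetDecision(False, f"could not resolve {host!r}: {exc}")
    if not answers:
        return TargetDecision(False, f"{host!r} resolved to no addresses")
    # Refuse the whole target if any answer is internal: a name that maps to both a
    # public and a private address must not be scannable.
    for answer in answers:
        if _is_disallowed_address(ipaddress.ip_address(answer)):
            return TargetDecision(False, f"{host!r} resolves to blocked address {answer}")
    return TargetDecision(True, "ok", answers)


if __name__ == "__main__":
    # Constructed inputs; the public address is an illustrative value only.
    fake_dns = lambda h: ["93.184.216.34"]
    for candidate in ("https://example.com/", "http://169.254.169.254/latest/meta-data/",
                      "http://[::1]/", "http://100.64.1.1/"):
        print(candidate, validate_target(candidate, resolver=fake_dns))
```

The validator resolves once and hands the resolved addresses back in `pinned_addresses`; a worker that resolves the hostname a second time at scan start would reopen the window the check is meant to close. Where no resolver is injected, `system_resolver` asks the OS, so the literal-address and deny-list paths are the only ones that run offline.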

Who are your sub-processors and where is my data held?

The full list is published in the Sub-processors section of this page and updated before any vendor change takes effect. Core customer data (findings, assessments) is hosted on managed PostgreSQL with one replica per region across US West, US East, EU West, and Southeast Asia. Scan worker infrastructure runs on Railway in the same four regions. Payment processing is handled by Stripe.

As an MSP, can I control which client environments are tested? (Roadmap)

MSP admins have a dedicated dashboard showing all assessments attributed to each client, with the ability to view and manage them centrally. Today, any user with access can initiate a scan directly. A pre-scan approval gate, where an MSP admin must approve a scan request before it runs, is on our roadmap.

How is my clients' data kept separate from other clients?

Every assessment, finding, and report is tagged with an organisation ID. All API endpoints enforce org-scoped RBAC: a user in Organisation A cannot read, modify, or delete data belonging to Organisation B under any circumstances. MSP admins can see attribution metadata for their own clients only.

Is CyberOrbit GDPR compliant?

Yes. CyberOrbit is GDPR compliant. We process personal data only as necessary to deliver the service, maintain a sub-processor list (published on this page), provide a Data Processing Agreement on request, and support data subject rights including access, rectification, and erasure. Our Privacy Policy details what data we collect, why, and how long we retain it. If you need a DPA before starting a trial, contact us via the Privacy page form.

What compliance frameworks does CyberOrbit itself comply with? (Roadmap)

We are a pre-certification company. We do not currently hold SOC 2, ISO 27001, or equivalent certifications. We apply the same security practices we recommend to customers: encrypted data at rest and in transit, principle of least privilege, dependency scanning, and vulnerability remediation SLAs. SOC 2 Type I is on our near-term roadmap as we scale toward enterprise contracts.

Can you provide a Data Processing Agreement (DPA) or NDA?

Yes. We will execute a mutual NDA and a DPA before any trial or paid engagement that requires one. Contact us via the legal form on our Privacy page and we will turn them around within two business days.

Found something? Tell us.

Security research on CyberOrbit is welcome and rewarded with credit in release notes. Triage within one business day. We don't pursue legal action against good-faith research.
