Security
How we protect your data
Our Security Commitment
At OrbitalMCP, security is foundational to everything we build. We understand that you're trusting us with your data, and we take that responsibility seriously. This document outlines the security measures we employ to protect your information.
Infrastructure Security
Encryption in Transit
All connections to OrbitalMCP are encrypted using TLS 1.3. We enforce HTTPS for all API endpoints and web interfaces.
Encryption at Rest
All data stored in our databases is encrypted with AES-256. This includes your documents, embeddings, and metadata.
Secure Infrastructure
Our servers are hosted in secure data centers with 24/7 physical security, biometric access controls, and redundant power systems.
Data Isolation
We implement strict multi-tenant data isolation at the database level:
- Each organization has a unique identifier that is enforced on every database query
- API keys are scoped to specific organizations and cannot access other tenants' data
- Database queries are parameterized to prevent SQL injection attacks
- Row-level security policies ensure data cannot leak between tenants
Authentication & Access Control
API Key Security
- API keys are generated using cryptographically secure random number generators
- Keys are hashed using SHA-256 before storage - we never store plaintext keys
- Each key can have granular read/write permissions
- Keys can be revoked instantly from the dashboard
Password Security
- Passwords are hashed using bcrypt with a cost factor of 12
- We enforce minimum password complexity requirements
- Failed login attempts are rate-limited to prevent brute force attacks
Network Security
- Firewall rules restrict access to only necessary ports and services
- DDoS protection is enabled at the infrastructure level
- Regular vulnerability scanning and penetration testing
- Intrusion detection systems monitor for suspicious activity
Backup & Recovery
- Automated daily backups with 30-day retention
- Point-in-time recovery capability
- Backups are encrypted and stored in geographically separate locations
- Regular backup restoration testing
Audit Logging
We maintain comprehensive audit logs of all API access and administrative actions. These logs include timestamps, IP addresses, and action details, and are retained for compliance and security analysis purposes.
Incident Response
In the event of a security incident, we follow a structured response process:
- Immediate containment and assessment
- Investigation and root cause analysis
- Customer notification within 72 hours if data is affected
- Remediation and implementation of preventive measures
- Post-incident review and documentation
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please email security@orbitalmcp.com. We commit to acknowledging reports within 48 hours and working with you to address valid findings.
Questions?
If you have questions about our security practices or would like to request additional information, please contact our security team at security@orbitalmcp.com.