Security
Last updated: March 12, 2026
1. Our Commitment
Orbyt handles sensitive household data — finances, schedules, and personal contacts. We treat security as a core product requirement, not an afterthought. This page describes the measures we take to protect your data.
2. Infrastructure
- Hosting: Orbyt is hosted on Vercel with automatic TLS certificates and global edge distribution.
- Database: All data is stored in Supabase (managed PostgreSQL) with encrypted connections and automated backups.
- Authentication: Handled by Supabase Auth with support for email/password, Google OAuth, and Microsoft OAuth. Passwords are hashed using bcrypt. OAuth tokens are encrypted at rest.
3. Encryption
- In transit: All traffic is encrypted via TLS 1.2+ with HSTS enforced across all endpoints.
- At rest: Sensitive credentials (OAuth tokens, Plaid access tokens) are encrypted using AES-256-GCM before storage.
- Database: Supabase provides encryption at rest for all stored data.
4. Data Isolation
Orbyt uses Row-Level Security (RLS) policies at the database level to enforce strict data isolation between households. Every query is scoped to the authenticated user's household — there is no application-level bypass.
5. API Security
- All API inputs are validated and sanitized using Zod schema validation via tRPC.
- Content Security Policy (CSP), X-Frame-Options, and other security headers are enforced on all pages.
- Rate limiting is applied to authentication endpoints.
6. Third-Party Integrations
- Plaid: Bank credentials are never transmitted to or stored by Orbyt. Plaid handles all bank authentication directly. We receive only account metadata and transaction data, via a secure API.
- Google & Microsoft: Calendar integrations use OAuth 2.0 with minimal scopes (read/write calendar events only). Tokens are encrypted at rest and can be revoked at any time from Settings.
7. Access Controls
Household members can only access data belonging to their household. There is no cross-household data access. Administrative operations (inviting members, managing integrations) are scoped to household owners.
8. Monitoring & Incident Response
- Application errors are monitored via Sentry with automated alerting.
- Infrastructure is monitored for uptime and performance anomalies.
- In the event of a security incident, affected users will be notified within 72 hours with details and remediation steps.
9. Data Deletion
You can disconnect any third-party integration at any time from Settings. Upon account deletion, all personal data and household data you own is permanently removed from our systems. For data deletion requests, contact us at the email below.
10. Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly. Contact us at:
Please include a description of the vulnerability, steps to reproduce, and any relevant evidence. We aim to acknowledge reports within 48 hours.