ENTERPRISE SECURITY

Security is our first priority

Enterprise-grade security built into every layer of the Orbas platform. SOC 2 certified, GDPR compliant, and penetration tested by CREST-accredited firms.

Certifications & Compliance

Independently verified and externally audited

SOC 2 Type II

Annual third-party audit by accredited auditors

Certified

ISO 27001

Information security management system certification

Certified

GDPR Compliant

Full EU General Data Protection Regulation compliance

Compliant

Cyber Essentials

UK Government-backed cybersecurity certification

Certified

Security Architecture

Multiple layers of protection at every level

End-to-End Encryption

All data encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption keys are rotated regularly.

AES-256 at rest · TLS 1.3 in transit

Multi-Factor Authentication

TOTP and hardware key support for all user accounts. Admins can enforce MFA across their workspace.

TOTP · WebAuthn · SMS

Infrastructure Security

Hosted on AWS with dedicated VPCs, private subnets, WAF, and DDoS protection. Zero-trust network architecture.

AWS · Private VPC · WAF · DDoS protection

Penetration Testing

Annual CREST-accredited penetration tests plus continuous automated vulnerability scanning.

Annual CREST pen test · Continuous scanning

Backup & Recovery

Automated daily backups with point-in-time recovery to 5-minute granularity. Cross-region replication.

Daily backups · PITR 5-min · Cross-region

Incident Response

24/7 security operations team. SLA for critical vulnerabilities under 4 hours. Customers notified within 72 hours.

24/7 SOC · 4hr critical SLA · 72hr notification

Uptime & Reliability

99.9% uptime SLA with real-time status monitoring

30-Day Uptime: 99.98%

Avg Response Time: 142ms

Incidents (30d): 0

SLA Guarantee: 99.9%

Dec 25: 99.98%

Jan 26: 100%

Feb 26: 99.97%

Mar 26: 99.99%

Apr 26: 100%

May 26: 99.98%

GDPR & Data Privacy

Orbas is fully GDPR compliant and committed to protecting your personal data and that of your customers. We act as a Data Processor, and you retain full ownership and control of your data.

Data Processing Agreements (DPAs) available for all customers

Data residency options: UK, EU, and US regions

Right to erasure (right to be forgotten) enforced within 30 days

Data portability: export your data at any time in standard formats

Privacy by design: data minimisation and purpose limitation built in

Subprocessor list published and kept up to date

Have security questions?

Our dedicated security team is available to answer your questions, share compliance documentation, and support your own security review process.