Security

Last updated: March 2026

At Orbit, security isn't an afterthought—it's foundational. Your job search data is personal and sensitive, and we treat it that way.

Infrastructure

  • Hosting: Orbit runs on Vercel (edge network, automatic TLS, DDoS protection).
  • Database: PostgreSQL on Supabase (AWS infrastructure, encrypted at rest, automated backups).
  • Rate limiting: All API endpoints are rate-limited via Upstash Redis to prevent abuse.

Data Protection

  • Encryption in transit: All connections use TLS 1.2+. HSTS headers enforce HTTPS on every request.
  • Encryption at rest: Database storage is encrypted using AES-256 via Supabase/AWS.
  • Row Level Security: Every database table enforces Supabase RLS policies. Your data is accessible only to your authenticated session—no other user, and no admin without the service role key.
  • Per-user storage isolation: Uploaded files (profile images, contact photos) are scoped to per-user folders with storage-level access policies.

Authentication

  • Supabase Auth: Email/password authentication with bcrypt password hashing and secure, HttpOnly session cookies.
  • Passkeys (WebAuthn): Phishing-resistant passwordless login using device biometrics or hardware keys.
  • Session management: Cookie-based sessions with automatic refresh. Sessions are validated server-side on every protected request.

Application Security

  • Content Security Policy: Strict CSP headers prevent XSS, clickjacking, and unauthorized script execution.
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.
  • Origin verification: All API routes verify the request origin to prevent CSRF attacks.
  • Webhook authentication: Supabase and Stripe webhooks are verified via HMAC signatures (constant-time comparison).

Payment Security

  • Stripe Elements: Card data is collected and processed entirely by Stripe. Your payment details never touch our servers—we are PCI-compliant by design.
  • Webhook signatures: All Stripe webhook events are verified via stripe.webhooks.constructEvent() before processing.

AI & API Keys

Orbit's AI features (resume tailoring, Scout chat, contact parsing) require you to provide your own API keys for OpenAI and/or Anthropic.

  • Keys stay local: Your API keys are stored exclusively in your browser's localStorage. They are never synced to the cloud—they are explicitly stripped before any Supabase write.
  • Server-side proxy: When you use an AI feature, your key is forwarded through our API route to the provider and discarded after the request. This prevents exposure in client-side network traffic.

Error Monitoring & Analytics

We use Sentry for production error monitoring and PostHog for product analytics and session replay. Session replays in both services mask all text and all input fields, so no personal data is visible. Error reports include stack traces and device metadata only. Analytics data is used solely for product improvement.

Automated Security Checks

Every code change goes through automated pre-commit security scanning that checks for:

  • Missing authentication on API routes
  • Missing origin verification
  • Hardcoded secrets or credentials
  • Unsafe cryptographic patterns
  • XSS vectors and injection risks

Uptime & Status

We monitor Orbit's availability around the clock. View real-time and historical uptime data on our public status page.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@orbitjobs.ai. We take all reports seriously and will respond promptly.
