
Trust & Safety

Security at Orionix

Last updated: 14 April 2026
Jurisdiction: England & Wales
Company: Orionix Ltd

Contents

  • Our approach
  • Infrastructure security
  • Data protection
  • Application security
  • Access controls
  • Monitoring & response
  • Compliance
  • Vulnerability disclosure
  • Your security
  • Security contact

Security is foundational at Orionix. We take a defence-in-depth approach to protecting the data and services entrusted to us. This page outlines our security programme and how to report vulnerabilities responsibly.

1. Our approach to security

Security is built into every layer of our product and organisation. We follow a defence-in-depth model — multiple independent security controls mean no single point of failure can compromise your data. Our programme is guided by ISO/IEC 27001, NCSC Cyber Essentials, and the OWASP Top 10. We maintain a continuous cycle: assess, implement, test, review.

  • HTTPS / TLS 1.3 enforced
  • Data encrypted at rest (AES-256)
  • UK GDPR compliant
  • Responsible disclosure programme
  • Cyber Essentials certified

2. Infrastructure security

Hosting and cloud environment

Orionix services are hosted on enterprise-grade cloud infrastructure with ISO 27001 and SOC 2 Type II certifications. Our infrastructure provider maintains physical security, power redundancy, and environmental controls at all data centre facilities.

Network security

  • TLS 1.3 enforcement: all communications are encrypted in transit. TLS 1.0 and 1.1 are disabled.
  • HTTPS everywhere: all web traffic is served over HTTPS with HSTS enabled (minimum one-year max-age).
  • DDoS protection: web application firewall (WAF) and DDoS mitigation at the network edge.
  • Network segmentation: production, staging, and development environments are fully isolated.
  • Firewall rules: strict ingress and egress filtering; only required ports and protocols are permitted.

Availability

Our infrastructure is designed for high availability with redundancy across multiple availability zones. We publish and honour uptime SLAs (see our pricing plans). Scheduled maintenance is communicated in advance via our status page.

3. Data protection

Encryption at rest

All customer data is encrypted at rest using AES-256. Database backups are also encrypted. Encryption keys are managed using a dedicated KMS with regular key rotation.

Encryption in transit

All data transmitted between users, our APIs, and internal services uses TLS 1.3. Internal service-to-service communication is also encrypted.

Data residency

UK and European customer data is stored in data centres in the United Kingdom or European Economic Area by default. Enterprise customers may request specific data residency arrangements.

Backups

Backups are taken automatically every day and retained for a minimum of 30 days. Backups are stored in a separate, geographically distinct location, encrypted, and tested quarterly.

Data isolation

Customer data is logically isolated at the database level using tenant-specific encryption contexts. One customer cannot access another’s data.

4. Application security

Our SDLC incorporates security at every stage:

  • Secure coding standards: all engineers follow OWASP Secure Coding Practices with mandatory security code review.
  • Static analysis (SAST): automated tools scan every commit for vulnerabilities, insecure dependencies, and secrets in code.
  • Dependency scanning: continuous CVE monitoring with rapid patching.
  • Penetration testing: independent pen tests at least annually and after significant architectural changes.
  • OWASP Top 10 alignment: our programme addresses all top 10 web application security risks.
  • Content Security Policy (CSP): strict CSP headers to mitigate XSS attacks.
  • Input validation and output encoding: all user input is validated and sanitised; outputs are encoded to prevent injection attacks.

5. Access controls

Employee access

  • Access to production systems and customer data is granted on a least-privilege, need-to-know basis.
  • All privileged access requires multi-factor authentication (MFA).
  • Access is reviewed quarterly and revoked immediately on employee departure.
  • All privileged sessions are logged and auditable.

Customer account security

  • Passwords are hashed using bcrypt with an appropriate work factor; plaintext passwords are never stored or logged.
  • MFA is available and strongly recommended for all customer accounts.
  • Session tokens are rotated on authentication and invalidated on logout.
  • Brute-force protection and account lockout policies are enforced on all login endpoints.

Physical security

Our office security policy requires clean-desk practices, screen locking, and encrypted laptops. Full-disk encryption is mandatory on all devices used to access production systems.

6. Monitoring and incident response

Monitoring

We operate a 24/7 security monitoring programme covering infrastructure, application, and access logs. Anomalous behaviour triggers automated alerts for investigation.

Incident response

We maintain a documented Incident Response Plan tested annually. Our process:

  1. Detection and triage: incident identified, categorised by severity, incident commander assigned.
  2. Containment: immediate steps taken to limit impact.
  3. Investigation: root cause analysis performed.
  4. Remediation: vulnerability addressed.
  5. Notification: affected customers and, where required, the ICO notified within 72 hours for personal data breaches under UK GDPR.
  6. Post-incident review: lessons learned documented to prevent recurrence.

7. Compliance and certifications

Standard / Regulation     Status                   Scope
UK GDPR & DPA 2018        Compliant                All personal data processing
NCSC Cyber Essentials     Certified                Core technical controls
ISO/IEC 27001             In progress              Information security management
SOC 2 Type II             In progress              Security, availability, confidentiality
PCI DSS                   Via certified provider   Payment card data

Enterprise customers may request our security questionnaire, Data Processing Agreement (DPA), or certification evidence at security@orionix.uk.

8. Vulnerability disclosure programme

If you discover a security vulnerability in any Orionix system, we ask that you:

  • Report it to us before disclosing publicly or to any third party.
  • Provide sufficient detail to reproduce and understand the issue.
  • Allow us reasonable time to investigate and remediate before disclosure.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Not conduct denial-of-service testing or social engineering against our staff.

We commit to: acknowledging receipt within 2 business days; providing regular updates; not pursuing legal action against researchers acting in good faith; and crediting researchers in our security acknowledgements (if desired).

Report a vulnerability: Email security@orionix.uk with subject line [SECURITY REPORT]. Request our PGP public key for sensitive disclosures.

Out of scope: volumetric attacks, social engineering, physical attacks, vulnerabilities in third-party services not under our control, and reports requiring physical device access.

9. Protecting your own security

  • Use a strong, unique password for your Orionix account (minimum 12 characters).
  • Enable multi-factor authentication (MFA) on your account.
  • Keep your operating system, browser, and software up to date.
  • Be vigilant about phishing — Orionix will never ask for your password by email or phone.
  • Review your account activity regularly and report suspicious activity immediately.
  • Use a reputable password manager.

If you believe your account has been compromised, contact security@orionix.uk immediately or use our contact page.

10. Security contact

  • Email: security@orionix.uk
  • Response: within 2 business days for general enquiries; 24 hours for critical incidents.

For general enquiries not related to security, please use our contact page.

© 2026 Orionix Ltd. All rights reserved.  ·  orionix.uk