Built on a single idea: don't store what you don't need.
We treat your data as a liability, not an asset. The architecture follows from that.
We minimize what we store.
Your leads, contacts, calls, and recordings stay where they already live: your CRM and your dialer. On our side: account identity (name, email, auth credential), the ticker definitions you give us, routing rules, schedule queues, and a per-account action log. That's it.
We treat your data as a liability, not an asset. Less stored data means a smaller attack surface, fewer places where something can go wrong, and a simpler answer when your customers ask where their information lives.
Marketing static. Accounts lean.
The marketing pages of chooseorbit.com (homepage, about, this page) are static. No login, no PII collected, no analytics scripts, no marketing pixels. The only outbound touchpoint is the "Book a call" link, which routes to Calendly (their privacy policy applies).
The customer portal (sign-in, dashboard) stores the minimum to make sign-in work: your name, email, and either a hashed password (scrypt) or a Google OAuth token if you signed in that way. Sessions live in HTTP-only secure cookies. The account layer sits in a managed Postgres database (Neon, US-East), encrypted at rest, TLS in transit. Baseline, not bragging.
Customer-controlled access. Revocable anytime.
Once you're onboarded, Orbit operates through OAuth tokens or scoped API keys that you issue to us against your CRM, dialer, calendar, and email. You control what we can read and write. You can revoke access from your own admin panel at any time, and we'll have nothing on our side that depends on it.
Every ticker firing, routing decision, and action Orbit takes is logged in your CRM's native audit trail. Visible to you, owned by you. If you off-board, the integration tokens get revoked, our access ends, and your data continues living where it already lived.
Small team. Tight access.
Production access is limited to the founding team. That includes any system that can touch a customer integration. Authentication uses single sign-on with hardware-backed 2FA enforced across every service in the path. Credentials live in a managed password vault, never in plaintext, never in shared docs.
Least-privilege access isn't a paragraph in a policy document here. It's enforced by the size of the team and the fact that fewer hands on a system means fewer ways for an account to leak. We'll grow this practice with discipline as the team grows, and publish updates on this page when it changes.
Where we are, and where we're going.
Orbit is a young company. We don't yet have SOC 2 Type II, ISO 27001, or formal third-party penetration testing reports, and we're not going to pretend we do. As we scale, those certifications are the next investment. We'll publish them on this page when they're real, not as roadmap claims.
If your industry has specific compliance requirements like HIPAA, PCI DSS, FINRA, or state-level financial regulation, raise them on the intro call. We'll tell you straight whether we can meet them today, what architectural changes would be needed, or whether the fit isn't there yet.