Security at Orbyt

Last updated: March 2026

Your job search data is personal and sensitive. At Orbyt, security is foundational to everything we build. This page describes the technical controls that protect your data.

Data Encryption

In transit: All connections use TLS 1.3. HSTS headers enforce HTTPS on every request. No fallback to unencrypted connections.
At rest: Database storage is encrypted using AES-256 via Supabase/AWS. Backups are encrypted with the same standard.
API keys (Unlimited plan):If you bring your own API keys on the Unlimited plan, they are stored exclusively in your browser's localStorage. They are explicitly stripped before any cloud sync and never leave your device.

Authentication

Password policy: 16-character minimum with bcrypt hashing. Brute-force protection via progressive lockout.
Passkeys (WebAuthn): Phishing-resistant passwordless login using device biometrics or hardware security keys.
Two-factor authentication: TOTP-based 2FA support for accounts that want an additional layer beyond passwords.
Session management: Cookie-based sessions with HttpOnly flags and 7-day refresh tokens. Sessions are validated server-side on every protected request.

Access Controls

Row Level Security: Every database table enforces Supabase RLS policies. Your data is accessible only to your authenticated session. No other user and no admin can access your data without the service role key.
Per-user storage isolation: Uploaded files (profile images, contact photos) are scoped to per-user folders with storage-level access policies.
Service role key: The Supabase service role key is server-side only and never exposed to the browser. It is used exclusively for account deletion and webhook processing.

Infrastructure

Vercel: Edge network hosting with automatic TLS termination, DDoS protection, and auto-scaling. No self-managed servers.
Supabase: Managed PostgreSQL on AWS infrastructure with encrypted storage, automated backups, and built-in auth.
Stripe: PCI DSS Level 1 compliant payment processing. Card data is collected and processed entirely by Stripe. Payment details never touch our servers.
Rate limiting: All API endpoints are rate-limited via Upstash Redis (with in-memory fallback) to prevent abuse.

AI Privacy

Free, Pro, and Ultra plans include hosted AI powered by Orbyt's server-side keys, with no API key setup needed. The Unlimited plan uses a Bring Your Own Key (BYOK) model for power users who want zero caps and full data privacy.

Hosted AI (Free, Pro, Ultra):AI prompts are processed through Orbyt's server-side API keys. We do not log, store, or inspect prompt content. Prompts are processed in real time and are not used to train AI models.
BYOK keys stay on your device (Unlimited): On the Unlimited plan, your API keys for OpenAI and Anthropic are stored in localStorage only. They are stripped before any Supabase write and are never persisted server-side. AI prompts are routed through our server-side proxy to protect your key from exposure in client-side network traffic.
No training on your data: Orbyt never uses your job search data or AI interactions for model training. Your data stays yours.
Voice recordings:When you use voice capture, audio is recorded in your browser and sent to OpenAI's Whisper API through Orbyt's edge proxy. On Free, Pro, and Ultra, voice data is processed through Orbyt's hosted OpenAI key. On Unlimited, it flows through your own API key. Audio is never stored on our servers. Only the resulting transcription text is used.

Application Security

Content Security Policy: Strict CSP headers prevent XSS, clickjacking, and unauthorized script execution.
Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.
Origin verification: All API routes verify the request origin to prevent CSRF attacks.
Input sanitization: All user input is validated and sanitized. No dynamic code execution or raw HTML injection anywhere in the codebase.
Webhook authentication: Supabase and Stripe webhooks are verified via HMAC signatures using constant-time comparison.
Microphone permission:Voice features use the browser's native Permissions API. Microphone access is requested only on user action (clicking the mic button) and can be revoked at any time. Orbyt never accesses the microphone in the background.

Monitoring

Sentry: Production error monitoring with privacy-safe defaults. All text is masked and all media is blocked in session replays. Error reports contain stack traces and device metadata only.
Audit logging: 17 audited event types covering authentication (login, logout, password change, passkey registration), billing actions (subscription create, cancel, reactivate, plan change, refund), and data operations (export, account deletion). Audit entries are stored in a service-role-only table (no client access) with 90-day retention and automatic purge.
Pre-commit sentinel: Every code change passes through a 12-check automated security scan covering missing auth, origin verification, hardcoded secrets, unsafe crypto patterns, and XSS vectors.

Uptime & Status

We monitor Orbyt's availability around the clock. View real-time and historical uptime data on our public status page.

Compliance

GDPR data export: Export all your data as JSON at any time from Settings. Full data portability with one click.
Right to deletion: Delete your account from Settings. Cascade deletes remove all database records, uploaded files, and stored credentials.
No tracking cookies: Orbyt uses cookies exclusively for authentication (Supabase session cookies). No advertising or third-party tracking cookies.
Data Processing Agreement: See our Privacy Policy for our full DPA covering sub-processors, retention, and breach notification.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@orbytjobs.ai. We take all reports seriously and will acknowledge receipt within 48 hours. We will not take legal action against researchers who follow responsible disclosure practices.

← Back to Orbyt

Data Encryption

In transit: All connections use TLS 1.3. HSTS headers enforce HTTPS on every request. No fallback to unencrypted connections.

At rest: Database storage is encrypted using AES-256 via Supabase/AWS. Backups are encrypted with the same standard.

API keys (Unlimited plan):If you bring your own API keys on the Unlimited plan, they are stored exclusively in your browser's localStorage. They are explicitly stripped before any cloud sync and never leave your device.

Authentication

Password policy: 16-character minimum with bcrypt hashing. Brute-force protection via progressive lockout.

Passkeys (WebAuthn): Phishing-resistant passwordless login using device biometrics or hardware security keys.

Two-factor authentication: TOTP-based 2FA support for accounts that want an additional layer beyond passwords.

Session management: Cookie-based sessions with HttpOnly flags and 7-day refresh tokens. Sessions are validated server-side on every protected request.

Access Controls

Row Level Security: Every database table enforces Supabase RLS policies. Your data is accessible only to your authenticated session. No other user and no admin can access your data without the service role key.

Per-user storage isolation: Uploaded files (profile images, contact photos) are scoped to per-user folders with storage-level access policies.

Service role key: The Supabase service role key is server-side only and never exposed to the browser. It is used exclusively for account deletion and webhook processing.

Infrastructure

Vercel: Edge network hosting with automatic TLS termination, DDoS protection, and auto-scaling. No self-managed servers.

Supabase: Managed PostgreSQL on AWS infrastructure with encrypted storage, automated backups, and built-in auth.

Stripe: PCI DSS Level 1 compliant payment processing. Card data is collected and processed entirely by Stripe. Payment details never touch our servers.

Rate limiting: All API endpoints are rate-limited via Upstash Redis (with in-memory fallback) to prevent abuse.

AI Privacy

Hosted AI (Free, Pro, Ultra):AI prompts are processed through Orbyt's server-side API keys. We do not log, store, or inspect prompt content. Prompts are processed in real time and are not used to train AI models.

BYOK keys stay on your device (Unlimited): On the Unlimited plan, your API keys for OpenAI and Anthropic are stored in localStorage only. They are stripped before any Supabase write and are never persisted server-side. AI prompts are routed through our server-side proxy to protect your key from exposure in client-side network traffic.

No training on your data: Orbyt never uses your job search data or AI interactions for model training. Your data stays yours.

Voice recordings:When you use voice capture, audio is recorded in your browser and sent to OpenAI's Whisper API through Orbyt's edge proxy. On Free, Pro, and Ultra, voice data is processed through Orbyt's hosted OpenAI key. On Unlimited, it flows through your own API key. Audio is never stored on our servers. Only the resulting transcription text is used.

Application Security

Content Security Policy: Strict CSP headers prevent XSS, clickjacking, and unauthorized script execution.

Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.

Origin verification: All API routes verify the request origin to prevent CSRF attacks.

Input sanitization: All user input is validated and sanitized. No dynamic code execution or raw HTML injection anywhere in the codebase.

Webhook authentication: Supabase and Stripe webhooks are verified via HMAC signatures using constant-time comparison.

Microphone permission:Voice features use the browser's native Permissions API. Microphone access is requested only on user action (clicking the mic button) and can be revoked at any time. Orbyt never accesses the microphone in the background.

Monitoring

Sentry: Production error monitoring with privacy-safe defaults. All text is masked and all media is blocked in session replays. Error reports contain stack traces and device metadata only.

Audit logging: 17 audited event types covering authentication (login, logout, password change, passkey registration), billing actions (subscription create, cancel, reactivate, plan change, refund), and data operations (export, account deletion). Audit entries are stored in a service-role-only table (no client access) with 90-day retention and automatic purge.

Pre-commit sentinel: Every code change passes through a 12-check automated security scan covering missing auth, origin verification, hardcoded secrets, unsafe crypto patterns, and XSS vectors.

Compliance

GDPR data export: Export all your data as JSON at any time from Settings. Full data portability with one click.

Right to deletion: Delete your account from Settings. Cascade deletes remove all database records, uploaded files, and stored credentials.

No tracking cookies: Orbyt uses cookies exclusively for authentication (Supabase session cookies). No advertising or third-party tracking cookies.

Data Processing Agreement: See our Privacy Policy for our full DPA covering sub-processors, retention, and breach notification.