Security Policy

Last updated: June 2026

Encryption

All data in transit is encrypted with TLS 1.2+. Data at rest uses AES-256. License keys use ECDSA P-256 signatures.

Access control

Role-based access (Admin, Staff, Client) limits what each user can see and do. Every action is logged in an immutable audit trail.

Monitoring

We run automated vulnerability scans, dependency audits, and anomaly detection on all production services.

Responsible disclosure

We operate a coordinated vulnerability disclosure programme. Researchers who report issues in good faith will not face legal action.

Our security commitments

Security is a first-class concern at Palladium Innovations. The Orbilex platform is designed with a defence-in-depth approach: multiple independent controls so that the failure of any single control does not result in a breach.

Key commitments:

  • TLS 1.2 or higher on all network connections
  • AES-256 encryption for data at rest
  • ECDSA P-256 signed license keys, which cannot be forged without the private signing key
  • Immutable audit logs for every platform action
  • Role-based access control with the principle of least privilege
  • Automated dependency vulnerability scanning on every build
  • SOC 2 Type II audit in progress (expected Q4 2026)
  • GDPR-compliant data handling and DPA available on request
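
The following is an added illustration, not Orbilex code: the page states only that license keys carry ECDSA P-256 signatures, so the key layout (base64url payload, a dot, base64url r||s), the claim names and the pure-Python curve arithmetic are assumptions made for this demonstration. It shows the property the commitment above rests on: the product embeds only the public key and can verify any key, while producing a key that verifies, or altering the claims in an issued one, requires the vendor's private key.

```python
"""ECDSA P-256 license-key issuance and verification (added example).

Not Orbilex code. Key layout, claim names and the hand-rolled curve
arithmetic are assumptions for illustration; production code should use a
vetted library and deterministic nonces (RFC 6979).
"""
import base64
import binascii
import hashlib
import json
import secrets

# NIST P-256 (secp256r1) domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def _add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def generate_keypair():
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)


def sign(priv, msg):
    z = _hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh nonce; reuse leaks the private key
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or not _on_curve(pub):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_license(priv, claims):
    """Vendor side: canonical JSON payload plus a 64-byte r||s signature."""
    r, s = sign(priv, _canonical(claims))
    return _b64(_canonical(claims)) + "." + _b64(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def check_license(pub, key):
    """Product side: needs only the public key; returns the claims or None."""
    try:
        p64, s64 = key.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    if len(sig) != 64:
        return None
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    return json.loads(payload) if verify(pub, payload, (r, s)) else None


def tamper_seats(key, seats):
    """Attacker side: rewrite the claims while keeping the original signature."""
    p64, s64 = key.split(".")
    claims = json.loads(_unb64(p64))
    claims["seats"] = seats
    return _b64(_canonical(claims)) + "." + s64


if __name__ == "__main__":
    priv, pub = generate_keypair()
    key = issue_license(priv, {"customer": "example-org", "seats": 5, "expires": "2027-01-01"})
    print(check_license(pub, key))                     # the claims dict
    print(check_license(pub, tamper_seats(key, 500)))  # None: signature no longer matches
```

Two caveats a reviewer of a real verifier would raise: the random per-signature nonce is correct but fragile (a repeated or predictable nonce exposes the private key, which is why deterministic RFC 6979 nonces are preferred), and the signature check is only as strong as the signing key's custody, so the private key belongs in an HSM or signing service, never in the shipped product.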

Vulnerability disclosure

If you discover a security vulnerability in Orbilex, we ask that you disclose it to us responsibly before making it public. We commit to:

  • Acknowledging your report within 2 business days
  • Providing regular updates on our progress
  • Fixing confirmed vulnerabilities within 90 days (critical: 14 days)
  • Crediting you in our public changelog (unless you prefer anonymity)
  • Not taking legal action against researchers acting in good faith

To report a vulnerability, email security@orbilex.io with a detailed description, steps to reproduce, and your assessment of impact. Please encrypt sensitive reports using our PGP key (available on request).

Out of scope

The following are explicitly out of scope for vulnerability reports:

  • Issues that require physical access to a user's device
  • Denial-of-service attacks against our infrastructure
  • Social engineering of Palladium Innovations employees
  • Vulnerabilities in third-party dependencies where we are blocked on upstream fixes
  • Issues in software versions older than 2 major releases

Infrastructure security

Orbilex is designed to be self-hosted. When you deploy on your own infrastructure, you are responsible for hardening the host OS, firewall rules, and access controls. Our installation guide includes a security checklist covering:

  • Firewall configuration (only ports 80/443 publicly exposed)
  • Non-root Docker execution
  • Environment variable handling for secrets
  • Automatic TLS via Let's Encrypt
  • Database access restricted to internal Docker network

Contact

Security matters: security@orbilex.io

General legal matters: legal@orbilex.io