Trust

Security at Base

Agencies trust Base with sensitive client relationships and business data. Here's how we protect it. For a full security pack under NDA, email conor@orbitlane.co.

Security is not a compliance checkbox for us — it's a design constraint that affects how we build, deploy, and operate every part of Base. This page summarizes our current posture. We update it as our controls mature.

Infrastructure and hosting

  • Base is hosted on leading cloud infrastructure (currently AWS and Supabase) with redundancy and availability monitoring.
  • All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
  • Production systems are isolated in a dedicated environment with network-level access controls and no direct public access to databases.
  • We use automated vulnerability scanning on dependencies and maintain a process for applying security patches promptly.

Authentication and access control

  • Users authenticate with email and password (passwords are bcrypt-hashed and never stored in plaintext). We support SSO for enterprise customers — ask during onboarding.
  • Multi-factor authentication (MFA) is available and recommended for all Base accounts.
  • Role-based access control (RBAC) within Base restricts what each team member can see and do. Agency owners control seat and permission assignments.
  • Our own team uses SSO and MFA for all internal systems. Access to production data is restricted to personnel with a documented business need and is audited.
  • Sessions expire after inactivity and can be revoked by account owners at any time.

Data isolation and handling

  • Each Base workspace is logically isolated — your data is not accessible to other customers.
  • Client data you connect through integrations (CRM, billing, project tools) is used solely to power your Base workspace. We don't aggregate or profile your client data across accounts.
  • Subprocessors that handle customer data are reviewed before onboarding and are bound by data processing agreements (DPAs). Request our current subprocessor list at conor@orbitlane.co.

Backup and recovery

  • Database backups run daily with point-in-time recovery capability. Backups are encrypted and stored in a separate region from primary data.
  • We test restoration procedures regularly to confirm backups are usable.
  • Our target recovery time objective (RTO) is under 4 hours for critical systems; recovery point objective (RPO) is under 24 hours. These targets will tighten as we scale.

Application security

  • Code changes go through peer review before merging to production. We use automated linting, static analysis, and dependency auditing in our CI/CD pipeline.
  • We follow OWASP Top 10 guidance and perform internal security reviews on new features that handle sensitive data.
  • We conduct third-party penetration tests periodically. Results drive a tracked remediation process. Summaries are available to enterprise customers under NDA.
  • API access uses short-lived, scoped tokens. Keys can be rotated or revoked by account owners from the dashboard.

Employee security

  • Team members receive security awareness training and follow a documented acceptable use policy.
  • Access to customer data in production is role-limited, logged, and reviewed. We access customer data only when necessary to investigate a support issue or incident, and with the minimum scope needed.
  • Offboarding procedures immediately revoke access across all systems.

Incident response

We maintain a documented incident response plan covering detection, containment, eradication, and recovery. If a security incident affects your data, we will notify you as required by applicable law and our contractual obligations — and faster where we can. We aim to provide meaningful updates, not just boilerplate notices.

Post-incident, we conduct a root cause analysis and share relevant learnings with affected customers.

Compliance

Base is currently working toward SOC 2 Type II. We are designed to support customers' GDPR and CCPA obligations — Data Processing Agreements (DPAs) are available on request for customers subject to those regulations. Email conor@orbitlane.co to get a DPA.

Your responsibilities

Security is a shared responsibility. As a Base customer, you control who has access to your workspace and what third-party data you connect. We recommend:

  • Enable MFA for all Base users in your agency.
  • Review seat and permission assignments regularly, especially after team changes.
  • Revoke access for departing staff promptly through the workspace settings.
  • Ensure you have appropriate rights and permissions for any client data you connect to Base, including any DPAs required by your own clients.

Report a vulnerability

We welcome responsible disclosure. If you believe you've found a security vulnerability in Base, email conor@orbitlane.co with a description and steps to reproduce. Please don't publicly disclose an issue until we've had a chance to investigate and respond. We aim to acknowledge reports within 2 business days.

We don't currently operate a formal bug bounty program, but we take every report seriously and will credit researchers who help us improve Base's security with their permission.