Your data security is our priority
ORbit is built with security-first architecture. We protect your operational data with enterprise-grade security while keeping compliance simple.
HIPAA Compliant by Design
ORbit is architected to avoid storing Protected Health Information (PHI). Cases are tracked by case number only — no patient names, medical record numbers, or clinical data are ever stored in our system.
Encryption Everywhere
All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Your data is protected whether it is moving or stored.
Secure Infrastructure
ORbit runs on enterprise-grade cloud infrastructure in data centers located in the United States and covered by SOC 2 Type II attestation. Each customer's data lives in its own dedicated, isolated database instance.
Access Controls
Role-based access control (RBAC) ensures staff only see data relevant to their role. Facility admins have full control over user permissions and can revoke access instantly.
Audit Logging
Every action in ORbit is logged with timestamps and user attribution. Comprehensive audit trails help you maintain compliance and investigate any concerns.
Data Retention & Deletion
You control your data. Export anytime in standard formats, and request complete deletion when needed. We retain data only as long as you need it.
No PHI. Simplified Compliance.
Unlike traditional healthcare software, ORbit tracks operational metrics without storing Protected Health Information. Cases are identified by case number only — never patient names or medical records. This means faster deployment, simpler compliance, and less risk.
Security FAQs
Is ORbit HIPAA compliant?
Yes. ORbit is designed to operate outside the scope of HIPAA by never storing Protected Health Information. We track cases by case number only; no patient names, dates of birth, or medical record numbers are stored. Because no PHI is held in the system, the compliance burden is much smaller while you still get full operational visibility.
Where is my data stored?
All data is stored in data centers located in the United States and covered by SOC 2 Type II attestation. We use Supabase (built on AWS) for our database infrastructure, with a dedicated, isolated database instance for each customer.
Who can access my facility's data?
Only users you authorize. Each facility has complete control over who can access their data through role-based permissions. Our engineering team has limited access for support purposes only, and all access is logged.
Do you sign Business Associate Agreements (BAAs)?
Because ORbit does not store PHI, a BAA is typically not required. However, we're happy to discuss your specific compliance needs and can provide documentation of our security practices.
How do you handle security incidents?
We have a documented incident response plan. In the unlikely event of a security incident affecting your data, we commit to notifying affected customers within 72 hours with full details and remediation steps.