Security policy

1. Scope and purpose

This policy governs how Orbital Bedrock manages information security for Orbital Parallax, an AI-powered financial statements review platform. It applies to all systems, services, subprocessors, and data processed by Orbital Bedrock on behalf of clients.

The objective is to protect the confidentiality, integrity, and availability of client data — including raw financial statement documents, extracted financial data, AI-generated review findings, and generated reports.

2. Information Security Officer

The Chief Information Officer (CIO), or in their absence the Chief Executive Officer (CEO), is designated as the Information Security Officer (ISO). The ISO is responsible for maintaining this policy, overseeing reviews of the risk register, and leading incident response activities.

Security enquiries and responsible disclosure reports: [email protected]. We commit to acknowledging reports within 5 business days.

3. Access control

All access to systems that transmit, process, or store client data is subject to the following controls:

  • Unique credentials. Every user account requires a unique identifier and credential. Shared accounts are not permitted.
  • Multi-factor authentication (MFA). TOTP-based MFA is available to all platform users. Organisation administrators may mandate MFA for all members of their organisation. MFA is required for all production system access by Orbital Bedrock staff.
  • Least privilege. The application database role holds only the privileges required for normal operation. Direct production console and database access is restricted to the ISO. Access is reviewed monthly; stale access is revoked.
  • Session controls. Sessions expire after 8 hours of inactivity by default. Organisation administrators may reduce this to 1 or 4 hours. Re-authentication is required before sensitive account changes (email address, password, MFA disable, organisation ownership transfer).
  • Remote access. All remote access to production systems requires MFA. No third party holds standing access to production systems or client data.
  • Staff access to client data. Orbital Bedrock personnel may access client data only in the following circumstances: (a) to respond to a support request you have made — we will ask for your express consent before accessing your account; (b) to resolve an error that has stopped an automated process partway through — we access the minimum amount of personal data necessary to fix the issue and aim to remediate the root cause to prevent recurrence; (c) to safeguard Orbital Bedrock, including reviewing logs and metadata as part of security operations and abuse investigations; or (d) to the extent required by applicable law.

4. Acceptable use

Orbital Bedrock's use restrictions policy governs acceptable and prohibited uses of the Parallax platform by clients and their teams. It applies to all accounts and is incorporated into this security policy by reference.

5. Data handling and retention

Client data is hosted on AWS for compute and database, and on Cloudflare R2 for raw financial statement PDFs and generated report files. A full subprocessor list is maintained and available on request.

Encryption at rest: RDS PostgreSQL uses AES-256 encryption. Cloudflare R2 uses server-side encryption. Sensitive application-layer fields (such as MFA secrets) use Rails native column-level encryption.

Encryption in transit: TLS 1.2 or higher is enforced for all connections between clients and the application, and between the application and subprocessors.

Retention: Audit logs are retained for a minimum of 3 to 6 months. Client financial data is retained for the duration of the client relationship and any contractually or legally required period thereafter. Client data can be deleted in full on written request within 30 days.

AI data handling: Document content is sent to the Anthropic API for structured extraction and qualitative review. Anthropic does not train on API customer data. All document content is treated as untrusted input and wrapped in structural delimiters before API submission to prevent prompt injection. No other AI provider receives client data unless explicitly disclosed and authorised in advance.

6. Password policy

  • A minimum of 12 characters is required for all user accounts.
  • Passwords are checked against known breach databases at registration and on every password change using the HaveIBeenPwned k-anonymity API. Passwords appearing in known breach databases are rejected. The plaintext password is never transmitted — only the first 5 characters of its SHA-1 hash are sent.
  • Login and password reset attempts are rate-limited to prevent brute-force and credential stuffing attacks.
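The k-anonymity check described above, as an added example (not Orbital Bedrock's own code): only the first 5 hex characters of the SHA-1 digest leave the application, the remaining 35 are compared locally against the returned range. The network call is abstracted as a hypothetical `fetch_range` callable so the example runs offline, and the breached password and counts are constructed sample data.

```ruby
require "digest"

# Minimum length required by the policy above.
MIN_PASSWORD_LENGTH = 12

# Split the uppercase SHA-1 hex digest into the 5-character prefix that is
# sent to the range endpoint and the 35-character suffix that never leaves
# the application.
def hibp_split(password)
  digest = Digest::SHA1.hexdigest(password).upcase
  [digest[0, 5], digest[5, 35]]
end

# Parse a k-anonymity range response ("SUFFIX:COUNT" per line) and return
# the breach count for our suffix, or 0 when the suffix is absent.
def breach_count(suffix, range_body)
  range_body.each_line do |line|
    candidate, count = line.strip.split(":", 2)
    return count.to_i if candidate && candidate.casecmp?(suffix)
  end
  0
end

# Apply both policy rules. `fetch_range` is a hypothetical callable taking
# the 5-character prefix and returning the range body; in production it
# would issue the HTTPS request, here the caller supplies it.
def password_acceptable?(password, fetch_range)
  return [false, :too_short] if password.length < MIN_PASSWORD_LENGTH
  prefix, suffix = hibp_split(password)
  count = breach_count(suffix, fetch_range.call(prefix))
  return [false, :breached] if count > 0
  [true, :ok]
end

# Constructed sample: pretend this long password appears in the breach
# corpus, with made-up counts, alongside an unrelated suffix.
SAMPLE_BREACHED = "Winter2024Winter2024"
SAMPLE_PREFIX, SAMPLE_SUFFIX = hibp_split(SAMPLE_BREACHED)
SAMPLE_RANGE = "#{SAMPLE_SUFFIX}:12345\n0000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\n"

if __FILE__ == $PROGRAM_NAME
  fetch = ->(prefix) { prefix == SAMPLE_PREFIX ? SAMPLE_RANGE : "" }
  p password_acceptable?("short", fetch)            # [false, :too_short]
  p password_acceptable?(SAMPLE_BREACHED, fetch)    # [false, :breached]
  p password_acceptable?("a-long-unlisted-pw", fetch) # [true, :ok]
end
```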

7. Change management

All changes to production systems are subject to the following controls:

  • All code changes are implemented via a reviewed pull request on the main branch and must pass automated CI checks before deployment.
  • CI includes static security analysis and dependency vulnerability scanning. High-confidence findings and CVEs with known patches block deployment.
  • Dependencies are monitored continuously and reviewed on every pull request. Critical CVEs are remediated within 5 business days of identification.
  • An annual automated vulnerability scan is run against the staging environment. High and medium findings are remediated before proceeding.

8. Production data and testing environments

Production data is never used in test or staging environments. All testing uses synthetic or anonymised datasets. Staging and production are logically separated environments.

9. Multi-tenant data isolation

All client data is logically isolated by organisation at the database layer. No API request can return data belonging to a different organisation. An immutable audit log records all material access to and changes in client data; audit logs are exportable as CSV by organisation administrators and retained for a minimum of 3 to 6 months.

Parallax is a shared-infrastructure SaaS. Physical infrastructure isolation is provided by AWS; logical isolation at the application and data layer is provided by Orbital Bedrock.

10. Incident response

In the event of a confirmed or reasonably suspected breach of customer data, Orbital Bedrock will notify affected clients and channel partners within 72 hours of becoming aware of the incident. Notification will include:

  • The nature of the incident
  • Data categories and approximate number of records affected
  • Likely impact on affected individuals or organisations
  • Remediation steps taken or planned

Runtime errors are monitored continuously. Security events are recorded in the immutable audit log. Incidents and suspected incidents should be reported to [email protected].

11. Policy review

This policy is reviewed quarterly by the ISO and updated whenever material changes occur to the technical environment, the regulatory landscape, or the risk profile of the service.

Version 1.0 · Effective 21 June 2026 · Owner: Chief Information Officer, Orbital Bedrock