OrbitalReg

Trust & security

Built for procurement reviews.

OrbitalReg is engineered for the kind of due diligence that kills competitor deals. Every claim on this page links to evidence (a config flag, a doc, a roadmap item) so your security team can verify it rather than take our word for it.

01 — Compliance posture

Where we stand on the audits your security team will ask about.

No vapourware. Status reflects today, not aspirations. Items in progress have a target window and a public roadmap reference.

SOC 2 Type II

Pre-audit phase

Evidence engine shipped: every control in the Trust Services Criteria we target has a corresponding evidence artifact in the product. Auditor selection in progress. Trust Services Criteria targeted: Security, Availability, Confidentiality.

Pre-audit evidence pack available under NDA — request via info@orbitalreg.com.

ISO 27001

Controls mapped

Annex A controls mapped to product features and operational practice. Mapping documented in docs-site/compliance/iso27001/ — every control points to the OrbitalReg artifact that satisfies it.

Certification is on the medium-term roadmap; mapping is the prerequisite. Mapping document available under NDA.

GDPR

Compliant by design

EU-only data residency. Data Processing Agreement (/legal/dpa) ready to counter-sign at contract time. Privacy policy at /datenschutz. Right-to-erasure and data-export procedures documented.

Single sub-processor: IONOS Cloud (Frankfurt) for hosting + SMTP. Listed in DPA appendix.

Supply-chain integrity

SLSA-aligned

Every release artifact carries a Sigstore signature, an SBOM, and build provenance (CI run, commit SHA, builder identity). Customers can verify all three before deploying, without trusting us.

Verification recipes are in the migration docs and the customer portal.
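What a deploy-side check of that provenance looks like once the Sigstore signature on the attestation envelope has been verified (with `cosign verify-attestation` and its `--certificate-identity` / `--certificate-oidc-issuer` pins). The following is an added example, not OrbitalReg's own verification recipe: it assumes the provenance is an in-toto Statement v1 with a SLSA v1 predicate, which is the shape cosign attestations carry, and binds the bytes you are about to deploy to that statement, to an allow-listed builder identity, and to a pinned source commit. The artifact bytes, URIs, builder ID and policy are all constructed for the example.

```python
"""Provenance-binding check for a downloaded release artifact (added example).

Assumes the Sigstore signature on the attestation envelope was already verified
out of band; this only checks that the statement binds the artifact, builder and
source you expect. Everything named below is constructed, not OrbitalReg's.
"""
import hashlib
import json
import re

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a pinned commit is a full SHA, never a tag

# Constructed sample artifact; a real check hashes the downloaded file.
ARTIFACT_BYTES = b"orbitalreg-1.4.2-linux-amd64.tar.gz (constructed sample payload)\n"

# Constructed statement in the layout cosign writes for SLSA v1 attestations.
PROVENANCE_JSON = json.dumps({
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": "orbitalreg-1.4.2-linux-amd64.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.invalid/build/v1",  # hypothetical
            "resolvedDependencies": [{
                "uri": "git+https://git.example.invalid/orbitalreg/orbitalreg",  # hypothetical
                "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"},
            }],
        },
        "runDetails": {
            "builder": {"id": "https://ci.example.invalid/runner/v1"},  # hypothetical
            "metadata": {"invocationId": "48213"},  # the CI run
        },
    },
})

# Hypothetical deploy policy: which builder identities and source repo you accept.
POLICY = {
    "trusted_builders": {"https://ci.example.invalid/runner/v1"},
    "expected_source": "git+https://git.example.invalid/orbitalreg/orbitalreg",
}


def check_binding(artifact: bytes, statement_json: str, policy: dict) -> tuple:
    """Fail closed: return (True, summary) only when every binding holds."""
    try:
        st = json.loads(statement_json)
    except ValueError as exc:
        return False, f"unparseable statement: {exc}"
    if st.get("_type") != IN_TOTO_STATEMENT_V1:
        return False, "not an in-toto v1 statement"
    if st.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, f"unexpected predicate type {st.get('predicateType')!r}"

    # 1. The bytes on disk must be a subject of this very statement.
    digest = hashlib.sha256(artifact).hexdigest()
    match = [s for s in st.get("subject", []) if s.get("digest", {}).get("sha256") == digest]
    if not match:
        return False, "artifact sha256 is not a subject of this provenance"

    # 2. The builder identity must be one you trust.
    pred = st.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        return False, f"untrusted builder {builder!r}"

    # 3. The source must be your repo, pinned to a full commit SHA.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri") == policy["expected_source"]]
    if not sources:
        return False, "expected source repository not among resolved dependencies"
    commit = sources[0].get("digest", {}).get("gitCommit", "")
    if not GIT_SHA_RE.match(commit):
        return False, f"source commit not pinned to a full SHA: {commit!r}"

    run = pred.get("runDetails", {}).get("metadata", {}).get("invocationId", "?")
    return True, (f"{match[0]['name']} sha256:{digest[:12]} built by {builder} "
                  f"from {commit[:12]} (run {run})")


if __name__ == "__main__":
    for payload in (ARTIFACT_BYTES, ARTIFACT_BYTES + b"tampered"):
        ok, why = check_binding(payload, PROVENANCE_JSON, POLICY)
        print("ALLOW" if ok else "BLOCK", why)
```

The check is ordered so that the cheapest, most common failure (wrong bytes) is reported first; the builder allow-list is what turns "signed by somebody" into "built by our pipeline", and the commit pin is what lets you go from a deployed binary back to the exact source in a SolarWinds-style investigation.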

02 — Security architecture

Defence in depth — without a separate security licence.

OrbitalReg's security features are part of the product, not an upcharge tier. The list below is what every install gets, day one.

Encryption

TLS 1.3 for all in-transit traffic. At-rest encryption is operator-controlled — OrbitalReg ships with documented recipes for LUKS-encrypted artifact volumes and Postgres volume encryption, including KMS-backed key management.

Authentication

SAML 2.0 / OIDC for the OrbitalReg core admin (Microsoft Entra ID, Okta, Keycloak verified). Token-based auth for the artifact API with scoped grants. Magic-link auth for the customer portal, so no passwords are stored. Every action is attributable to a principal.

Air-gap mode

First-class operational mode — flips egress to deny-all in one config line. Vendored CVE feeds, signed update bundles delivered out-of-band, no build-time assumption of internet access.

Audit log

Structured JSON, SIEM-ready out of the box (Loki, Splunk, Elastic recipes shipped). Every admin action, token issuance, and policy change carries actor, timestamp, and request ID for forensic reconstruction.
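Two things a SOC actually does with a log like that: pull every event behind one request ID to reconstruct what happened, and run a detection over the stream. The block below is an added example, not an OrbitalReg-shipped SIEM recipe. The sample lines and their field names (`ts`, `actor`, `action`, `request_id`, `scope`, `field`, `new`) are constructed; the page only commits to actor, timestamp and request ID being present, so map your real keys accordingly.

```python
"""Request reconstruction and a burst detection over structured audit-log lines.

Added example; the log lines and field names below are constructed, not
OrbitalReg's schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line, as a SIEM would ingest it.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:00:01Z","actor":"alice@example.invalid","action":"admin.login","request_id":"req-001","outcome":"success"}
{"ts":"2024-05-06T09:00:05Z","actor":"alice@example.invalid","action":"token.issue","request_id":"req-002","scope":"repo:prod:read","outcome":"success"}
{"ts":"2024-05-06T09:00:07Z","actor":"alice@example.invalid","action":"token.issue","request_id":"req-003","scope":"repo:prod:read","outcome":"success"}
{"ts":"2024-05-06T09:00:09Z","actor":"alice@example.invalid","action":"token.issue","request_id":"req-004","scope":"repo:prod:write","outcome":"success"}
{"ts":"2024-05-06T09:00:10Z","actor":"alice@example.invalid","action":"token.issue","request_id":"req-005","scope":"repo:prod:write","outcome":"success"}
{"ts":"2024-05-06T09:30:00Z","actor":"bob@example.invalid","action":"policy.change","request_id":"req-006","repo":"prod","field":"verify_on_pull","old":true,"new":false}
{"ts":"2024-05-06T09:30:00Z","actor":"bob@example.invalid","action":"policy.change.applied","request_id":"req-006","repo":"prod","outcome":"success"}
{"ts":"2024-05-06T10:15:00Z","actor":"carol@example.invalid","action":"token.issue","request_id":"req-007","scope":"repo:dev:read","outcome":"success"}
"""


def parse_events(text):
    """Parse JSON lines, attach a datetime, and order by time (then by line)."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_t"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["_line"] = n
        events.append(ev)
    return sorted(events, key=lambda e: (e["_t"], e["_line"]))


def reconstruct(events, request_id):
    """Everything that happened under one request ID, in order."""
    return [e for e in events if e.get("request_id") == request_id]


def token_issuance_bursts(events, window_s=60, threshold=3):
    """Actors who minted >= threshold tokens inside any window_s-second window."""
    by_actor = {}
    for e in events:
        if e.get("action") == "token.issue":
            by_actor.setdefault(e["actor"], []).append(e)
    window = timedelta(seconds=window_s)
    hits = []
    for actor, evs in by_actor.items():  # evs is already time-ordered
        for i, first in enumerate(evs):
            run = [x for x in evs[i:] if x["_t"] - first["_t"] <= window]
            if len(run) >= threshold:
                hits.append({"actor": actor, "count": len(run),
                             "start": first["ts"], "end": run[-1]["ts"],
                             "request_ids": [x["request_id"] for x in run]})
                break  # one alert per actor per run of the detection
    return hits


def verify_gate_disabled(events):
    """Policy changes that switched verify-on-pull off: always worth a ticket."""
    return [e for e in events if e.get("action") == "policy.change"
            and e.get("field") == "verify_on_pull" and e.get("new") is False]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in token_issuance_bursts(evs):
        print("BURST", hit["actor"], hit["count"], hit["request_ids"])
    for e in verify_gate_disabled(evs):
        print("GATE OFF", e["repo"], "by", e["actor"], "request", e["request_id"])
    for e in reconstruct(evs, "req-006"):
        print(e["ts"], e["action"])
```

The request-ID join is what the "forensic reconstruction" claim buys you: two events with the same timestamp and actor are unambiguous once they share `req-006`. The burst rule is deliberately simple (a sliding window, one alert per actor) so it can be ported to a Splunk or Loki query line for line.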

Verify-on-pull gates

Cryptographic signature verification before any artifact leaves the registry — CMS, OpenPGP, RSA, Sigstore. Pulls of unverified artifacts are blocked at the gate. Per-repo policy.

CVE detection

Trivy and Grype scan every artifact at upload and on demand. Results stay on customer hardware — no upstream phone-home. Auto-quarantine policy available for newly-discovered CVEs on artifacts already in the registry.
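What an auto-quarantine policy over those scan results reduces to, as an added example rather than OrbitalReg's own policy engine. The report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) is Trivy's JSON output; the two reports below are constructed around real, well-known CVEs, the image name and package versions are made up, and the thresholds are hypothetical. The "newly discovered" case from the paragraph is the diff between yesterday's and today's scan of the same artifact.

```python
"""Quarantine decision over Trivy JSON output, plus new-finding detection for
artifacts already in the registry. Added example; reports and policy are
constructed, not OrbitalReg's.
"""
import json

# Constructed: today's `trivy image --format json` report for an old Java image.
NEW_SCAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/prod/app:1.0",  # hypothetical
    "Results": [
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228",
             "PkgName": "org.apache.logging.log4j:log4j-core",
             "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
             "Severity": "CRITICAL"}]},
        {"Target": "app:1.0 (debian 11)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-0778", "PkgName": "openssl",
             "InstalledVersion": "1.1.1k-1", "FixedVersion": "1.1.1n-0+deb11u1",
             "Severity": "HIGH"}]},
    ],
})

# Constructed: the same image scanned before CVE-2021-44228 entered the feed.
OLD_SCAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.invalid/prod/app:1.0",
    "Results": [
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar"},  # no Vulnerabilities key when clean
        {"Target": "app:1.0 (debian 11)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-0778", "PkgName": "openssl",
             "InstalledVersion": "1.1.1k-1", "FixedVersion": "1.1.1n-0+deb11u1",
             "Severity": "HIGH"}]},
    ],
})

# Hypothetical per-registry policy: CRITICAL always quarantines; HIGH only when a
# fix exists (it is actionable); anything else is reported but left pullable.
POLICY = {"quarantine_severities": {"CRITICAL"},
          "quarantine_if_fix_available": {"HIGH"}}


def findings(report_json):
    """Flatten a Trivy report into one dict per (CVE, package) finding."""
    out = []
    for res in json.loads(report_json).get("Results", []):
        for v in res.get("Vulnerabilities") or []:  # key is absent on clean targets
            out.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "installed": v.get("InstalledVersion", ""),
                        "fixed": v.get("FixedVersion", ""),
                        "severity": v.get("Severity", "UNKNOWN").upper(),
                        "target": res.get("Target", "")})
    return out


def quarantine_decision(report_json, policy):
    """Return (quarantine?, reasons). Reasons are human-readable and sorted."""
    reasons = []
    for f in findings(report_json):
        fix = f" (fixed in {f['fixed']})" if f["fixed"] else " (no fix yet)"
        line = f"{f['id']} {f['severity']} in {f['pkg']} {f['installed']}{fix}"
        if f["severity"] in policy["quarantine_severities"]:
            reasons.append(line)
        elif f["severity"] in policy["quarantine_if_fix_available"] and f["fixed"]:
            reasons.append(line)
    return bool(reasons), sorted(reasons)


def new_findings(previous_json, current_json):
    """(CVE, package) pairs present today that were not in the previous scan."""
    prev = {(f["id"], f["pkg"]) for f in findings(previous_json)}
    return sorted({(f["id"], f["pkg"]) for f in findings(current_json)} - prev)


if __name__ == "__main__":
    q, why = quarantine_decision(NEW_SCAN, POLICY)
    print("QUARANTINE" if q else "ALLOW")
    for r in why:
        print("  -", r)
    print("new since last scan:", new_findings(OLD_SCAN, NEW_SCAN))
```

Two deliberate choices worth noting: an unrecognised `Severity` falls through to "report only", so the policy fails open for unknown severities, which you may want to invert for a production registry; and the diff is keyed on (CVE, package) rather than on the whole record, so a rescan that merely updates a `FixedVersion` string does not raise a new alert.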

03 — Supply-chain posture

Verifiable from upstream to deploy.

SolarWinds-grade questions about "how do we know the binary you shipped is the binary you built?" — answered with cryptography, not assertions.

Supply-chain case studies

Retrospective analyses of major incidents. Each one names the specific OrbitalReg feature that would have caught it — and the caveats where the defence stops short.

04 — Data protection & residency

Your data, in your jurisdiction.

OrbitalReg's product runs on your infrastructure — your hardware, your jurisdiction, your control. The OrbitalReg-operated services listed below are limited to what's strictly required to deliver licences and support.

Hosting jurisdiction

All OrbitalReg-operated services (customer portal, software distribution, magic-link mail) run in IONOS Frankfurt. EU-only, no third-country transfers, GDPR-aligned by infrastructure choice.

Sub-processors

Single sub-processor: IONOS Cloud (Frankfurt) for hosting + SMTP. No US cloud provider, no third-country routing. Full list in the DPA appendix.

Data minimisation

Customer-portal data limited to: email, optional display name, optional company, login timestamps, license-request use-case text. No artifact content, no usage telemetry, no metering.

Retention

Customer-portal records are deleted within 30 days of contract termination on written request. Audit logs of the OrbitalReg-operated services are retained 12 months for security forensics, then purged.

05 — Documents & contacts

Signing-ready, on request.

Document

Data Processing Agreement

GDPR Art. 28 DPA, ready to counter-sign. Sub-processor list, TOMs, breach-notification SLA.

Document

Privacy policy

Datenschutzerklärung (privacy statement). What we collect, why, how long, and your rights as a data subject.

Document

EULA

End-User License Agreement covering installed-software terms, warranties, and termination.

Procurement support

Need a security questionnaire filled, an architecture diagram, a custom DPA clause, or a pre-audit evidence pack?

Email info@orbitalreg.com with subject line Procurement review support — typical turnaround under 48 hours.