Security
Cloud Infrastructure
The Orbipay suite of applications is hosted within a Virtual Private Cloud (VPC) on Amazon Web Services (AWS). This setup offers a secure and scalable technology environment, ensuring we deliver services to you reliably and safely. We utilize multiple Availability Zones to achieve high availability.
Perimeter Security
We follow a Defense-in-Depth architecture that incorporates network firewalls, web application firewalls, advanced DDoS protection, and a content delivery network (CDN). This approach is aimed at maintaining high performance and availability by geographically distributing our services closer to end users.
Our infrastructure is built in alignment with the AWS Well-Architected Framework. We implement NIST 800-53 Risk Management Framework controls to support the creation of secure and resilient systems.
Our architectural approach is informed by best practices derived from multiple industry standards and certifications.
We enforce strict network segmentation and ensure isolation between environments and services.
Host Security
We deploy industry-leading solutions to address host-level security, including anti-virus, anti-malware, intrusion prevention systems (IPS), intrusion detection systems (IDS), Data Loss Prevention (DLP), file integrity monitoring (FIM), application control, centralized logging, and prioritized patch management.
Data Security
We maintain environment separation and enforce segregation of duties. Role-Based Access Control (RBAC) is implemented rigorously, based on documented and approved need-to-access criteria. Key management services are used to restrict data access according to job responsibilities.
Data at rest and during transit is encrypted, and sensitive information is further secured using application-level encryption.
We use data replication for data resiliency, snapshotting for data durability, and backup/restore testing for data reliability and availability.
Incident and Change Management
Our organization has well-defined Change Management processes that enable the deployment of thoroughly tested features in a secure and reliable manner, ensuring a consistent product experience.
We maintain a proactive approach to Incident Management for both system outages and security events. Our Security Operations Center (SOC) and Information Security Management System (ISMS) are structured to respond, remediate, and escalate incidents effectively, whether arising from planned or unplanned changes.
Vulnerability Assessment and Penetration Testing
Our internal Security Operations team conducts ongoing Vulnerability Assessment and Penetration Testing (VA/PT) using a combination of industry-standard tools and manual techniques. Both static and dynamic application security testing are integrated into our CI/CD pipeline. We also engage top-tier third-party vendors for periodic external assessments and audits.
Standards and Attestations
Alacriti has adopted the NIST Risk Management Framework to conduct organization-wide risk assessments, ensuring alignment with key NIST standards such as SP 800-30, SP 800-53, SP 800-88, among others. Our compliance posture is validated through independent third-party audits and attested certifications, including:
- PCI DSS v4.0.1 – The latest global security standard designed to protect payment card data.
- HIPAA/HITECH – Establishes national standards to safeguard sensitive health information through privacy, security, and breach notification requirements.
- SOC 1 Type 2 – Evaluates internal controls over financial reporting (ICFR) within a service organization.
- SOC 2 Type 2 – Assesses controls related to security, availability, processing integrity, confidentiality, and privacy of customer data.
These attestations are issued by qualified third-party auditors/CPA firms following comprehensive assessments. In addition, Alacriti provides self-attestations to demonstrate compliance with key operational and regulatory areas, including:
- NACHA – Governs the ACH Network with rules and standards for secure and efficient electronic payments in the U.S.
- RTP – A U.S. payment system enabling instant, 24/7 clearing and settlement between participating banks.
- FedLine – The Federal Reserve’s secure delivery channel for accessing services like Fedwire, ACH, and check processing.
- BCP/DRE/Pandemic Preparedness – Ensures business continuity and resilience through tested plans for disruptions, disasters, and health emergencies.
- ADA/WCAG – Accessibility standards ensuring that digital and physical environments are inclusive and usable by individuals with disabilities.
Responsible Disclosure
Alacriti is fully committed to safeguarding customer data and privacy. Security is embedded throughout our product lifecycle, driven by a security-first mindset to ensure adherence to the highest security standards.
Our overall security design is robust enough to defend against both basic and advanced attack vectors.
If you are a security researcher or enthusiast and have identified a potential vulnerability in any Orbipay product, we welcome responsible disclosure. Please report the issue to us at security@alacriti.com with detailed reproduction steps.
We are committed to investigating and addressing valid reports within a reasonable timeframe, and we request that findings not be publicly disclosed until they are resolved.