Security

Cloud Infrastructure

The Orbipay suite of applications is hosted in a Virtual Private Cloud on Amazon Web Services. This provides a secure and scalable technology platform that allows us to deliver services to you securely and reliably. We deploy across multiple Availability Zones for high availability.

Perimeter Security

We have deployed a defence-in-depth architecture using a network firewall, a web application firewall, managed DDoS protection, and a content delivery network, with the goal of providing high availability and performance by distributing the service geographically, close to end users.

Our infrastructure is launched in compliance with the AWS Well-Architected Framework. We have adopted NIST 800-53 Risk Management Framework controls that support the development of secure and resilient systems.

Our architecture incorporates best practices from various standards and certifications.

We have strict network segmentation and isolation of environments and services in place.

Host Security

We use industry-leading solutions for anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, application control, application and audit log aggregation, and prioritized patching.

Data Security

We employ separation of environments and segregation of duties, and enforce strict role-based access control (RBAC) on a documented, authorized, need-to-use basis. We use key management services to limit access to data based on job function.

Stored data is protected by encryption at rest, and sensitive data is additionally protected by application-level encryption.

We use data replication for data resiliency, snapshotting for data durability, and backup/restore testing for data reliability and availability.

Incident and change management

We have deployed mature Change Management processes that enable us to release thoroughly tested features reliably and securely, so that you can enjoy the product experience with maximum assurance.

We take a very aggressive stance on Incident Management, covering both system downtime and security. We have a Security Operations Center and an Information Security Management System in place that quickly react to, remediate, or escalate any incidents arising from planned or unplanned changes.

Vulnerability Assessment and Penetration Testing

We have an in-house network security team that uses industry-leading products to conduct manual and automated VA/PT activities. We employ both static application security testing (SAST) and dynamic application security testing (DAST), incorporated into our continuous integration / continuous deployment pipeline. We also engage industry-leading third-party vendors to perform periodic external security assessments and audits.

Standards and Attestations

We are a PCI DSS v3.2.1 attested company, which means we have implemented the applicable industry-standard security controls governed by the PCI Security Standards Council, helping us protect all our customers’ card data in a highly secure environment. These security controls are audited by Qualified Security Assessors (QSAs) that have been qualified by the PCI Security Standards Council to validate adherence to PCI DSS.

Responsible Disclosure

Alacriti is committed to our customers' data security and privacy. We build security into multiple stages of our products with a security-first mindset to ensure our systems maintain the strongest security standards.

The overall data security and privacy design allows us to defend our systems against everything from low-hanging issues to sophisticated attacks.

If you are a security enthusiast or a researcher and you have found a possible security vulnerability in the Orbipay suite of products, we encourage you to report the issue to us as soon as possible.

You can submit a bug report to us at security.grc@alacriti.com with the detailed steps required to reproduce the vulnerability.

We are committed to investigating and fixing legitimate issues within a reasonable time frame; in the meantime, we request that you not publicly disclose the issue.