Keeping our customers’ data protected at all times is our highest priority. This page gives a high-level overview of the security practices we have put in place to achieve that objective. Have questions or feedback? Feel free to reach out through your sales rep or account manager.
Security & Compliance
Overview
Dedicated Security Team
Our security team comprises both senior leadership and developers, all dedicated to improving the security of our organisation. The team has been trained in security through real-world experience, courses and formal training. Our employees are trained in security incident response and are on call 24/7.
Infrastructure
All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers or physical servers. Our service is built on Amazon Web Services, Google Cloud Platform and Microsoft Azure. They provide strong security measures to protect our infrastructure and hold the major industry certifications. You can read more about their practices here:
If you would like to understand more about our infrastructure, you can view a system architecture diagram here.
We carry out regular audits, in line with the company audit plan, of all of our sub-processors. If you would like to review the list, you can see it here: View List
On-site Security
The above cloud providers’ on-site security includes security guards, fencing, security camera feeds, intrusion detection technology and other physical controls. Learn more about AWS physical security and controls
Orlo’s offices require card access, which is logged; the building requires a separate pass and is staffed 24 hours a day. No platform data is stored on site.
Data hosting
We host all of our data in UK and EU data zones to comply with GDPR. If you would like to read more about data privacy and protection, please see our Privacy and Data Protection resource.
Network level security monitoring and protection
Our network security architecture consists of multiple security zones. We monitor and protect our network against unauthorised access using:
- A virtual private cloud (VPC), a bastion host and no public IP addresses on application servers.
- A firewall that monitors and controls incoming and outgoing network traffic.
- Intrusion detection and prevention (IDS/IPS) technology that monitors for and blocks potentially malicious packets.
- IP address filtering
- Port scanners that monitor open ports and alert on changes
- Nagios monitoring of our servers, alerting us to any unexpected changes or anomalies
DDoS protection
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution. You can read more about the provider and its security here:
Data encryption
Encryption in transit: All data sent to, from or between our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).
All our static assets, such as HTML and CSS, are served over TLS 1.2+ and are rated “A” by Qualys SSL Labs; you can see the report here: https://goo.gl/36EK48.
When using our web or mobile application, all data is encrypted in transit to and from our servers (TLS 1.2+), which is graded “A” by Qualys SSL Labs; you can see the report here: https://goo.gl/ZujYmH
All data is encrypted at rest using the corresponding cloud platform’s block device (volume) encryption.
Password storage: passwords are never stored in plain text or in a reversible (encrypted) form. They are stored as salted hashes produced by an industry-standard, deliberately slow password hashing algorithm (currently bcrypt).
Data retention and removal
We retain your data for as long as you have an active contract with us after which we will delete all your data. Your data will be removed from our various backups 4 weeks after deletion.
If you would like to read more about data privacy and protection please see our resource here
Admins can request the removal of usage data by contacting support@orlo.tech Read more about our privacy settings at orlo.tech/privacy-policy/.
Business continuity and disaster recovery
Uptime
Orlo maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events. We also monitor all our upstream providers which can be found here as well.
Backups
We back up all our critical assets to separate servers using encryption in transit.
We manually document and audit the backups weekly through our audit plan to ensure they are valid and working, and annually perform a full restore of our entire system from backups to guarantee a fast recovery in the unlikely event of a disaster.
Disaster Recovery
Orlo holds and regularly reviews a business continuity policy and disaster recovery plan to ensure minimal disruption for our customers in the unlikely event of a disaster. The plan is fully tested yearly and updated whenever the infrastructure changes. As part of our audit plan we also review upcoming changes to all social networks, so that our customers are not left behind or without service when a network changes.
Redundancy
Orlo as a company is ISO 22301 certified. From an infrastructure perspective, Orlo maintains highly available databases where possible, meaning that if a server goes offline our service continues without interruption or data loss. Where we are not able to put highly available databases in place, we keep hot standby replicas ready to take over in the unlikely event of server failure. All our networks are highly available (provided by the cloud providers) and our API servers auto-scale.
Application security monitoring
- We use technologies to monitor exceptions, logs and detect anomalies in our applications.
- We collect and store logs to provide an audit trail of our applications activity.
- Our audit plan covers security checks
- Our servers automatically run, and keep updated, antivirus scanners
We have procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offering.
Application security protection
- We do not deploy or install any applications on your systems. Orlo runs entirely in the browser and supports Internet Explorer 11+, Chrome and Firefox
- We use security headers to protect our users from attacks. You can check our grade on this security scanner.
- We use security automation capabilities that automatically detect and respond to threats targeting our apps and check vulnerabilities in our dependencies.
Application data separation
At Orlo, customer data is logically separated within shared databases rather than held in a separate database per customer, because traditional per-tenant databases and techniques do not allow for the level of failover, live replication and, most importantly, the scale of data involved in social media and digital messages. We have taken serious steps from the very start to ensure that no customer’s data can leak to another. We use automated testing of our code to verify every change before it is released, and a core permissions system, written from day one and well tested, governs all data access. Any updates to that system go through additional scrutiny (such as code reviews) to ensure correctness. Our code is also tested by our internal testing team, which looks for possible breaches. Furthermore, once a year, external CREST-accredited penetration testers evaluate every endpoint on our servers and look for vulnerabilities (results can be seen here 2022, 2021, 2020, 2019).
To date, we have had no occurrences of data leaking between customers. However, we are well practised and have both policies and procedures in place to ensure that we can react appropriately and quickly if the problem were to arise.
Secure development
We use the following best practices to ensure the highest level of security in our software:
- Developers participate in regular security training to learn about common vulnerabilities and threats
- All code is committed and tracked to individuals
- We do not use live data for testing or on local development environments
- We review our code for security vulnerabilities and validate all inputs to maintain integrity of data
- We regularly update our dependencies and make sure none of them has known vulnerabilities automatically through every deployment
- We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase automatically in every deployment
- We rely on yearly penetration tests of our applications by third-party, CREST-accredited security experts. Critical and high risks found are fixed immediately; medium and low risks are scheduled into the roadmap according to severity. You can view our penetration test results by downloading the reports (results can be seen here 2022, 2021, 2020, 2019)
Responsible disclosure
Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.
You can report vulnerabilities by contacting support@orlo.tech. Please include a proof of concept. We will respond as quickly as possible to your submission.
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user’s machine
User protection and product security features
2-factor authentication
We provide a 2-factor authentication mechanism, minimum password complexity requirements and SSO to protect our users from account takeover attacks. Enabling 2-factor authentication is optional but highly recommended to increase the security of sensitive data.
Account takeover protection
We protect our users against account compromise by monitoring for and blocking brute force login attempts. You also have the ability to remotely log out any session if a device has gone missing or is otherwise no longer trusted.
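Blocking brute force attempts means counting failed logins over a time window and locking the target once a threshold is crossed. A practical detail is to count per account and per source IP separately, so that a password-spraying attacker who tries one password against many accounts from one IP is still caught. The following is an added example, not Orlo’s implementation; the thresholds, window and lockout duration are assumed values, and the clock is injectable so the logic can be tested without waiting.

```python
import time
from collections import defaultdict, deque

# Assumed policy values; the page states no specific thresholds.
MAX_FAILURES = 5        # failures within the window before a lockout
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key stays blocked


class LoginThrottle:
    """Track failed logins per account and per source IP; block when either exceeds policy."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time at which the lock expires

    @staticmethod
    def _keys(username, ip):
        # Usernames are case-folded so "Alice" and "alice" share one counter.
        return (f"user:{username.lower()}", f"ip:{ip}")

    def _prune(self, key, now):
        """Drop failures older than the window so the count is a sliding window."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, username, ip):
        """Call before checking the password; a blocked login is rejected without
        touching the password hash, which also removes the hashing cost from the attacker's loop."""
        now = self.clock()
        for key in self._keys(username, ip):
            until = self.locked_until.get(key)
            if until is not None and now < until:
                return True
        return False

    def record_failure(self, username, ip):
        """Record a failed attempt against both the account and the source IP."""
        now = self.clock()
        for key in self._keys(username, ip):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, username, ip):
        """Reset only the account counter. The IP counter is kept on purpose: one
        success during a spray across many accounts should not clear the IP's history."""
        self.failures.pop(f"user:{username.lower()}", None)


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    for _ in range(3):
        throttle.record_failure("alice", "203.0.113.9")   # constructed sample source IP
    print("alice blocked:", throttle.is_blocked("alice", "203.0.113.9"))
    print("bob from same IP blocked:", throttle.is_blocked("bob", "203.0.113.9"))
```

In production the counters would live in a shared store such as Redis rather than in process memory, so that every API server sees the same state, and lockouts would also be logged for the security team to review.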
Single sign-on
SAML single sign-on (SSO) is offered to our enterprise customers. Single sign-on using your Google account is also available.
Role-based access control
Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions. You can read more about this in our documentation here: Support Portal
Compliance
ISO 27001/22301

ICO Registration
Orlo is registered on the data protection public register with the ICO under reference number #ZA181887 as SocialSignIn Ltd. You can download our latest certificate here: ICO Certificate
Cyber Essentials Plus
We are Cyber Essentials Plus accredited, you can download our current certificate from here: Cyber Essentials Plus Certificate
Cyber Essentials
We are Cyber Essentials accredited, you can download our current certificate from here: Cyber Essentials Certificate
PCI Compliance
We do not process any payment information, so PCI DSS does not apply to our platform.
GDPR
We are compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the personal information of EU citizens and give them more control over their personal data. Please see our privacy policy for more information.
We engage with privacy by design and work closely with the social networks and legal teams to make sure that we’re doing our utmost to make sure that we do not unfairly use data collected and that it is used only for the purpose of providing you (the customer) our service. You can find out more from our Privacy and Data Protection Page.
Employee access
- Our strict internal procedure prevents employees or administrators without a business need from gaining access to your data.
- All employees with access to live/private data have been vetted to the Non-Police Personnel Vetting Level 2 (NPPV Level 2) standard, which goes beyond a DBS check. DBS checks only require information about the applicant, whereas NPPV checks also require information about family, friends and acquaintances.
- All our employees have Non-Disclosure and Confidentiality Agreements in their contract to protect our customers’ sensitive information.
- All employees in the company carry out security and data classification training.
- We also maintain good on boarding and off boarding practices as well as a set of policies shared across the company. A policy map can be seen here: Policy Map
Secure as standard
Over 300 customers, including two-thirds of UK policing, over 100 local authorities and many central government bodies, trust Orlo to keep their data safe, and it is one of our top priorities. Find out all about the processes we have in place to keep everything under lock and key.
Think we might be the one you want?
Discover the world of Orlo from your desk with a 30-minute platform demo tailored to you!