Security at SafeOrbit360

We handle sensitive personal data — location, calls, messages. That responsibility shapes every engineering decision we make. Here is exactly how we protect your data.

Four Security Pillars

Encryption at Rest & in Transit

  • AES-256 encryption for all stored data
  • TLS 1.3 for all API and dashboard connections
  • End-to-end encrypted data pipelines
  • Database-level encryption with per-tenant key isolation

Access Control & Authentication

  • Multi-factor authentication (MFA) available for all accounts
  • JWT-based session tokens with 24-hour expiry
  • Role-based access control (RBAC) for enterprise accounts
  • All admin access logged with timestamp, IP, and action

Infrastructure & Hosting

  • Hosted on ISO 27001-certified data centers (EU + India)
  • Daily automated backups with 30-day retention
  • Geographic redundancy — primary EU, replica India
  • Cloudflare DDoS protection and WAF on all endpoints

Vulnerability Management

  • Quarterly third-party penetration testing
  • Automated dependency vulnerability scanning (Dependabot)
  • Responsible disclosure program at security@safeorbit360.com
  • Security patches deployed within 24 hours of CVE disclosure

Compliance & Certifications

TLS 1.3

Active

AES-256

Active

SOC 2 Type I

Certified — June 2025

GDPR

Compliant

CCPA

Compliant

ISO 27001 (DC)

Data center certified

Agent APK Security

APK Code Signing

Every release APK is signed with our private key. The device verifies the signature before installation. Tampered APKs are rejected.

Obfuscation & Anti-Tampering

Agent code is obfuscated using R8 and ProGuard. The agent detects if it has been modified and stops transmitting data.

Root Detection

The agent detects rooted devices and alerts the admin dashboard. Data collection on rooted devices can be disabled per policy.

Certificate Pinning

The agent only communicates with SafeOrbit360 servers by pinning our TLS certificate. Man-in-the-middle attacks are blocked.

EMM System-Level Protection

Installed as a Device Policy Controller (DPC) — the agent cannot be uninstalled via standard Settings without admin authorization.

Minimal Data Footprint

The agent only collects what is enabled by the admin. SMS monitoring, call recording, and microphone access are off by default.

Security Changelog

March 2026

Quarterly penetration test completed — 0 critical findings.

January 2026

SOC 2 Type II audit initiated. Expected completion Q3 2026.

November 2025

Cloudflare Zero Trust rolled out to all internal systems.

August 2025

Upgraded all API endpoints to TLS 1.3 exclusively.

June 2025

SOC 2 Type I certification achieved.

March 2025

Per-tenant database encryption keys implemented.

Found a Vulnerability?

We operate a responsible disclosure program. If you discover a security issue, please email us before public disclosure. We commit to acknowledging within 24 hours and resolving critical findings within 72 hours.

security@safeorbit360.com

We do not pursue legal action against good-faith security researchers.