Security Statement.
Montford Orbis Limited, publisher of CalBrix OS, implements a defense-in-depth program of technical and organisational measures designed to protect the confidentiality, integrity, and availability of the Service and of Customer data processed through it. This statement summarises the principal controls.
01. Scope and governance
This Security Statement applies to the CalBrix OS Service, the infrastructure on which it runs, and the administrative systems used by Montford Orbis to operate the Service. It does not describe controls implemented by Customers within their own workspace, which remain the Customer’s responsibility.
Security is managed by the founding engineer in the capacity of technical and security lead. Policies, procedures, and controls are documented internally and reviewed at least annually or upon material change. Customers on enterprise plans may request the long-form security whitepaper and the most recent independent penetration-test attestation letter under a mutually acceptable non-disclosure agreement.
02. Encryption
- In transit — all external endpoints are served over TLS 1.2 or higher, with HTTP Strict Transport Security (HSTS) set to a two-year maximum age and includeSubDomains. Only modern cipher suites are permitted. Internal service-to-service traffic is scoped to localhost or a private network and is never exposed to the public internet.
- At rest — database storage volumes are encrypted at the disk level. Encrypted off-host backups use AES-256 with symmetric keys stored separately from the backup artefacts.
- Secrets — environment-level secrets are scoped to the process requiring them, never committed to source control, and rotated on a documented schedule. Payment-processor, error-monitoring, and email-delivery credentials are compartmentalised.
03. Authentication and access control
- User authentication uses short-lived access tokens and rotating refresh tokens. Passwords are hashed with bcrypt and a per-user salt.
- Role-based access control (RBAC) governs every sensitive action within the Service. Administrative operations require elevated roles; a documented and auditable break-glass procedure is in place for emergency access.
- Privileged infrastructure access is limited to a named operator list, key-based only (no password SSH), and backed by multi-factor authentication at the identity-provider layer.
- Customer administrators are responsible for provisioning and de-provisioning Users within their own workspace in a timely manner.
04. Network and application hardening
- Host firewalls restrict inbound traffic to the minimum set of required ports. Application services bind to localhost and are reached only through a hardened reverse proxy.
- A Web Application Firewall running the OWASP Core Rule Set is active at the edge.
- Abuse protection includes community threat-intelligence feeds with a firewall bouncer, fail2ban jails on SSH and authentication endpoints, and application-layer rate limits on sensitive API routes.
- Multi-tenant separation is enforced at the workspace layer. Single-tenant deployment is available as a contractual option for Customers with strict isolation requirements.
05. Secure development and change management
- Source code is maintained in a version-controlled repository with protected branches, mandatory review, and signed commit history.
- Continuous-integration pipelines enforce secret scanning, static analysis, dependency and filesystem vulnerability scanning, and automated test suites.
- Deployments are produced from immutable build artefacts and are traceable from commit to production environment.
- Material changes to data schemas, access controls, or security-critical components are reviewed before merge.
06. Vulnerability management
- Operating-system and platform updates are applied on an automated schedule, with expedited application of critical security patches out of cycle.
- Dependency vulnerabilities are reviewed on an ongoing basis; critical advisories are triaged, and remediation or mitigations are tracked to closure.
- Independent penetration testing is performed on a defined cadence; remediation plans are produced for findings rated medium severity or higher, and attestation letters are made available to enterprise Customers on request.
07. Logging, monitoring, and incident response
- Application logs, access logs, WAF audit logs, and system logs are centralised, rotated, and retained consistent with operational and legal requirements.
- Alerting covers service availability, error-rate anomalies, authentication anomalies, unusual privileged activity, and capacity thresholds.
- Incident response follows a documented runbook with severity classifications, communication timelines, and post-incident review. Personal Data Breach notifications are provided in accordance with the Data Processing Agreement.
08. Backups and recovery
- Encrypted database backups are produced at least daily using symmetric AES-256 encryption with keys stored separately from the backup artefacts.
- Backup integrity is verified by periodic test restoration into an isolated environment.
- Recovery Point Objective (RPO) is no greater than twenty-four (24) hours, and Recovery Time Objective (RTO) is no greater than four (4) hours, on the standard plan. Stricter objectives are available under contractual arrangement.
- Offsite copies are supported via provider-agnostic object storage in an approved region.
09. Business continuity
Montford Orbis maintains continuity procedures covering infrastructure failure, personnel unavailability, and supplier disruption. Continuity arrangements are reviewed periodically and exercised where feasible. A summary can be made available to enterprise Customers under confidentiality.
10. Personnel and third parties
- Personnel with access to production systems or Customer Data are bound by written confidentiality obligations and are trained on the security and privacy policies applicable to their role.
- Third-party suppliers (including sub-processors) are engaged only where necessary, under written agreements imposing equivalent security and confidentiality obligations, and are reviewed for security posture.
11. Vulnerability disclosure
If you believe you have identified a security vulnerability affecting CalBrix OS, please report it by email to philip.montford@calbrixos.com with sufficient detail to reproduce the issue. We ask researchers to (a) refrain from accessing data belonging to other parties, (b) avoid degrading the availability of the Service, and (c) allow a reasonable period for remediation before public disclosure. We aim to acknowledge reports within two (2) business days and to provide a remediation timeline within five (5) business days. Good-faith security research conducted in accordance with this policy will not be subject to legal action by Montford Orbis.
12. Customer responsibilities
- Promptly provisioning and de-provisioning User access within the workspace;
- Selecting appropriate roles and permissions for Users;
- Safeguarding User credentials and, where available, enabling multi-factor authentication;
- Configuring integrations and API keys in accordance with the principle of least privilege;
- Reviewing audit logs within the workspace consistent with the Customer’s quality and compliance programs;
- Notifying Montford Orbis of any suspected compromise or misuse of the Service.
13. Updates to this Statement
This Security Statement is reviewed periodically and updated to reflect material changes in our controls. The effective date above will be updated accordingly. This Statement is provided for information and does not constitute a warranty. Montford Orbis’s contractual obligations with respect to security are set out in the Terms of Service and the Data Processing Agreement.
Questions about this document?
This page is published by Montford Orbis Limited in connection with the CalBrix OS service. For clarifications, long-form versions required for procurement or audit review, or to request a signed copy, write to the founder directly.