Trust & Security

Built for the most demanding security requirements

CODA applies security-first principles across every product — from managed commercial services to fully air-gapped sovereign deployments. Every architecture decision prioritizes zero trust, auditability, and defense in depth.

Compliance & Certifications

CODA meets the authorization requirements for the most demanding government programs. Documentation is available through the Orbis Trust Center.

FedRAMP Moderate

Authorized

CODA cloud components operate under FedRAMP Moderate authorization, meeting the security controls required for federal agency adoption.

Impact Level 4 (IL4)

IL4 Ready

Architecture and controls meet DoD IL4 requirements for Controlled Unclassified Information (CUI), enabling deployment across defense networks.

ISO 27001

Certified

Information security management systems certified to ISO/IEC 27001:2022, demonstrating systematic controls across people, processes, and technology.

SOC 2 Type II

Audited

Annual third-party audit confirms ongoing operational controls for security, availability, and confidentiality across the CODA platform.

FIPS 140-2 Encryption

Validated

All cryptographic operations use FIPS 140-2 validated modules. Data at rest and in transit is protected using approved algorithms throughout the stack.

Defense Base Act Coverage

Active

Orbis personnel operating in overseas and high-risk environments maintain full Defense Base Act insurance coverage as required for US Government contractors.

Architecture Principles

Security is not layered on after the fact. These principles are load-bearing assumptions in every CODA design decision.

Zero Trust by Default

Every request — whether from a human operator, a service, or a partner organization — is authenticated, authorized, and audited. No implicit trust is granted based on network location or prior session state. Least-privilege access is enforced at the data layer, not just the perimeter.

Cryptographic Sovereignty

Customers hold their own encryption keys. Orbis never has access to key material, and keys never leave customer-controlled infrastructure. Catalyst's data fabric enforces cryptographic access controls that make policy violations technically impossible, not merely procedurally prohibited.

Air-Gap Compatible (Catalyst)

Catalyst is designed from the ground up to operate without internet connectivity. The full Catalyst deployment — including data federation and the service mesh — runs in fully disconnected environments with no phone-home requirement and no cloud-resident data path. Discovery and Pulse are managed commercial services and do not offer air-gapped deployments.

Audit Everything

Every data access, policy decision, and administrative action is immutably logged. Audit logs are tamper-evident, exportable to SIEM platforms, and retained according to customer policy. Security teams have full visibility into who accessed what data, when, and why — in real time and historically.

Data protection across every deployment model

Orbis applies strict data protection principles across all CODA products — but the implementation reflects each product's deployment model.

Catalyst deploys entirely within customer-controlled infrastructure. Your data never leaves your environment, no telemetry is sent to Orbis, and there are no outbound data paths. For air-gapped deployments, the installer is fully self-contained — no internet access is required after delivery, including for updates and license validation.

Discovery and Pulse are managed commercial services operated by Orbis on your behalf. Customer data is never used for model training, never shared across customers, and is protected under contractual data handling commitments. Query privacy is enforced at the application layer — your investigations remain yours.

Customer data training: Never
Cross-customer data access: None
Telemetry: None
Key custody (Catalyst): Customer only
Air-gap support: Catalyst

Documentation

Access the Trust Center

Security questionnaires, audit reports, penetration test summaries, and detailed architecture documentation are available through the Orbis Trust Center. NDA-protected materials are available to qualified program offices upon request.