Last updated: March 29, 2026
Security is a core part of how Orchid is built, not an afterthought. Here is how we protect your data and your clients' data.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. API keys and secrets are stored as environment variables, never in code.
Every database table enforces Row Level Security via Supabase. You can only ever read or write data that belongs to your account — even if someone guesses a record ID.
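As an added illustration of the per-account isolation described above (example policy, not Orchid's own schema or code), this is how a Supabase/Postgres table is locked down so that a guessed record ID yields nothing unless the row belongs to the caller. The table name `invoices` and its `owner_id` column are assumptions for the example.

```sql
-- Assumed table: every row records which account owns it.
-- (Hypothetical schema for illustration; not Orchid's actual table.)
create table if not exists public.invoices (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id),
  amount    numeric(12, 2) not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. Without a policy, an RLS-enabled table returns no rows
--    to ordinary roles, so forgetting a policy fails closed, not open.
alter table public.invoices enable row level security;
-- FORCE applies the policies even to the table owner, so a misconfigured
-- connection cannot silently bypass them.
alter table public.invoices force row level security;

-- 2. Read: a signed-in user sees only rows whose owner_id matches the
--    subject of their JWT (auth.uid() reads it from the request context).
create policy "owners read own invoices"
  on public.invoices for select
  to authenticated
  using (owner_id = auth.uid());

-- 3. Write: USING filters the rows a user may touch; WITH CHECK rejects
--    any new or modified row that would belong to someone else.
create policy "owners insert own invoices"
  on public.invoices for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owners update own invoices"
  on public.invoices for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owners delete own invoices"
  on public.invoices for delete
  to authenticated
  using (owner_id = auth.uid());

-- 4. Check: impersonate a user inside a transaction and confirm that
--    selecting someone else's invoice by ID returns zero rows.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                    true);
  select count(*) from public.invoices
   where id = '11111111-1111-1111-1111-111111111111';  -- someone else's ID
rollback;
```

The `service_role` key bypasses RLS by design, so it must stay server-side; the policies above protect only requests made with the `anon` or user JWT.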
Authentication is handled by Supabase Auth with bcrypt-hashed passwords, secure session tokens, and automatic token rotation. We never store plaintext passwords.
All key actions (invoice creation, payment processing, settings changes) are written to an immutable audit log with timestamps and IP addresses.
API endpoints are rate-limited to prevent abuse. AI endpoints allow 20 requests/minute per user. Payment endpoints allow 10 requests/minute.
All API inputs are validated with Zod schemas. Outputs are sanitised before storage. SQL injection and XSS are prevented at the framework level.
Orchid sets the following HTTP security headers on all responses:
If you discover a security vulnerability, please disclose it responsibly by emailing bernard@vgoshinfo.com. We will acknowledge receipt within 24 hours and work to resolve confirmed issues promptly.