Trust

Security & Transparency

We built Sovereign Orbital for operators who take sovereignty seriously. Your data gets the same treatment as your orbit.

Your Data, Your Orbit

We are a pre-launch company collecting intent from serious operators. We are not an ad platform, a data broker, or a surveillance product. We collect the minimum required to run this platform, protect it with cryptographic controls, and give you full control over your own data. This page explains exactly how.

How Your Account Is Protected

🔐

PBKDF2-SHA512 Password Hashing

100,000 iterations with a random salt per user. Your password is never stored in plaintext. We cannot recover it — only you can reset it.

🎫

JWT Sessions — 7-Day Expiry

Sessions are cryptographically signed with HMAC-SHA256. Tokens expire after 7 days. Signing out invalidates your session immediately.

🔑

Optional TOTP Two-Factor Authentication

Enable 2FA from your account page using any authenticator app (Google Authenticator, Authy, 1Password, etc.). RFC 6238 compliant, zero external dependencies.

🔒

TLS Everywhere

All connections to sovereignorbital.org are encrypted in transit via TLS 1.2+. HTTP traffic is automatically redirected to HTTPS.

Data Isolation

Each account sees only its own data. There is no shared state between users.

API routes validate your session on every request. Pre-orders, subscriptions, and account details are scoped to your email and user ID. No cross-account queries are possible through normal platform access.

Sessions are cryptographically signed — a tampered or forged session token is rejected at the server.

What We Collect and Why

Data	Reason	Retention
Name	Order fulfillment	Until deletion request
Email	Account + communications	Until deletion request
Country	Launch planning	Mission fulfillment period
IP / logs	Security / debugging	30 days (Vercel infra)

What We Never Do

✗Sell your data to anyone

✗Run advertising or ad tracking

✗Share data with third parties without consent

✗Store payment information (none collected yet)

✗Use behavioral profiling or retargeting

✗Log your passwords (only hashes stored)

Cookies

We use exactly one cookie:

so_session

Purpose: Authentication only

Expiry: 7 days

Flags: httpOnly · Secure · SameSite=Lax

No tracking. No analytics. No advertising.

Your Controls

You are in control of your data at all times:

Delete your account
Email hello@sovereignorbital.org
Export your data
Email hello@sovereignorbital.org
Enable / disable 2FA
Account page → Security section
Cancel your intent
Account page or email us
Correct your information
Email hello@sovereignorbital.org

Infrastructure

Vercel

Web hosting & CDN

Edge CDN with automatic TLS. All traffic served over HTTPS. DDoS mitigation built in.

Turso (ChiselStrike)

SQLite database

Encrypted at rest. Replicated for reliability. Data stored in the United States.

Resend

Transactional email

Used only to send order confirmation and account emails. No marketing emails without explicit opt-in.

Responsible Disclosure

Found a security vulnerability? We want to hear from you.

Email engineering@sovereignorbital.org with a description of the issue. We respond within 48 hours. We ask that you give us reasonable time to investigate and patch before public disclosure.

We do not currently offer a bug bounty program, but we will acknowledge your contribution.

Compliance

GDPREuropean Union General Data Protection Regulation

CCPACalifornia Consumer Privacy Act

See our Privacy Policy for full details on rights and data handling.