Security built in, not bolted on.

Two-factor authentication, role-based team access, an audit log you can actually search, and tokenised payments. No add-ons, no plugins, no extra bill at the end.

Accounts & access

Who gets in, and what they can touch.

Two-factor

Two-factor authentication

Turn on 2FA with any TOTP authenticator app — Google Authenticator, 1Password, Authy — plus ten one-time backup codes to keep somewhere safe. Platform admins are required to have it on; your staff can opt in per account.

Permissions

Role-based team access

Invite staff with scoped permissions — view-only, edit, or full admin — down to specific parts of the store. Invitations expire on a timer, so a forgotten email isn't a back door. Remove access in one click when someone leaves.

Audit log

Audit trail, not a black box

Every change in the dashboard is logged with the user, the action, and when — searchable per store. See who changed the price, who refunded the order, who invited the new staff member.

Lockout

Locked out after too many tries

After a handful of failed logins from the same browser, the next sign-in attempt is gated behind a password reset. Stops automated guessing without locking the whole account — other devices keep working.

Data protection

Encrypted at rest, encrypted in transit.

Your data is protected at every layer — from the hash in the database to the TLS on the wire. Here’s where it matters.

Passwords hashed with bcrypt

Staff and customer passwords are hashed with bcrypt before they hit the database. Even we can't read them — a password reset is the only way back in.

Secrets encrypted at rest

TOTP secrets and other sensitive credentials are encrypted with AES-256-GCM before they are stored. A database snapshot on its own is not enough to impersonate a user.

HTTPS on every storefront

Every storefront gets TLS with certificates renewed automatically — subdomain or custom domain, same treatment. No expiry scares, no cron jobs to forget, no plugin to update.

Payments & compliance

The boring-but-important stuff, handled.

Payments never touch your server

Card details are tokenised by our payment processor at the point of checkout — your store database never holds the raw number, and neither do we. The processor carries PCI-DSS Level 1, the top certification for handling card data, which means your store qualifies for SAQ-A — the lightest-touch PCI requirement there is.

GDPR tools built in

Export the data you hold on a customer (Article 15), anonymise it, or delete it (Article 17) — from the customer's profile in the dashboard. Every email sent from the platform is logged against the account for the same reason.

Part of the deal

Security is never an add-on, at any tier.

Shopify keeps advanced security behind Plus. WooCommerce leaves you to bolt it on yourself with plugins. Everything on this page — 2FA, audit log, encryption at rest, tokenised payments, GDPR tools — is in every Orbit plan, including the one you start on.

Security questions, answered.

The honest answers — what we do today, what's on the roadmap, and where to reach us if you find something.

Run a secure store from the very first order.

No credit card required. Setup takes minutes.
