This is the question professional teams ask before handing a file system their work. We answer it plainly: how Orbifs is built, where data lives, how access is controlled, and how files recover. Where something is standard, we say so. Where it’s still being finalised, we mark it — and don’t claim it as done.
Orbifs is preparing for launch. The items marked being finalised below are genuinely not yet locked, and we will not present them as complete until they are. This whitepaper is versioned and dated; each update is published.
Customer data is stored in European data centres in the Paris (France) region, on infrastructure operated by a European cloud provider.
| Property | Detail |
|---|---|
| Hosting region | Paris, France (EU) |
| Provider | A European cloud provider — named in our subprocessor list, on request |
| Resilience | Replicated across multiple data centres for durability |
| Recovery | Immutable, tamper-resistant version history |
| Data transfer | No data-transfer fees for customers |
Full residency, jurisdiction and subprocessor detail is in the Data Residency & Sovereignty Statement.
| Layer | Current position |
|---|---|
| At rest | Standard Encryption at rest is standard for all customer data. |
| In transit | being finalised Expected to use standard TLS for client–service connections; being verified before any firm claim. |
| Key management | being finalised Model for key custody and any customer-managed-key option not yet finalised. |
| Zero-knowledge | Not offered today; tracked as a possible future capability, not a current claim. |
We will not assert end-to-end or zero-knowledge encryption unless the design genuinely provides it. This section is expanded with protocol versions, cipher configuration and the key-management model once confirmed.
Access to projects runs through user accounts, roles and per-project permissions in the admin console. Users and administrators get the access their role needs — no more.
Versions are kept immutable and tamper-resistant through your plan’s retention window. You can restore prior versions and deleted files — the basis for recovering from mistakes and ransomware.
Archi Systems AS is established in Norway, within the EEA, and applies the GDPR. Hosting customer data in France (EU) involves no transfer of personal data outside the EEA.
A Data Processing Agreement is available for customers, alongside our privacy policy and technical & organisational measures (TOMs).
Kept short and shared in full on request. Billing data is handled separately from your project files, which never leave EU storage.
Built with EU security frameworks in mind, including raised expectations on backup, recovery and access control.
For the full picture of where data lives and who can touch it, read the Data Residency & Sovereignty Statement →
A non-negotiable principle: do not claim a certification before it exists. Here is what we’re pursuing, and in roughly what order.
| Target | What it signals | Status |
|---|---|---|
| ISO/IEC 27001 | Mature information-security management system — our intended anchor. | pursuing |
| SOC 2 (Type I → II) | Audited security controls over time; valued by larger and international customers. | pursuing |
| Cyber Essentials | Baseline cyber hygiene — a lighter, quicker early signal. | candidate |
| ENS / SecNumCloud-adjacent | Public-sector and French sovereign-cloud expectations, per target market. | candidate |
No certifications are claimed yet. A short, EU-based subprocessor list keeps our scope simple, and the policy set behind this page — incident response, backup/restore, data residency, GDPR — is in place or under legal review. We’ll publish each certification only once formally achieved.
Need our DPA, subprocessor list or a completed security questionnaire? We keep an answer bank ready. Request security documents →
Every pilot includes a restore test: we restore a prior version and a deleted file so you see recovery work on your own data before you commit.