
PCI DSS Compliance

If a prospect asks “Are you PCI DSS compliant?”, here’s the honest answer you can give without hand-waving.
Short version: Devotel’s Orbit platform does not store, process, or transmit raw cardholder data. All card payments are handled by Stripe, a PCI DSS Level 1 Service Provider. Devotel completes SAQ A annually — the simplest PCI DSS questionnaire, available to merchants who fully outsource card handling. Devotel is not a PCI DSS Level 1 certified entity itself, and does not claim to be.
That is the correct, defensible answer. Below is the detail you need to back it up.

What PCI DSS actually requires

PCI DSS (Payment Card Industry Data Security Standard) is a contractual standard the card brands (Visa, MasterCard, Amex, Discover, JCB) require of any organization that stores, processes, or transmits cardholder data. Compliance is proven via a Self-Assessment Questionnaire (SAQ) or, for the largest merchants, a Report on Compliance (RoC) from a Qualified Security Assessor (QSA). There are several SAQ levels. The one that applies to you depends on how your platform touches card data:
SAQ            Who it applies to
SAQ A          Card-not-present merchants who fully outsource card storage, processing, and transmission to a PCI-validated third party. No card data ever touches your systems.
SAQ A-EP       You redirect to a third party but your site serves the payment page (e.g., custom Stripe Elements forms hosted by you).
SAQ D          You store, process, or transmit cardholder data on your own infrastructure. The full 300+ control questionnaire.
Level 1 RoC    Required for merchants processing 6M+ card transactions/year, and for any organization that wants to market itself as “PCI DSS Level 1 compliant.” Requires annual on-site QSA audit.
Devotel sits firmly in SAQ A because every card payment flow on Orbit uses Stripe’s hosted infrastructure.

How Orbit handles payment data

1. Top-up payments (wallet funding)

When a customer adds credits to their Orbit wallet, Orbit opens a Stripe Checkout Session or Stripe Payment Element inside the dashboard. Everything from here is Stripe-hosted:
  • The card number, CVV, and expiry are entered into a Stripe-hosted iframe served from js.stripe.com.
  • The card data goes directly from the browser to Stripe’s servers (TLS 1.3, Stripe’s PCI Level 1 cardholder data environment).
  • Orbit’s backend never sees the PAN (primary account number), CVV, expiry, or cardholder name on the card.
  • Stripe returns a tokenized Payment Intent ID (e.g., pi_3QABCXYZ...) to Orbit’s backend. Orbit stores only that token.

2. Saved payment methods

  • When a customer “saves a card for future top-ups,” Stripe stores it. Orbit stores only a Stripe payment method ID (e.g., pm_1PXYZ...) and the display metadata Stripe returns (last 4 digits, brand, expiry month/year). Those display fields are not considered cardholder data under PCI DSS.

3. Subscription billing (future — not yet live)

  • If Orbit introduces subscriptions, the same Stripe-hosted flow applies. No change to PCI posture.

4. What Orbit’s database contains

What’s stored: Stripe customer ID, payment method ID, payment intent ID, invoice ID, last-4, brand, expiry month/year. What’s not stored: PAN, CVV, full expiry with PAN, track data, PIN. Because Orbit stores only tokens and display metadata, the cardholder data environment (CDE) is entirely Stripe’s. That’s what qualifies Orbit for SAQ A.
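As an added illustration of sections 1 and 4 (and of the webhook question in the FAQ further down), not code from Orbit or from Stripe: a minimal backend handler that first verifies a Stripe webhook signature and then persists only the allowlisted fields (Stripe IDs, amount, currency). It assumes Stripe's documented signing scheme (HMAC-SHA256 over `<timestamp>.<raw body>` with the endpoint secret, carried in the `Stripe-Signature` header as `t=...,v1=...`), uses a constructed `payment_intent.succeeded` event and a placeholder secret, and the record layout, prefix allowlist and function names are the example's own choices, not an Orbit API.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Endpoint signing secret as issued per webhook endpoint in the Stripe dashboard.
# Constructed placeholder for this example; a real one is loaded from a secret store.
WEBHOOK_SECRET = "whsec_placeholder_for_example_only"
DEFAULT_TOLERANCE_SECONDS = 300  # Stripe's default replay window

# Allowlist mirroring section 4: only Stripe references and amount fields are kept, and
# each tokenised reference must carry the prefix Stripe uses for that object type.
ID_PREFIXES = {"payment_intent_id": "pi_", "customer_id": "cus_", "payment_method_id": "pm_"}


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 'Stripe-Signature: t=<unix ts>,v1=<hex>[,v1=<hex>]' into (timestamp, signatures)."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Check the v1 signature (HMAC-SHA256 over '<t>.<raw body>', hex) plus a freshness window."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:  # stale or replayed event
        return False
    signed = f"{timestamp}.".encode() + payload  # sign the raw bytes, never re-serialised JSON
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def extract_billing_record(payload: bytes) -> Dict[str, object]:
    """Keep only the fields section 4 permits; reject anything that is not a tokenised reference."""
    obj = json.loads(payload)["data"]["object"]
    record: Dict[str, object] = {
        "payment_intent_id": obj["id"],
        "customer_id": obj.get("customer"),
        "payment_method_id": obj.get("payment_method"),
        "amount_received": int(obj["amount_received"]),
        "currency": obj["currency"],
    }
    for field, prefix in ID_PREFIXES.items():
        value = record[field]
        if value is not None and not str(value).startswith(prefix):
            # A bare digit string here would mean something other than a Stripe token is
            # about to land in the billing table; refuse rather than store it.
            raise ValueError(f"{field} is not a Stripe reference")
    return record


def handle_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> Optional[Dict[str, object]]:
    """Return the record to persist for a genuine payment_intent.succeeded event, else None."""
    if not verify_webhook(payload, header, secret, now=now):
        return None
    event = json.loads(payload)
    if event.get("type") != "payment_intent.succeeded":
        return None
    return extract_billing_record(payload)


def make_signed_event(secret: str, ts: int, **overrides: object) -> Tuple[bytes, str]:
    """Constructed payment_intent.succeeded event, signed the way Stripe's scheme does (test fixture)."""
    obj: Dict[str, object] = {"id": "pi_example000000000000001", "object": "payment_intent",
                              "customer": "cus_example0000001", "payment_method": "pm_example0000001",
                              "amount_received": 5000, "currency": "usd"}
    obj.update(overrides)
    event = {"id": "evt_example0000001", "type": "payment_intent.succeeded", "data": {"object": obj}}
    payload = json.dumps(event, separators=(",", ":")).encode()
    sig = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return payload, f"t={ts},v1={sig}"


if __name__ == "__main__":
    body, sig_header = make_signed_event(WEBHOOK_SECRET, ts=1_700_000_000)
    print(handle_webhook(body, sig_header, WEBHOOK_SECRET, now=1_700_000_010))
```

Two design points worth keeping: the signature is computed over the raw request body exactly as received (re-serialising the JSON first would change the bytes and break verification), and the prefix check on every stored reference is a cheap guard that stops a non-token value from ever reaching the billing table, which is what keeps the "only tokens and display metadata" statement true in practice.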

5. Non-card payment methods

Bank transfer, SEPA debit, ACH, BACS, Stripe Link — same story. Orbit holds Stripe tokens; Stripe holds the account data. No PCI scope expansion.

Stripe’s PCI DSS status

Stripe is a PCI DSS Level 1 Service Provider, validated annually by an independent QSA and listed on Visa’s Global Service Provider Registry. Stripe’s attestation (AoC) is available on demand from Stripe’s compliance team and is renewed every year. By using Stripe, Orbit inherits its PCI-validated environment for the card data portion of every transaction.

What Devotel does that counts for SAQ A

SAQ A has 22 applicable controls. The ones Devotel actively operates:
  • Policy and training — annual InfoSec policy review; engineers receive secure-coding and payment-handling training on hire and annually.
  • Network segmentation — Orbit’s infrastructure is GCP-native (VPC isolation, private service connect, no direct internet egress from payment-handling paths).
  • TLS enforcement — all Orbit endpoints require TLS 1.2+ (TLS 1.3 preferred), HSTS enabled, no mixed content.
  • Access control — IAM-based role separation; production credentials are never exported to laptops; short-lived tokens only.
  • Vulnerability management — quarterly external ASV scan on orbit.devotel.io and orbit-api.devotel.io; dependency CVE scanning on every CI run.
  • Incident response — documented IR playbook; 72-hour breach notification SLA.
  • Physical security — not applicable; Devotel runs no on-premise payment-handling infrastructure. GCP handles physical security for all hosted compute.
  • Vendor management — Stripe’s AoC is on file and reviewed annually; other vendors (logging, monitoring) are scoped out of the CDE and documented as such.
Documentation: every SAQ A control has a supporting document in Devotel’s internal compliance drive. Available under NDA to enterprise customers on request.

What Devotel does not do (be honest)

So you don’t accidentally overclaim:
  • Not PCI DSS Level 1 certified. Level 1 requires a full on-site QSA audit; Orbit has not undergone one because our card-data scope doesn’t require it. Saying “we’re Level 1” would be false.
  • No SOC 2 Type II report covering payment data specifically — Devotel has a SOC 2 Type I audit in progress (target: 2026-Q3); Type II follows 6–12 months later.
  • Not HITRUST certified.
  • Not FedRAMP authorized.
If a prospect’s procurement team asks for any of these, the correct answer is: “We rely on Stripe’s Level 1 certification for card data; we are completing SOC 2 Type I in Q3 2026 and will share the attestation then.”

What to say in a client meeting

Use this. It’s accurate and it passes the sniff test for any reasonable compliance reviewer:
Orbit is the messaging and voice layer. For payments we integrate with Stripe, which is a PCI DSS Level 1 Service Provider. Card data goes directly from the customer’s browser to Stripe — it never touches our servers, and we only store Stripe’s tokens. That places us in SAQ A scope, the simplest PCI DSS category for fully outsourced card handling. We complete SAQ A annually and can share our Attestation of Compliance on request under NDA.
If they push for more (typical from finance/insurance/healthcare prospects):
Happy to share Stripe’s PCI Level 1 Attestation of Compliance — they update it yearly and it covers the cardholder data environment we rely on. Our own internal control documentation is available under NDA.
If they specifically ask “Are you Level 1 certified?” — the answer is no, and the reason is that our scope doesn’t require it. Most SaaS companies that integrate Stripe are in this same position. Shopify, Intercom, Pipedrive, and most B2B SaaS vendors run on SAQ A.
Orbit publishes or has in progress:
Artifact                                  Status                            Scope
PCI DSS SAQ A Attestation of Compliance   Renewed annually (current: 2026)  Payment handling
Stripe PCI Level 1 AoC (inherited)        Current                           Card data environment
GDPR compliance statement                 Published                         Personal data of EU residents
HIPAA Business Associate Agreement (BAA)  Available for healthcare tenants  PHI on Orbit
SOC 2 Type I                              In audit (target 2026-Q3)         Security, availability
SOC 2 Type II                             Planned 2027-Q1                   6-month observation window
ISO 27001                                 Planned 2027

Requesting compliance documentation

  • Stripe AoC: available from Stripe directly, or via compliance@devotel.io.
  • Orbit SAQ A AoC: compliance@devotel.io — NDA required for enterprise prospects; standard access for existing paid tenants.
  • Custom vendor assessment questionnaires (Whistic, SecurityScorecard, OneTrust): compliance@devotel.io — typical turnaround 5 business days.

FAQ

  • No. Orbit has no endpoint that accepts a PAN. All card capture goes through Stripe-hosted UI. This is intentional — it keeps you out of PCI scope too.
  • Orbit doesn’t offer merchant-of-record services. Use Stripe Connect directly, or any other PCI-certified payment processor. Orbit’s billing is for your consumption of Orbit services, not for you to bill your own customers.
  • If a customer types their card number into a WhatsApp or SMS conversation that arrives in Orbit’s inbox, that message contains cardholder data and is in scope — Orbit’s general-purpose messaging store is not a PCI CDE. Mitigations: (a) redact card-like patterns at ingest (available in Settings → Channels → Data Redaction, default ON), (b) train agents not to request card numbers over messaging, (c) use a Stripe payment link or hosted page for any actual collection.
  • No. Those webhooks carry Stripe IDs and amounts, not card data. They’re fine to store, log, and replay.
  • Three documents: (1) Stripe PCI Level 1 AoC (public knowledge, we provide link), (2) Devotel SAQ A AoC (under NDA), (3) a 1-page Orbit Data Handling Overview describing the card-data flow. Email compliance@devotel.io and we’ll prepare the packet.
  • Crypto is out of PCI scope by definition. If we add it, we’ll publish a companion note.
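The "redact card-like patterns at ingest" mitigation from the messaging-inbox answer above, shown as an added example of the technique rather than Orbit's own Data Redaction implementation: candidate 13 to 19 digit runs are located by pattern, filtered with the Luhn check so that order or tracking numbers are left alone, and truncated to the last four digits before the message is stored. The message shape, the `[PAN REDACTED ****1234]` marker and the function names are this example's assumptions; the sample messages are constructed and use the public Visa, Mastercard and Amex test numbers.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which would be a reference number, not a card).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every issued card number passes it; most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace each Luhn-valid candidate with a truncated form (last 4 only); return (text, count)."""
    count = 0

    def _mask(match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. a 13-digit order number: leave untouched
        count += 1
        return f"[PAN REDACTED ****{digits[-4:]}]"

    return PAN_CANDIDATE.sub(_mask, text), count


def ingest_message(message: Dict[str, str]) -> Dict[str, object]:
    """Apply redaction before the message reaches the inbox store and flag it for follow-up."""
    body, hits = redact_pans(message["body"])
    return {
        "channel": message["channel"],
        "body": body,
        "pan_redactions": hits,
        # A non-zero count is the signal to coach the agent and offer a Stripe payment link instead.
        "cardholder_data_seen": hits > 0,
    }


# Constructed inbound messages (not real traffic), using public test card numbers.
SAMPLE_INBOUND: List[Dict[str, str]] = [
    {"channel": "whatsapp", "body": "hi, my card is 4111 1111 1111 1111 exp 12/27 cvv 123"},
    {"channel": "sms", "body": "Order 1234567890123 still not delivered"},
    {"channel": "whatsapp", "body": "use 5555-5555-5555-4444 or amex 378282246310005"},
]


def process_all(messages: List[Dict[str, str]] = SAMPLE_INBOUND) -> List[Dict[str, object]]:
    """Run ingest over a batch; the returned records are what the inbox store would receive."""
    return [ingest_message(m) for m in messages]


if __name__ == "__main__":
    for record in process_all():
        print(record)
```

Note what this does and does not catch: the PAN is removed, but the expiry and CVV typed alongside it in the first sample are ordinary short numbers that no pattern can reliably distinguish from other text, which is why mitigations (b) and (c) above sit beside redaction rather than behind it. Keeping the last four digits matches what the Stripe display metadata already exposes, so the agent still has enough context to reply without the message store ever holding a full PAN.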