Security at orkestr
Every app deployed on orkestr is protected by multiple layers of security - build sandboxing, runtime isolation, pre-build and post-build vulnerability scanning, and a web application firewall. All of them are enabled by default, on every plan.
Container Hardening
Every deployed container is locked down to the minimum permissions needed to run your app:
- Zero system access. Containers cannot mount filesystems, modify network rules, or access host hardware. All elevated permissions are stripped before your app starts.
- Privilege escalation blocked. Even if a dependency is compromised, processes inside your container cannot gain additional system access.
- Process limits. Each container has a hard cap on the number of processes it can run, so process exhaustion in one app (a fork bomb, a runaway worker pool) cannot affect other apps.
- Strict memory isolation. Memory is hard-limited per plan, and swap is disabled, so one app can never consume memory allocated to another.
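The guarantees above are all visible from inside the container, so they can be verified rather than trusted. The following is an added example, not orkestr's own tooling: it reads /proc/self/status (capability masks, the NoNewPrivs flag, the effective uid, which is also what the non-root default under Build Sandboxing relies on) and the cgroup v2 limit files pids.max, memory.max and memory.swap.max under /sys/fs/cgroup, and maps them onto the items in the list. The cgroup paths assume cgroup v2; the two /proc/self/status samples at the bottom are constructed (the first carries the stock Docker capability set, the second what a hardened container should report).

```python
"""Self-check for container hardening (added example, not orkestr's code)."""
from __future__ import annotations
from pathlib import Path

# Linux capability bit numbers, in order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]


def decode_caps(hex_mask: str) -> list[str]:
    """Turn a CapEff/CapBnd hex mask from /proc/self/status into capability names."""
    mask = int(hex_mask, 16)
    return [f"CAP_{name}" for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(text: str) -> dict:
    """Extract the hardening-relevant fields from /proc/self/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uids = fields.get("Uid", "0 0 0 0").split()
    return {
        "effective_caps": decode_caps(fields.get("CapEff", "0")),
        "bounding_caps": decode_caps(fields.get("CapBnd", "0")),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "euid": int(uids[1]),  # the Uid line lists real, effective, saved, filesystem uid
    }


def parse_cgroup_limit(value: str) -> int | None:
    """cgroup v2 limit files contain an integer or the word 'max' (no limit)."""
    value = value.strip()
    return None if value == "max" else int(value)


def evaluate(status: dict, pids_max: str, memory_max: str, swap_max: str) -> dict[str, bool]:
    """Map raw values onto the listed guarantees; True means the guarantee holds."""
    return {
        "capabilities_dropped": not status["effective_caps"] and not status["bounding_caps"],
        "privilege_escalation_blocked": status["no_new_privs"],  # no_new_privs also neuters setuid binaries
        "runs_as_non_root": status["euid"] != 0,
        "process_limit_set": parse_cgroup_limit(pids_max) is not None,
        "memory_limit_set": parse_cgroup_limit(memory_max) is not None,
        "swap_disabled": parse_cgroup_limit(swap_max) == 0,  # memory.swap.max == 0 means no swap
    }


def check_running_container(cgroup_root: str = "/sys/fs/cgroup") -> dict[str, bool]:
    """Evaluate the live container (Linux with cgroup v2 only)."""
    status = parse_status(Path("/proc/self/status").read_text())

    def read(name: str) -> str:
        path = Path(cgroup_root) / name
        return path.read_text() if path.exists() else "max"  # missing file: treat as unlimited

    return evaluate(status, read("pids.max"), read("memory.max"), read("memory.swap.max"))


# Constructed sample: stock Docker capability set (0xa80425fb), root, NoNewPrivs off.
DEFAULT_DOCKER_STATUS = (
    "Uid:\t0\t0\t0\t0\nCapBnd:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\n"
)
# Constructed sample: what a container hardened as described above should report.
HARDENED_STATUS = (
    "Uid:\t1000\t1000\t1000\t1000\nCapBnd:\t0000000000000000\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\n"
)

if __name__ == "__main__":
    print("stock docker:", evaluate(parse_status(DEFAULT_DOCKER_STATUS), "max", "max", "max"))
    print("hardened:    ", evaluate(parse_status(HARDENED_STATUS), "64", "536870912", "0"))
    if Path("/proc/self/status").exists():
        print("this process:", check_running_container())
```

Run check_running_container() from a shell inside the deployed container; every value should be True. Two caveats: a zero effective set with a non-zero bounding set means capabilities could still be regained by a file-capability binary unless NoNewPrivs is set, which is why the check requires both masks to be empty; and memory.swap.max is the per-container signal, which is what matters even on hosts that have no swap configured at all.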
Build Sandboxing
Your code is built in a fully sandboxed environment - isolated from the rest of the platform:
- Sandboxed builds. The build process runs in its own isolated container with no access to the host system, other apps, or the platform infrastructure.
- Automatic timeouts. Builds that run too long or consume too many resources are automatically killed. No runaway process can affect the platform.
- Network isolation. The only platform endpoint a build environment can reach is the internal image registry, and only to push the built image. Builds cannot reach other users' apps or platform services.
- Non-root by default. All auto-generated configurations run your application as a non-root user. Your app never has system-level access.
Pre-Build Security Scanning
Before your code is even built, orkestr scans your dependencies for known supply-chain threats:
- Compromised packages. Known malicious packages are detected and blocked before the build starts - protecting you from supply-chain attacks.
- Typosquat protection. Catches fake packages that impersonate popular libraries with similar names, a common attack vector in open-source ecosystems.
- Malicious patterns. Scans your build configuration for crypto miners, privilege escalation attempts, and other suspicious patterns.
- Blocked automatically. Deployments with detected threats are rejected immediately, so a flagged dependency never reaches your production environment.
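To make the two dependency checks above concrete, here is an added example of a pre-build gate in Python; it is not orkestr's scanner and its lists are constructed. It parses a requirements.txt, normalises names the way PyPI does (PEP 503: case-fold, collapse runs of "-", "_" and "."), rejects anything on a block-list of known-malicious names, and flags typosquats as names within one edit (insertion, deletion, substitution or adjacent transposition) of a popular package that are not themselves popular. The popular set, the block-list entry and the sample requirements file are all hypothetical stand-ins for the lists a platform would maintain.

```python
"""Pre-build supply-chain gate (added example, not orkestr's code)."""
from __future__ import annotations
import re

# Constructed stand-ins for the curated lists a platform would maintain.
POPULAR = {"requests", "urllib3", "colorama", "python-dateutil", "numpy", "setuptools"}
KNOWN_MALICIOUS = {"colourama"}  # hypothetical block-list entry for the example

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")  # name before any specifier/extras


def normalise(name: str) -> str:
    """PEP 503 name normalisation, so 'Python_DateUtil' and 'python-dateutil' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits including adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_requirements(text: str) -> list[str]:
    """Return normalised package names; comments, blank lines, pip options and specifiers are dropped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or an option such as -r
            continue
        m = REQ_LINE.match(line)
        if m:
            names.append(normalise(m.group(1)))
    return names


def classify(name: str, popular=POPULAR, malicious=KNOWN_MALICIOUS) -> tuple[str, str | None]:
    """Return ('malicious', None), ('typosquat', impersonated_name) or ('ok', None)."""
    popular_n = {normalise(p) for p in popular}
    if name in {normalise(m) for m in malicious}:
        return "malicious", None
    if name in popular_n:
        return "ok", None  # a popular package is never a squat of another popular package
    for target in sorted(popular_n):
        if edit_distance(name, target) == 1:
            return "typosquat", target
    return "ok", None


def scan(requirements: str) -> list[tuple[str, str, str | None]]:
    """One (name, verdict, impersonated_name) row per dependency."""
    return [(n, *classify(n)) for n in parse_requirements(requirements)]


def deploy_allowed(requirements: str) -> bool:
    """The deploy is rejected as soon as any dependency is flagged."""
    return all(verdict == "ok" for _, verdict, _ in scan(requirements))


# Constructed sample requirements file exercising each verdict.
SAMPLE_REQUIREMENTS = """\
# constructed sample
Requests==2.31.0
requets>=2.0          # one character short of 'requests'
python-datetuil       # 'ut' transposed in python-dateutil
colourama             # on the block-list
numpy
"""

if __name__ == "__main__":
    for row in scan(SAMPLE_REQUIREMENTS):
        print(row)
    print("deploy allowed:", deploy_allowed(SAMPLE_REQUIREMENTS))
```

The edit-distance rule is one signal, not a verdict on its own: it produces false positives for legitimately similar names, and misses squats that differ by more than one edit or by homoglyphs, so a real scanner combines it with registry metadata such as package age and download counts. Normalising before comparison also catches the hyphen-versus-underscore variants that squatters rely on.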
Vulnerability Scanning
Every built image is automatically scanned for known security vulnerabilities:
- Dependency scanning. Your image's OS packages and application dependencies are checked against vulnerability databases for known security issues.
- Visible in deploy logs. Scan results appear directly in your deployment pipeline - you see findings in real time as your app deploys.
- Re-scan anytime. Re-scan any image from your project registry at any time to check for newly discovered vulnerabilities.
- Actionable findings. Each finding includes the vulnerability ID, affected package, severity level, and a description to help you prioritise fixes.
Network Isolation
Your app is isolated from every other app on the platform - and from the platform itself:
- Per-project isolation. Each project runs on its own private network. Your app and its add-ons can communicate, but no other user's app can reach them.
- Platform separation. Your containers cannot reach any of the platform's own infrastructure - its databases, caches, and internal services are completely unreachable. Only the add-ons in your own project are visible to your app.
- Private image storage. Built images are stored in a private registry with no external access. Only the platform can read or write images.
- Minimal surface area. Only web traffic (HTTP/HTTPS) is exposed. All other ports and services are blocked at the firewall level.
Web Application Firewall
Two layers of protection shield every app - edge-level DDoS mitigation and application-level threat detection:
- CDN DDoS protection. Large-scale traffic floods are absorbed at the CDN edge before they ever reach your server. Traffic is distributed globally to eliminate single points of failure.
- Community threat intelligence. Crowdsourced IP reputation data, gathered from thousands of servers worldwide, is used to block known botnets, scanners, and brute-force attackers at the application layer.
- Attack pattern detection. Detects and blocks common attack patterns: SQL injection, XSS, path traversal, and known vulnerability exploitation attempts.
- Per-app rate limiting. Each app gets automatic rate limiting per source IP. Legitimate traffic is unaffected while abuse is throttled.
- IP allowlisting. Restrict access to any environment by IP or CIDR range. Perfect for locking staging environments, admin panels, or internal tools to specific office or VPN IPs. Available on Pro and Team.
- Enabled by default. Both layers of protection are active on every plan, including free. No configuration required.
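Two of the items above, IP allowlisting by IP or CIDR range and per-source-IP rate limiting, are simple enough to show end to end. The following is an added example written for this page, not orkestr's edge code: a small guard that decides "forbidden", "rate_limited" or "allow" for each request using Python's ipaddress module for the allowlist and a token bucket per client IP for throttling. The allowlist prefixes (203.0.113.0/24 and 2001:db8::/32 are documentation ranges), the rate and burst values and the traffic sequence are constructed, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Allowlist plus per-IP rate limiting at the edge (added example, not orkestr's code)."""
from __future__ import annotations
import ipaddress


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `burst`, one token per request."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, float(burst)
        self.tokens = float(burst)
        self.updated = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)  # clamp so a clock step backwards cannot refill
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeGuard:
    def __init__(self, rate: float, burst: int, allowlist: list[str] | None = None):
        self.rate, self.burst = rate, burst
        # A bare address such as "203.0.113.10" becomes a /32 (or /128) network;
        # strict=False also accepts ranges written with host bits set.
        self.allowlist = [ipaddress.ip_network(c, strict=False) for c in (allowlist or [])]
        self.buckets: dict[str, TokenBucket] = {}

    def ip_allowed(self, client_ip: str) -> bool:
        """With no allowlist configured everyone may connect; with one, only members may."""
        if not self.allowlist:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, client_ip: str, now: float) -> str:
        """Decision for one request: 'forbidden' (403), 'rate_limited' (429) or 'allow'."""
        if not self.ip_allowed(client_ip):
            return "forbidden"  # checked first, so blocked IPs never consume bucket state
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
        return "allow" if bucket.allow(now) else "rate_limited"


def simulate(guard: EdgeGuard, traffic: list[tuple[str, float]]) -> list[str]:
    """Feed (client_ip, timestamp) pairs through the guard and collect the decisions."""
    return [guard.decide(ip, t) for ip, t in traffic]


# Constructed staging allowlist: an office range and a VPN range (documentation prefixes).
STAGING_ALLOWLIST = ["203.0.113.0/24", "2001:db8::/32"]


def demo() -> list[str]:
    """Constructed traffic: a burst from an office IP, an outsider, a VPN client, then the office again."""
    guard = EdgeGuard(rate=1.0, burst=3, allowlist=STAGING_ALLOWLIST)
    traffic = [("203.0.113.10", 0.0)] * 5 + [
        ("198.51.100.7", 0.1),   # not on the allowlist
        ("2001:db8::1", 0.2),    # VPN client, own bucket
        ("203.0.113.10", 2.0),   # two seconds later: two tokens have refilled
    ]
    return simulate(guard, traffic)


if __name__ == "__main__":
    print(demo())
```

The allowlist check runs before the bucket lookup so that unwanted sources cannot grow the per-IP state, and each client gets its own bucket, which is what keeps one abusive IP from throttling everyone else. In a long-running process the buckets dictionary needs an eviction policy for idle clients; the example omits that to stay focused on the decision logic.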
EU Hosting & GDPR
Your data never leaves the European Union:
- EU infrastructure. All servers are located in Germany (Hetzner Nuremberg and Falkenstein data centers).
- No US data access. No data is processed by or transferred to US-based services. Your code, databases, and logs stay in the EU.
- Cookie-free analytics. We use self-hosted, open-source analytics - no cookies, no tracking pixels, no third-party data sharing.
- GDPR-compliant by design. Minimal data collection, encryption at rest, and the right to delete your account and all associated data at any time.
Found a vulnerability?
If you've found a security issue, please report it responsibly. We take all reports seriously and will respond promptly.
security@orkestr.eu