Institutional-grade security, on every plan.
Every firm runs on dedicated resources, with access tied to a live session and work held inside the environment selected for that firm. Pro is a managed isolated deployment. Enterprise runs the same platform in a cloud account your firm owns, in your region, with sign-in through your identity provider and encryption keys you hold.
At a glance
Enterprise controls, on every plan.
The security foundation is the same whether you start on Pro or deploy into your own account on Enterprise.
Isolation
Dedicated resources per organization
Every organization runs on its own database, document storage, and execution roles. Nothing is pooled across firms.
Access
Session-tied, expiring access
The platform holds no long-lived credential to your data. Every database request carries a short-lived pass, minted against the live session and gone in fifteen minutes.
Identity
Re-verified on every request
Every request runs on a live, signed-in session that each service re-verifies before it acts. On Enterprise, sign-in runs through your own identity provider.
Privacy
Your work stays inside your environment
Your files, prompts, and outputs serve your deals and stay inside your environment, exclusively yours. They never train any model.
Deployment
Your own cloud, on Enterprise
On Enterprise, the platform deploys into a cloud account your firm owns, in your region, with encryption keys you hold.
Control
Your team audits and revokes
Audit every access path with the tools your security team already runs. Revoke from your side at any time, without routing through Cap Orbit.
Pro and Enterprise
Strong on Pro. In your own account on Enterprise.
Pro is a fully isolated, managed deployment; Enterprise moves that same platform inside your own control boundary.
Pro
A secure managed deployment
For funds and investment teams up to fifty people. Every firm runs on its own dedicated resources, with access tied to the live session and expiring in fifteen minutes. Live deals within twenty-four hours, the full security foundation managed for you.
Enterprise
In the account your firm owns
The same platform, deployed into your own cloud account, in your region. Single sign-on, private connectivity, customer-held encryption keys, and your own choice of AI inference provider, built against your security and architecture review.
Firm isolation
Every organization runs on its own dedicated resources.
Each organization owns its database, its document storage, and its execution roles. Separation is enforced by the database grant rules, not by convention.
Own database
A dedicated database per organization
Each firm gets its own database. Its writer account has privileges only on that database, and broad default access has been explicitly revoked.
Own storage
Dedicated document storage
Each firm’s files, drafts, and work product sit in storage reachable only by that firm’s own access roles. One firm’s materials are never visible to another.
Own roles
Dedicated execution permissions
Each organization has its own execution roles. One firm’s deals run in a completely separate environment from every other firm’s.
Per deal
Each deal in its own workspace
Inside a firm, each deal runs in its own workspace with its own files attached, keeping work product clean and separate across every transaction.
Enforced below
Enforced by database grant rules
Separation is enforced at the database level by its own grant rules. The database refuses cross-firm access outright, a structural guarantee rather than a convention.
Guarded
Collisions designed out
The mapping from a firm to its database is uniquely constrained. Two firms cannot resolve to the same store by any path.
Data access
Short-lived, session-tied, re-checked on every request.
The platform holds no standing credential to your data. Every database request goes through a gatekeeper that re-confirms the live sign-in and issues a pass that expires in fifteen minutes.
01. Verify the live session
The gatekeeper re-checks the live sign-in on each call, trusting only a session that is still valid. On Enterprise, that check runs against your own identity provider.
02. Issue a time-limited pass
On a valid session, the gatekeeper issues a pass tied to one firm’s database and user. It is good for fifteen minutes, then it expires automatically.
03. Cross-check the pass
The pass is checked against the firm’s own record of which database it should be for. A mismatch is rejected before any data is touched.
04. Reach the data
Only then does the request reach the database, on a credential minted for this request alone. No long-lived key sits anywhere in the data path.
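A minimal sketch of the four steps above, added here as an illustration and not Cap Orbit's own code. The HMAC-signed pass format, the in-memory session and firm tables, and every name in it are assumptions; the sample data is constructed.

```python
import base64, hashlib, hmac, json

PASS_TTL_SECONDS = 15 * 60             # the fifteen-minute lifetime stated on the page
SIGNING_KEY = b"constructed-demo-key"  # constructed; stands in for a managed signing key

# Constructed sample state: live sessions and the firm-to-database record.
SESSIONS = {"sess-a1": {"user": "analyst@firm-a.example", "firm": "firm-a",
                        "expires": 2_000_000_000}}
FIRM_DATABASE = {"firm-a": "db_firm_a", "firm-b": "db_firm_b"}

def sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_session(session_id: str, now: int) -> dict:
    """Step 01: trust only a session that is still valid at request time."""
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] <= now:
        raise PermissionError("no live session")
    return session

def issue_pass(session_id: str, now: int) -> str:
    """Step 02: mint a pass bound to one firm's database and one user."""
    s = verify_session(session_id, now)
    claims = {"user": s["user"], "firm": s["firm"],
              "db": FIRM_DATABASE[s["firm"]], "exp": now + PASS_TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + sign(body)

def check_pass(token: str, requested_db: str, now: int) -> dict:
    """Step 03: check signature, expiry, and the firm's own database record."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise PermissionError("pass expired")
    # Reject before any data is touched if the pass and the firm record disagree.
    if FIRM_DATABASE.get(claims["firm"]) != claims["db"] or claims["db"] != requested_db:
        raise PermissionError("database mismatch")
    return claims

def query(session_id: str, requested_db: str, now: int) -> str:
    """Step 04: each request mints and checks its own pass before reaching data."""
    claims = check_pass(issue_pass(session_id, now), requested_db, now)
    return f"query on {claims['db']} as {claims['user']}"
```

Because `query` mints a fresh pass per request, ending the session stops access on the next call rather than after the pass lifetime runs out.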
Your work is used only for your deals.
Everything you bring into Cap Orbit, and everything you produce in it, stays inside your environment. Your files, prompts, and outputs are not used to train models.
Your files
Rent rolls, T-12s, leases, and term sheets are read to do the work. They belong to your environment and to no one else.
Your prompts
The directions you give shape your deal. They stay inside your environment, not pooled across any shared system.
Your outputs
The models, the memos, and the work product are yours. They live in your environment and advance your deals.
Audit and control
You audit every access path, and you can revoke at any time.
On Enterprise, oversight uses the tools your security team already runs. The credentials and the kill switch are yours.
Your logs
Every access path is yours to see
Deployed in your account, every resource, log, and access path is yours to audit with the logging and monitoring your team already operates.
Your revoke
Revoke from your side, any time
Access can be cut from your side at any time. The credentials are yours, so the decision to revoke never routes through Cap Orbit.
Set once
Onboarding secrets are fixed at the start
The shared secret that authenticates a new firm’s setup is set once and is immutable. It is an onboarding handshake, separate from anything that reaches your data.
Vendor review
The questions a vendor-risk team asks.
What counts as our data, and where does it live?
Your deal files, the models and memos you produce in it, your team’s activity, and your work product of any kind. On Pro it lives on dedicated resources belonging to your firm; on Enterprise it lives inside a cloud account you own, in the region you choose. It is never pooled with another firm’s, and it stays exclusively yours.
Who can access our data, and how?
Only a live, signed-in user from your organization. The platform holds no standing key; every database request carries a short-lived pass that a gatekeeper issues only after re-verifying the live session, and the pass expires automatically in fifteen minutes. On Enterprise, sign-in runs through your own identity provider, so access follows your directory.
Can we deploy Cap Orbit in our own cloud account?
Yes, on the Enterprise tier. The same platform deploys into a cloud account your firm owns, with customer-held encryption keys and private connectivity, built against your security and architecture review. Cap Orbit holds no credential that can write into your account.
How is one firm’s data kept separate from another’s?
Each organization gets its own database, its own document storage, and its own execution roles. The separation is enforced by the database’s own grant rules as a structural guarantee: the database refuses cross-firm access outright.
Can we audit access and revoke it ourselves?
Yes. On Enterprise every resource, log, and access path is yours to audit with the tools your team already runs, and access can be cut from your side at any time without routing through Cap Orbit.