In plain English

When someone in your family sends a message on Orbit, their phone scrambles it before it leaves. The only phones that can unscramble it are the ones belonging to the family: the people in the conversation and the trusted adults on both sides, when there are children involved. Our servers move the scrambled message between those phones like a post office that can see the envelope but never open the letter inside.

This is called end-to-end encryption. It's the same idea behind apps like Signal and iMessage. The difference with Orbit is the family circle: when a child is in the chat, the grown-ups looking after them are inside the lock-and-key circle too, and their phones also have the key. You get to see what's being said, and the server doesn't.

When we say "we can't read your messages," we mean it structurally, not as a promise. The keys that unscramble messages never leave your family's phones. If someone broke into our servers, or served us a subpoena, or if we wanted to (we don't), the thing we'd be looking at is still scrambled.

The short version:

Messages get locked on the sender's phone and only unlocked on the receiver's phone. We carry the locked package. We don't hold the key.

The technical bits

For curious or technical readers. Skip this section if you don't want to go into the weeds.

The protocol: X3DH + Double Ratchet

Orbit uses the Signal Protocol, the same end-to-end encryption protocol behind Signal, WhatsApp, and Facebook Messenger's secret conversations. It's open, well-audited, and widely peer-reviewed. We didn't invent our own crypto.

X3DH (Extended Triple Diffie-Hellman) is how two phones that have never met establish a shared secret the very first time they talk, even if one of them is offline. Double Ratchet is how they keep rotating keys forward as they chat, so that if any one key is ever compromised, it doesn't unlock earlier or later messages. This property is called forward secrecy and post-compromise security.

The keys: Curve25519

Every device has three kinds of keys, all generated on the device itself:

  • Identity key: a long-lived Curve25519 key pair that identifies the device. The private half never leaves the phone.
  • Signed prekey: a medium-lived key, signed by the identity key, that starts new conversations.
  • One-time prekeys: a batch of single-use keys that get consumed as new conversations begin, giving extra forward secrecy for the opening handshake.

Our server stores the public halves of these so your friends' phones can look them up to start a conversation. The private halves never leave the device where they were generated.

Per-device sessions

If a user has multiple devices (an iPhone and an iPad, say), each device has its own independent identity key and its own encryption session with every peer. A message sent to Emma isn't encrypted "to Emma". It's encrypted separately for each of Emma's devices. If one device gets compromised, the others aren't.

What our server handles

The server is responsible for routing, not reading. It:

  • Holds public key bundles so phones can find each other and start conversations.
  • Stores encrypted message blobs until the recipient's phone is online to fetch them.
  • Manages accounts, the family graph (who's in which family, who's approved to talk to whom), and Mack's moderation settings, which are pushed to the child's device so Mack can run locally, on both messages the child sends and messages the child receives.
  • Broadcasts delivery notifications (metadata only: "a message arrived for you") so phones know when to sync.

It does not, and structurally cannot, decrypt the message contents.

Sign-out wipes local state

When someone signs out of Orbit, every piece of crypto state on that device is wiped: identity key, session state, message cache. A re-login generates a fresh identity and starts new sessions. If a phone is lost, the device can be revoked from the account's Devices screen: the server immediately stops delivering to it, deletes its key material and any messages queued for it, and tells every peer to stop encrypting to it. Whatever was already on the lost phone stays protected by the phone's own passcode and disk encryption, like any other app's data.

Mack and end-to-end encryption

A common question: if Orbit can't read messages, how does the AI safety check work?

The answer is Mack, our AI safety guard. Mack runs on the child's phone, never on our servers, and never in the cloud, and Mack checks the chats between children (conversations with a trusted adult in them aren't Mack's job, and the Open supervision level switches Mack off entirely). There are two moments where Mack does its check. When your child sends a message, the phone briefly holds the message before locking it for delivery, and Mack reads it in that moment. When your child receives a message, the phone unlocks it to display, and Mack reads it before the words appear on screen. Both of those moments, phones holding unlocked messages on either end, are how every end-to-end encrypted messenger has always worked. We just use them, on your child's own phone, to give Mack a look. Our servers only ever see the locked-up version of the message and, if Mack flags something, a small alert (which version of Mack, which categories were flagged). The words themselves never reach our servers. End-to-end encryption is not weakened.

Why both directions? Mack is set up by the parent of the phone Mack is running on. If your child receives a harmful message from another family whose Mack is switched off or set up differently, your settings, the ones you chose, need to catch it on your child's phone. Mack-on-receipt is what makes that work, and it keeps the privacy promise intact: the only phones that ever unlock the message are the ones on each end of the chat anyway.

Contrast this with products that scan messages on a server, which need to unlock them at some point or get the words from the messaging app. Orbit does neither. Mack is on the phone, not in the cloud.

What the server sees when Mack flags something

When Mack flags a message on the phone, our server gets:

  • Which categories were flagged (like "bullying" or "self-harm").
  • Which version of Mack did the flagging.
  • The time, and which child the alert belongs to (so it reaches the right parent).
  • A sealed copy of the flagged message, locked on the child's phone so that only the linked parents' phones can open it. That's what lets you read the message inside the alert on your own device, while our servers carry it without ever being able to read it.

To us, it's a category and a locked box. The words are readable only on your phone.

If you choose to share a message to help train Mack

You can tap a Mack alert and tell us it was wrong. Separately, there's an option to share that one message's wording with us so we can use it to make the next Mack better. This is off unless you turn it on for that one message. If you do, the message is locked up on the phone using a key only your Orbit app can open, sent to us, and then your Orbit app strips off everything that identifies your family before it's used: no name, no email, no chat name. There's no way for us to trace a shared message back to the family that sent it.

What we store (and what we don't)

On our servers

  • Account basics (parent email, child display name, who's in your family)
  • Lock-and-key info that lets your phones find each other (no private keys)
  • Locked-up messages waiting for the other phone to come online and pick them up
  • Routing info: who sent a message to whom, when, and to which phone
  • Your Mack settings (mode, which categories are on, watchlist words)
  • Mack alerts: which category was flagged, which version of Mack, and the time, plus a sealed copy of the flagged message that only the right parent's phones can open (we can't)
  • Reports your child chooses to make ("I don't like this message"): the reason category, plus the reported message and your child's note sealed so only their own parents' phones can open them
  • Single messages you've chosen to share with us to help train Mack (with everything identifying your family stripped off: no name, no email, no chat name)

Never on our servers

  • The actual words of any message your family sends
  • The private half of your phone's locks (it lives on the phone that made it)
  • Contacts from your phonebook or your social media
  • Ad trackers, third-party analytics
  • Anything sold or shared with marketers

What parents can actually see

Orbit treats the family as the unit of privacy. When someone sends a message, their phone locks it once for every phone in the family circle: the other person in the chat, plus the trusted adults on both sides whenever a child is involved. The server passes the locked message along; each family phone unlocks it when it arrives.

How much a parent sees is set per child by the supervision level you choose, from reading everything (Guarded), to flagged messages and the contact list only (Standard), to a fully private account with no monitoring at all (Open). What grown-ups in the family can see and control (when a child is part of the chat, at the levels that include it):

  • The messages themselves. At Guarded supervision, every message sent or received can be unlocked on a parent's phone. You see the conversation in your own Orbit app.
  • Who the children are talking to. The list of active conversations and the grown-up on the other end.
  • Approval for new contacts. A child can't add a new friend without the grown-ups on both sides agreeing.
  • Mack alerts. When Mack flags a message on the child's phone, you get an alert telling you which categories were flagged, with the flagged message inside it, sealed on the child's phone so only your phone can open it. The server relays the alert without ever being able to read the message.
  • Reports from your child. A child can long-press a message they've received and tap "I don't like this message", picking a reason and adding a note if they want. The report reaches you (and any other parent) as an alert, with the message and the note sealed so only your phones can read them. The sender is never told, nothing in the chat changes, and the report always gets through, whatever filter settings you've chosen, even with Mack's filtering off.
  • Approval requests. In "Hold for approval" mode, flagged messages are paused on the child's phone until you sign off. You read the message in your own Orbit app, and the server never sees the words.
  • Watchlist alerts. A notification when a watchlist word appears in your child's messages. Notification only, nothing is stopped.
  • Activity info. When chats happen, how often, with whom.

What Orbit cannot do: read those messages on our servers, hand them to anyone outside your family, or show them to another family's parent. Only the phones in your family can unlock them.

Transparency & current state

We believe you should be able to check what we claim. Honest status as of today:

  • Orbit is currently in pre-launch / early beta. The security design described here is in place; polish and audits are ongoing.
  • We plan to commission a third-party security review before a broad public launch and publish the report.
  • Found a security issue? Use the form below. We take responsible disclosure seriously and will credit researchers who report issues privately first.

No tracking. We'll only use your email, if you provide one, to ask follow-up questions about this report.

Technical FAQ

Does Mack break end-to-end encryption?

No. Mack runs on the child's phone: on outgoing messages before they're encrypted, and on incoming messages after they're decrypted locally on the child's device. Only endpoint devices ever hold plaintext, which is true for every E2EE messenger ever built; we just use those existing on-device windows to give Mack a look. The server receives only ciphertext plus a small alert payload (which labels fired, model version, and the flagged message re-encrypted on the child's device to the linked parents' keys, readable by the parent, never by the server). End-to-end encryption is unchanged. This is architecturally different from any server-side scanning approach, where the service provider necessarily sees the plaintext. Mack stays on the device; nothing is sent to the cloud for moderation.

What happens, cryptographically, when my child reports a message?

The same thing as a Mack alert, but initiated by the child instead of the AI. When a child taps "I don't like this message" on something they've received, their phone encrypts the reported message, the reason, and any note they add directly to their own linked parents' device keys, and sends that sealed bundle to our server for delivery. The server stores and relays it without being able to read it; only the child's own parents' phones can open it. The sender's device is never contacted, the sender's family is never notified, and nothing changes in the conversation. Reports bypass filter preferences entirely: they reach the parent even if Mack's filtering is set to Off.

Why not just tell families to use Signal or iMessage?

Those apps nail the encryption but not the rest of the problem for children: anyone with a phone number can message them, there's no parental approval for new contacts, and no on-device, per-child AI moderation like Mack. Orbit reuses the same battle-tested encryption protocol and wraps a family-specific product around it.

What if the Orbit server is compromised?

An attacker with full server access would get: encrypted message blobs (unreadable without device keys), public key material, account metadata, and the family graph. They would not get message plaintext, private keys, or any way to decrypt past or future conversations. This is the whole point of end-to-end encryption: the server is untrusted by design.

Do you support perfect forward secrecy?

Yes. The Double Ratchet construction provides forward secrecy and post-compromise security. Each message uses a fresh symmetric key derived from a rotating ratchet, so compromising one key does not expose earlier or later messages.

Can I see the source code?

Orbit's application code is closed source today. The cryptographic core, however, is built on open, audited libraries, namely the Signal Protocol implementation (libsignal), Curve25519, and standard primitives, rather than anything proprietary we rolled ourselves. So the parts of the system that have to be trusted to keep your messages private are the parts that have already been peer-reviewed by the wider security community.

How are keys verified between devices?

Each device publishes a signed prekey tied to its long-lived identity key. A recipient device verifies the signature before starting a session. Out-of-band identity verification (safety numbers, QR scan) is on the roadmap for parents who want belt-and-suspenders confirmation.

What happens to messages when a device is added or removed?

New devices generate their own identity key and prekeys and register them with the server; future messages are encrypted for the new device as well as the old ones. Removed devices stop being included in new sessions; their local state is wiped on sign-out.