In plain English

When someone in your family sends a message on Orbit, their phone scrambles it before it leaves. The only phones that can unscramble it are the ones belonging to the family — the people in the conversation and the trusted adults on both sides, when there are children involved. Our servers move the scrambled message between those phones like a post office that can see the envelope but never open the letter inside.

This is called end-to-end encryption. It's the same idea behind apps like Signal and iMessage. The difference with Orbit is the trust circle: when a child is in the chat, the grown-ups looking after them are cryptographic participants too. You get to see what's being said, and the server doesn't.

When we say "we can't read your messages," we mean it structurally — not as a promise. The keys that unscramble messages never leave your family's phones. If someone broke into our servers, or served us a subpoena, or if we wanted to (we don't), the thing we'd be looking at is still scrambled.

The short version:

Messages get locked on the sender's phone and only unlocked on the receiver's phone. We carry the locked package. We don't hold the key.

The technical bits

For curious or technical readers. Skip this section if you don't want to go into the weeds.

The protocol: X3DH + Double Ratchet

Orbit uses the Signal Protocol — the same end-to-end encryption protocol behind Signal, WhatsApp, and Facebook Messenger's secret conversations. It's open, well-audited, and widely peer-reviewed. We didn't invent our own crypto.

X3DH (Extended Triple Diffie-Hellman) is how two phones that have never met establish a shared secret the very first time they talk — even if one of them is offline. Double Ratchet is how they keep rotating keys forward as they chat, so that if any one key is ever compromised, it doesn't unlock earlier or later messages. This property is called forward secrecy and post-compromise security.

The keys: Curve25519

Every device has three kinds of keys, all generated on the device itself:

  • Identity key — a long-lived Curve25519 key pair that identifies the device. The private half never leaves the phone.
  • Signed prekey — a medium-lived key, signed by the identity key, that starts new conversations.
  • One-time prekeys — a batch of single-use keys that get consumed as new conversations begin, giving extra forward secrecy for the opening handshake.

Our server stores the public halves of these so your friends' phones can look them up to start a conversation. The private halves never leave the device where they were generated.

Per-device sessions

If a user has multiple devices (an iPhone and an iPad, say), each device has its own independent identity key and its own encryption session with every peer. A message sent to Emma isn't encrypted "to Emma" — it's encrypted separately for each of Emma's devices. If one device gets compromised, the others aren't.

What our server handles

The server is responsible for routing, not reading. It:

  • Holds public key bundles so phones can find each other and start conversations.
  • Stores encrypted message blobs until the recipient's phone is online to fetch them.
  • Manages accounts, the family graph (who's in which family, who's approved to talk to whom), and Mack's moderation settings, which are pushed to the sending device so Mack can run locally.
  • Broadcasts delivery notifications (metadata only — "a message arrived for you") so phones know when to sync.

It does not — and structurally cannot — decrypt the message contents.

Sign-out wipes local state

When someone signs out of Orbit, every piece of crypto state on that device is wiped: identity key, session state, message cache. A re-login generates a fresh identity and starts new sessions. If a phone is lost, a remote sign-out via the parent account achieves the same thing.

Mack and end-to-end encryption

A common question: if Orbit can't read messages, how does the AI moderation work?

The answer is Mack — our on-device AI safety agent. Mack runs on the sending device, never on our servers, and never in the cloud. The child's phone is the sender; it sees the plaintext of the outgoing message in the moment before it is encrypted. We use that window to give Mack a look — locally, on the device — before the message is locked and sent. The server receives only ciphertext and, when Mack fires, a small alert payload (model version, which labels were triggered). No message text ever reaches our servers as part of moderation. End-to-end encryption is not weakened.

Contrast this with server-side scanning products, which require either decrypting messages on the server or gaining access to a copy of the plaintext via the messaging provider. Orbit does neither. Mack is on the phone, not in the cloud.

What the server sees from a Mack event

When Mack fires an alert on the device, the only data the server receives is:

  • Which labels were triggered (e.g. bullying, self_harm).
  • The model version of Mack that produced the result.
  • The timestamp and the parent-child link identifier (so the alert can be routed to the right parent).

No message text. No ciphertext. The alert is metadata about the classification, not about the content.

Feedback loop — if a parent opts in

Parents can flag a Mack alert as inaccurate. There is an additional, separate opt-in to share the message text to help train the next version of Mack; this is off by default and requires an explicit per-message decision. If a parent opts in, the child's device encrypts the message text to the parent's identity key at classification time. Only the parent's own device can decrypt it. When the corpus row is written on our server, it is stripped of all identifiers — no parent ID, no child ID, no conversation ID. There is no way to trace a corpus row back to the family that contributed it.

What we store (and what we don't)

On our servers

  • Account basics (parent email, child display name, family graph)
  • Public keys (so phones can find each other)
  • Encrypted message blobs awaiting delivery
  • Metadata needed for routing: who sent to whom, when, and to which device
  • Your Mack settings (mode, per-label toggles, watchlist terms)
  • Mack alert metadata: label(s) fired, model version, timestamp — never the message text
  • Training corpus rows (only if a parent explicitly opts in per-message; fully anonymised — no parent, child, or conversation IDs)

Never on our servers

  • Plaintext of any message your family sends
  • Private encryption keys — they live on the device that made them
  • Contacts from your phonebook or social graphs outside Orbit
  • Ad identifiers, tracking pixels, third-party analytics
  • Any data sold or shared with marketers

What parents can actually see

Orbit treats the family as the unit of privacy. When someone sends a message, their phone encrypts one copy per device in the family trust circle — the others in the conversation, plus the trusted adults on both sides whenever a child is involved. The server relays ciphertext; each family device decrypts locally.

What grown-ups in the family can see and control (when a child is part of the chat):

  • The messages themselves. Every message sent or received is decryptable on a parent's device. You see the conversation in your own Orbit app.
  • Who the children are talking to. The list of active conversations and the grown-up on the other end.
  • Approval for new contacts. A child can't add a new friend without the grown-ups on both sides agreeing.
  • Mack alerts. When Mack flags a message on the child's device, the parent receives an alert showing which labels fired. The underlying message text is readable on the parent's own device (they are a cryptographic participant in the conversation), but the alert itself contains only metadata.
  • Approval requests. In "Hold for approval" mode, flagged messages are held on the child's device pending your sign-off. The message text reaches you via your own decryption, not via the server.
  • Watchlist notifications. A notification when a watchlisted word appears in your child's messages — notification only, no blocking.
  • Metadata. When conversations happen, how often, with whom.

What Orbit cannot do: read those messages on your behalf server-side, hand them to anyone outside your family, or show them to another family's parent. The encryption is scoped to your family — no one else.

Transparency & current state

We believe you should be able to check what we claim. Honest status as of today:

  • Orbit is currently in pre-launch / early beta. The security design described here is in place; polish and audits are ongoing.
  • We plan to commission a third-party security review before a broad public launch and publish the report.
  • Found a security issue? Use the form below. We take responsible disclosure seriously and will credit researchers who report issues privately first.

No tracking. We'll only use your email — if you provide one — to ask follow-up questions about this report.

Technical FAQ

Does Mack break end-to-end encryption?

No. Mack runs on the child's phone before the message is encrypted. The server receives only ciphertext plus a small alert payload (which labels fired, model version) — never the message text. End-to-end encryption is unchanged. This is architecturally different from any server-side scanning approach, where the service provider necessarily sees the plaintext. Mack stays on the device; nothing is sent to the cloud for moderation.

Why not just tell families to use Signal or iMessage?

Those apps nail the encryption but not the rest of the problem for children: anyone with a phone number can message them, there's no parental approval for new contacts, and no on-device, per-child AI moderation like Mack. Orbit reuses the same battle-tested encryption protocol and wraps a family-specific product around it.

What if the Orbit server is compromised?

An attacker with full server access would get: encrypted message blobs (unreadable without device keys), public key material, account metadata, and the family graph. They would not get message plaintext, private keys, or any way to decrypt past or future conversations. This is the whole point of end-to-end encryption: the server is untrusted by design.

Do you support perfect forward secrecy?

Yes — the Double Ratchet construction provides forward secrecy and post-compromise security. Each message uses a fresh symmetric key derived from a rotating ratchet, so compromising one key does not expose earlier or later messages.

Can I see the source code?

Orbit's application code is closed source today. The cryptographic core, however, is built on open, audited libraries — the Signal Protocol implementation (libsignal), Curve25519, and standard primitives — rather than anything proprietary we rolled ourselves. So the parts of the system that have to be trusted to keep your messages private are the parts that have already been peer-reviewed by the wider security community.

How are keys verified between devices?

Each device publishes a signed prekey tied to its long-lived identity key. A recipient device verifies the signature before starting a session. Out-of-band identity verification (safety numbers, QR scan) is on the roadmap for parents who want belt-and-suspenders confirmation.

What happens to messages when a device is added or removed?

New devices generate their own identity key and prekeys and register them with the server; future messages are encrypted for the new device as well as the old ones. Removed devices stop being included in new sessions; their local state is wiped on sign-out.