An operating system for working businesses
concorbit.
one system
·
not a stack of tools
last shipped Sun 24 May

Built to keep your customers' data yours.

you're trusting us with your whole business — your customers, your tickets, your invoices, your passwords. here's how that data is kept separate, encrypted, and accounted for. no jargon, and we say so plainly where something is still in progress.

last reviewed 2026-05-21 · want the deeper detail? email security@concorbit.com under nda.

Keeping data apart

Your data is walled off from everyone else's.

every customer is a separate tenant. every row of data carries a tenant id, and the platform automatically filters every query to the tenant making it — there's no path that returns another customer's records. a test in our build fails if anyone tries to widen that.

the sensitive stuff — names, emails, vault entries, integration credentials — is encrypted with a key derived per tenant, so one tenant's data can't be read with another's key. the database sits on an encrypted disk, and the master key lives on the host, never in the database.

Signing in
Multi-factor and passkeys
authenticator apps (totp) and fido2 / webauthn passkeys, on every tier. you can require mfa per role.
Microsoft 365 single sign-on
sign in with your microsoft account over your own domain. no extra charge for it — sso isn't a tax here.
Sessions you control
secure, http-only cookies, configurable timeouts, and a list of your active sessions you can sign out remotely.
Roles and permissions
system roles plus your own custom ones, with fine-grained per-module permissions. api access uses scoped bearer tokens.
The paper trail

Every change is logged, and the log can't be quietly edited.

state-changing actions write to an audit log where each entry is cryptographically chained to the one before it. tamper with a row and the chain breaks, so quiet edits are detectable. the keys are per tenant, the log is tenant-scoped, and it's exportable to csv or json. the vault keeps its own separate access log.

Where your data lives

everything runs in the uk. traffic is tls 1.3 end to end, behind cloudflare for tls, ddos and waf. the database is backed up nightly to encrypted uk storage with 30-day retention.

we act as your data processor for your customers' data, and controller only for your own account and billing details. a data processing agreement is available on request. a few specialist sub-processors handle the plumbing:

Cloudflare
tls, edge caching, ddos and waf · global edge
UK hosting
compute, primary storage, encrypted nightly backups · uk
Stripe
payments and subscription billing
Postmark
transactional email delivery
Telling us about a problem

found something? email security@concorbit.com or read security.txt. we work to a 90-day disclosure window and we won't take legal action against good-faith researchers.

we're an independent uk company, not a big vendor with a compliance department — so we'll be straight with you about what we have and don't. we're working towards cyber essentials and soc 2, and we'll say so here when they land. if a particular certification is a hard requirement for your procurement, email security@concorbit.com and we'll tell you honestly whether we're the right fit yet.