Security Overview

Last updated: August 23, 2025

Our Security Principles

• Security by design: Minimal access, least privilege, auditability, and defense in depth
• Privacy first: Only collect data required to provide the service; configurable data retention
• Transparency: Clear data flows, storage locations, and subprocessors

Data Protection

• Encryption in transit: All traffic over TLS 1.2+
• Encryption at rest: Databases and object storage encrypted using provider-managed keys (AES‑256 or equivalent)
• Secret management: Application secrets stored in environment variables and rotated per environment
• Data residency & backups: Backups are encrypted and retained per policy; configurable retention windows

Application Security

• Authentication: Token-based auth (Sanctum) with optional multi-factor verification (phone/SMS OTP)
• Authorization: Role-based access controls and plan-based feature gating
• Rate limiting & abuse protection: Tiered rate limits per plan to protect from brute force and abuse
• Input validation: Strict validation on all endpoints; server-side allowlisting for uploads
• Logging & monitoring: Structured logs, error tracking, and anomaly alerts for security‑sensitive operations

AI & Vector Security

• Isolation: Vector namespaces are isolated per user/organization
• Content handling: Uploaded documents are processed in ephemeral workers; only extracted text and metadata required for RAG are stored
• Provider security: Third‑party LLM/embedding providers are accessed strictly over TLS with API keys scoped per environment

Operational Security

• Least privilege: Separate IAM roles for app, storage, and backups; production access is restricted and logged
• Change management: Version control and CI/CD with required reviews for production changes
• Vulnerability management: Regular dependency updates and security patches; periodic security reviews

Compliance & Legal

ArX AI follows industry best practices and is designed to be compliance‑ready. We can support customer assessments and data processing agreements upon request.

• GDPR‑ready: Data subject rights tooling; data export/deletion on request; subprocessor transparency
• Pakistan regulations: Aligned with Prevention of Electronic Crimes Act (PECA) 2016, State Bank of Pakistan (SBP) cybersecurity guidelines, and Personal Data Protection Bill principles for collection, purpose limitation, and security safeguards
• Security controls: Access control, encryption, audit logs, and incident procedures aligned with common frameworks (ISO 27001 alignment)

Customer Controls

• Configurable token limits, rate limits, and phone-verification requirements
• Per‑user token/session management and forced revocation from the dashboard
• Project/document scoping for searches; organization‑level namespaces for business plans

Incident Response

• Detection: Continuous monitoring and alerting for anomalies
• Containment and recovery: Defined runbooks for isolating affected components, rotating credentials, and restoring from clean backups
• Notification: We notify affected customers in a timely manner when legally required

Contact Information

For security inquiries, vulnerability disclosures, or data processing agreement requests, please contact us:

This document describes our current security posture and may evolve without prior notice. For contractual commitments, refer to your service agreement or data processing agreement.