Security Whitepaper

Last updated: August 23, 2025

Executive Summary

ArX AI is built for secure document analysis and retrieval‑augmented generation (RAG). This whitepaper details our technical controls, operational processes, and compliance posture to protect customer data across its lifecycle.

Key Security Commitment:

We do not use your documents to train our AI models. Your data remains private and secure.

Architecture Overview

  • Segregated services: Web/API (Laravel), AI vector service (FastAPI), and storage layers operate with least‑privileged identities
  • Data flows: Inbound uploads → extraction/optional OCR → chunking → embeddings → vector DB. Personally identifiable information is minimized
  • Isolation: Per‑user or per‑organization namespaces in the vector store; queries filtered by user/project scope

Data Security Controls

  • Transport security: TLS 1.2+ everywhere
  • Encryption at rest: Provider‑managed keys (AES‑256 or equivalent) for databases and object storage
  • Key management: Secrets injected via environment variables, rotated on compromise or personnel changes
  • Backups: Encrypted, access‑controlled, and periodically tested restores

Identity, Authentication, and Authorization

  • User auth: Tokens via Sanctum; optional phone verification (SMS OTP) for sensitive features
  • Admin auth: Separate guard and credentials, admin‑only endpoints, and access logging
  • Authorization: RBAC and plan‑based entitlements enforced server‑side

Application Security

  • Secure coding: Input validation, parameterized queries/ORM, CSRF protections where applicable
  • Rate limiting: Multi‑tier limits prevent brute force and abuse
  • File handling: Strict MIME/type validation, limited parsers, and sandboxed processing

AI/Vector Layer Security

  • Embeddings: Multiple embedding providers supported, with data transmitted over TLS; only vectors and necessary metadata stored
  • Vector DB: Namespaced collections, query‑time filters by user and document IDs, and minimal payloads
  • Provider selection: Models invoked via secured APIs; no training on customer data unless contractually agreed
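
An illustration of the namespace and query-time filter controls listed above, added here as an example and not ArX AI's own code. The in-memory store, the Principal and Chunk types, and scoped_search are hypothetical names, and the sample data is constructed.

```python
import math
from dataclasses import dataclass

# Hypothetical types and store for illustration; not ArX AI's implementation.
@dataclass(frozen=True)
class Principal:
    """Identity taken from the verified auth token, never from the request body."""
    org_id: str
    user_id: str

@dataclass(frozen=True)
class Chunk:
    owner_id: str
    doc_id: str
    vector: tuple
    text: str

# Constructed sample data: one namespace (collection) per organization.
STORE = {
    "org-a": [
        Chunk("alice", "doc-1", (1.0, 0.0), "alice contract terms"),
        Chunk("alice", "doc-2", (0.6, 0.8), "alice invoice"),
        Chunk("bob", "doc-3", (1.0, 0.1), "bob payroll"),
    ],
    "org-b": [Chunk("carol", "doc-9", (1.0, 0.0), "carol merger plan")],
}

def cosine(a, b):
    norm = math.hypot(*a) * math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

def scoped_search(principal, query_vec, doc_ids=None, top_k=3):
    """Rank chunks for a query, with scope fixed by the server.

    The namespace and owner filter come from `principal`; the client-supplied
    `doc_ids` can only narrow the result set, never widen it.
    """
    candidates = [c for c in STORE.get(principal.org_id, [])
                  if c.owner_id == principal.user_id]
    if doc_ids is not None:
        wanted = set(doc_ids)
        candidates = [c for c in candidates if c.doc_id in wanted]
    ranked = sorted(candidates, key=lambda c: cosine(query_vec, c.vector),
                    reverse=True)
    # Minimal payload: no vectors or owner identifiers leave the service.
    return [{"doc_id": c.doc_id, "text": c.text} for c in ranked[:top_k]]
```

Requesting a document ID from another user or organization returns an empty result instead of an error, so the response does not confirm whether that ID exists.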

Operational Security and Monitoring

  • Access control: Role‑based cloud/IAM, short‑lived credentials, and logging for administrative actions
  • Change management: Code reviews, CI/CD, and staged rollouts. Dependencies patched regularly
  • Observability: Health checks, structured logs, anomaly detection, and on‑call escalation

Compliance Posture

ArX AI is designed to be compliance‑ready and to integrate with customer security requirements.

  • GDPR: DSR support (access, erasure), purpose limitation, data minimization
  • Pakistan (PECA 2016, PDPA draft): Security safeguards, lawful processing basis, breach response cooperation
  • Enterprise readiness: DPAs, audit support, and data residency options (where available)

Incident Response

  • Preparation: Runbooks for service isolation, credential rotation, and customer communications
  • Detection/Analysis: Alerts triaged by severity; forensic logs retained per policy
  • Containment/Eradication/Recovery: Phased response; post‑incident reviews to drive improvements

Shared Responsibility Model

Responsibility Distribution

Customer Responsibilities

  • Project membership management
  • Document access controls
  • API key management
  • User account security

ArX AI Responsibilities

  • Platform infrastructure security
  • Service and application security
  • Default security configurations
  • Data encryption and backup

Contact Information

For security and compliance inquiries, vulnerability reports, or data processing agreements:

Ali Raza Technologies (SMC-Pvt) Limited

  • Security Team:
  • General Inquiries:
  • Support:
  • Phone:
  • Address: Chak No 108 G.B, Tehsil Jaranwala, District Faisalabad, Punjab, Pakistan, 38000
  • Registration: Registered under Companies Act 2017

Security Vulnerability Reporting: If you discover a security vulnerability, please report it responsibly to our security team. We will acknowledge receipt within 24 hours and provide updates on our investigation.

This whitepaper is informational and describes our current security implementation. It is not a contractual commitment. For legally binding security terms, please refer to your service agreement or data processing agreement.

Additional Resources:

For a high-level overview of our security practices, visit our Security Overview page.