Security & Trust

Built for your InfoSec team to approve.

This page contains the information your InfoSec team, legal counsel, and DPO will need to complete a first-pass review. If something is missing, email security@aarvion.ai.

Architecture

Aarvion operates a two-plane model. The control plane is managed by Aarvion. The data plane is customer-hosted in your VPC.

AARVION-MANAGED CONTROL PLANE

  • Policy engine (OPA): rule evaluation, no PII
  • Manifest registry: YAML/JSON schemas
  • Cost attribution engine: aggregated metrics only
  • Admin & observability: dashboards, alerts

VPC BOUNDARY

CUSTOMER-HOSTED DATA PLANE

  • Evidence ledger: prompts, model, tools, identity
  • HSM signing service: per-tenant keys, never exported
  • Token & cost raw log: full resolution, customer-owned
  • Agent runtime proxy: MCP/A2A translation

What crosses the VPC boundary

  • Policy evaluation results (allow/deny) — no payload
  • Aggregated cost metrics — no line items
  • Manifest schema definitions — no data
  • Anonymized telemetry (opt-in only)

What stays inside your VPC

  • Every prompt and model response — full fidelity
  • All PII, credentials, and customer data
  • The raw evidence ledger (signed at record time)
  • Per-call token and cost data

Certifications & roadmap

SOC 2 Type II

In progress
ETA: Q2 2026

Audit period started January 2026. Report available under NDA.

ISO 27001

Planned
ETA: Q4 2026

Gap assessment complete. Remediation in progress.

AICPA AI Addendum

Planned
ETA: Q1 2027

Covers AI-specific trust service criteria for SOC 2.

Data handling

What Aarvion collects

Billing data, account metadata, and anonymized telemetry (opt-in). We do not collect prompts, model responses, customer PII, or business data. All of that lives in your VPC.

Retention

Control plane data is retained for the duration of your subscription plus 90 days. You can request deletion at any time. Data plane data (in your VPC) is entirely under your retention policy.

Data residency

The control plane is available in US East, EU West, and APAC Southeast. The data plane runs wherever you deploy your VPC. Regional options for IN, UAE, and SG are available on the Enterprise tier.

Sub-processors

We maintain a live subprocessor list. Current sub-processors: AWS (infrastructure), Stripe (billing), Resend (transactional email). We notify you of changes 30 days in advance.


Cryptography

Signing keys. Per-tenant HSM-backed ECDSA P-256 keys. Keys are generated in the HSM and never exported. The HSM is located in your cloud region on Platform/Enterprise tiers.
Evidence ledger. Append-only hash-chained log. Each record includes: SHA-256 hash of previous record + timestamp + record body. Tamper-evidence is verifiable by any party with the public key.
Optional notarisation. Enterprise tier supports anchoring the ledger root hash to a public blockchain (Ethereum mainnet or a permissioned chain of your choice) for third-party-verifiable non-repudiation.
TLS. TLS 1.3 everywhere. Certificate pinning available for enterprise on-prem deployments. We support mTLS between the control plane and your data plane.
Encryption at rest. AES-256 for all data at rest in the control plane. Data plane encryption is under your cloud provider's key management (AWS KMS, Azure Key Vault, GCP Cloud KMS).
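
The hash chaining described under "Evidence ledger" can be checked independently by recomputing each record's hash and comparing it with the next record's stored previous hash. The sketch below is an added illustration, not Aarvion's code or record format: the JSON encoding, field names, genesis value and the `trusted_head` parameter are assumptions, and the per-record ECDSA signature is left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first record


def record_hash(prev_hash, timestamp, body):
    # Assumed canonical encoding (sorted-key compact JSON); a real ledger
    # defines its own byte layout, which a verifier must match exactly.
    payload = json.dumps({"prev": prev_hash, "ts": timestamp, "body": body},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(ledger, timestamp, body):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "ts": timestamp, "body": body,
                   "hash": record_hash(prev, timestamp, body)})


def verify(ledger, trusted_head=None):
    """Walk the chain; return (ok, index of first failure or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["prev"] != prev:
            return (False, i, "broken link")
        if record_hash(rec["prev"], rec["ts"], rec["body"]) != rec["hash"]:
            return (False, i, "content mismatch")
        prev = rec["hash"]
    # Chain-internal checks cannot see truncation or a full rebuild, so the
    # final hash is compared with a head value obtained out of band.
    if trusted_head is not None and prev != trusted_head:
        return (False, len(ledger), "head mismatch")
    return (True, None, "ok")


def sample_ledger():
    # Constructed sample records, not real ledger data.
    ledger = []
    append(ledger, "2026-01-05T10:00:00Z", {"agent": "a1", "tool": "search"})
    append(ledger, "2026-01-05T10:00:02Z", {"agent": "a1", "tool": "email"})
    append(ledger, "2026-01-05T10:00:07Z", {"agent": "a2", "tool": "search"})
    return ledger


if __name__ == "__main__":
    good = sample_ledger()
    print(verify(good, trusted_head=good[-1]["hash"]))
    edited = sample_ledger()
    edited[1]["body"]["tool"] = "delete"   # in-place edit of a stored record
    print(verify(edited))
```

Without `trusted_head`, a ledger whose last records were dropped still verifies; comparing against an authenticated head hash, such as a signed or externally anchored one, is what exposes truncation.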

Vulnerability disclosure

We operate a coordinated disclosure policy. If you discover a security vulnerability in Aarvion, please report it to security@aarvion.ai.

Response SLA: Initial acknowledgment within 24 hours. Triage within 72 hours.
Disclosure window: 90-day coordinated disclosure. We will notify you before any public disclosure.
Scope: All production services at *.aarvion.ai and the Aarvion GitHub organization.
PGP key: Available on request. Key fingerprint published on our GitHub security advisory page.
DPO contact: data-protection@aarvion.ai — for GDPR Article 37 inquiries.

Need more for your questionnaire?

Enterprise evaluations receive a full security package under NDA: architecture diagrams, shared responsibility model, SOC 2 readiness report, penetration test summary, and a dedicated call with our security lead. Typical turnaround is 5 business days from signed NDA.