Security

Enterprise-Grade Security

Your compliance data is among the most sensitive information in your organization. We protect it with the same rigor we help you apply to your AI models.

SOC 2 Type II

Annual audit by an independent third-party assessor covering security, availability, and confidentiality.

ISO 27001

Certified information security management system covering all organizational controls.

GDPR Compliant

Full compliance with EU General Data Protection Regulation including DPA availability.

HIPAA Ready

BAA available for healthcare customers processing protected health information.

Security Architecture

Encryption at Rest & in Transit

All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Database encryption with customer-managed keys is available on Pro plans.

Infrastructure Security

Hosted on AWS with VPC isolation, WAF protection, DDoS mitigation, and automated security patching. Multi-region availability for disaster recovery.

Access Controls

Role-based access control (RBAC), SSO/SAML 2.0 integration, multi-factor authentication, and session management with configurable timeouts.

Business Continuity

Recovery point objective (RPO) of 1 hour and recovery time objective (RTO) of 4 hours. Automated backups, multi-AZ deployment, and tested disaster recovery procedures.

Vulnerability Management

We maintain a comprehensive vulnerability management program including automated scanning, third-party penetration testing (conducted annually), and a responsible disclosure program. Critical vulnerabilities are triaged within 4 hours and patched within 24 hours.

Employee Security

All Arrya employees undergo background checks and complete security awareness training upon hire and annually thereafter. Access to production systems follows the principle of least privilege with quarterly access reviews. All engineering laptops are encrypted with endpoint detection and response (EDR) software.

Data Handling

Customer data is logically isolated between tenants. We do not use customer data to train AI models. Data retention policies are configurable per customer, and data deletion requests are processed within 30 days. We provide data export in standard formats upon request.

Incident Response

Our incident response team follows a documented playbook with defined severity levels, escalation paths, and communication templates. Customers are notified of security incidents affecting their data within 72 hours per GDPR requirements, and sooner where contractually agreed.

Reporting a Security Issue

If you discover a potential security vulnerability, please report it to security@arrya.co. We appreciate responsible disclosure and will acknowledge your report within 24 hours.