Privacy Policy

Last updated: March 2026

1. Introduction

Arbitium is an AI-driven autonomous cybersecurity execution platform that enables organizations to detect, respond to, and remediate security threats at machine speed. This Privacy Policy explains how Arbitium ("we," "us," "our," or "Company") collects, uses, processes, and protects information when you use our platform, website, and related services.

We are committed to transparency regarding our data practices, particularly regarding the security telemetry we process within customer environments. This policy applies to all users and customers of Arbitium, including those who interact with our website and those who deploy our autonomous security platform within their infrastructure.

2. Information We Collect

We collect information from multiple sources to provide and improve our services:

Contact and Account Information: When you request a demo, contact us, or create an account, we collect your name, email address, phone number, company, job title, and any other information you provide in forms or communications.

Security Telemetry from Customer Environments: Once deployed, Arbitium collects and processes security signals from your infrastructure, including:

  • SIEM alerts and logs (security events, anomalies, threats)
  • EDR (Endpoint Detection and Response) data (process execution, file activity, network connections)
  • IAM events (authentication, authorization, user access changes)
  • Cloud signals (infrastructure events, configuration changes, security findings)
  • Email metadata (headers, sender/recipient info, threat indicators) from email security gateways

Platform Usage Data: We collect information about how you interact with the Arbitium platform, including actions executed, configurations applied, and response workflows triggered.

Website Analytics: We use analytics tools to understand how visitors interact with our website, including page views, click patterns, session duration, and device information.

Communication Data: We may collect email addresses and communication records when you contact us via email, contact forms, or support channels.

3. How We Use Your Information

We use the information we collect for legitimate business purposes:

Service Delivery: To provide autonomous security execution services, detect threats, execute remediation actions, and maintain platform functionality within your environment.

AI Model Development: To improve our AI reasoning and detection models, we analyze de-identified and aggregated security telemetry. This helps us enhance threat detection accuracy, reduce false positives, and develop more effective autonomous response capabilities. Individual customer data is anonymized before use in model training.

Customer Support: To respond to your inquiries, provide technical support, and troubleshoot issues with the platform.

Compliance and Audit: To maintain immutable audit trails, comply with legal obligations, meet regulatory requirements (SOC 2, ISO 27001, HIPAA, PCI-DSS), and support compliance audits and investigations.

Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraud, and unauthorized access to our systems.

Marketing and Communications: To send you information about Arbitium services, product updates, and relevant content (you may opt out at any time).

Analytics and Improvement: To analyze platform usage patterns and improve our products, features, and user experience.

4. Data Processing and Security Telemetry

On-Premises and Customer-Cloud Processing: Arbitium's core architecture is designed to process security telemetry within customer-controlled infrastructure. Our AI models operate on-premises or within your cloud environment, minimizing data exfiltration and ensuring that raw security signals remain within your security boundary.

Telemetry Retention in Customer Infrastructure: Security telemetry data is retained within your infrastructure according to your retention policies and customer agreements. Arbitium does not copy raw telemetry to external systems unless explicitly configured for hybrid deployments.

Data Minimization: We collect only the security signals necessary to perform threat detection and response. We do not capture full packet data, raw file contents, or personal user data beyond what is required for security analysis.

Aggregated Intelligence: Insights and threat indicators derived from security telemetry may be aggregated across customers (in anonymized form) to improve collective threat intelligence and detection models, with your consent or as permitted by our service agreements.

Customer Data Isolation: Each customer's security data is logically isolated. Access controls and encryption ensure that one customer cannot access another customer's telemetry or security events.

5. Data Retention

Security Telemetry: Security telemetry data is retained according to the terms specified in your customer agreement with Arbitium. Typical retention periods range from 30 days to 2+ years, depending on your configuration and compliance requirements. You control retention policies for data within your environment.

Contact and Account Information: We retain contact information for as long as your business relationship with Arbitium continues and for a reasonable period afterward to fulfill legal obligations and respond to inquiries. You may request deletion of your contact information at any time.

Audit and Compliance Logs: Audit trails and compliance logs are retained per compliance framework requirements (SOC 2, ISO 27001, HIPAA, PCI-DSS). These are typically retained for 3-7 years depending on regulatory obligations.

Website Analytics: Website analytics data is typically retained for 12-24 months unless you request deletion.

Deleted Account Data: Upon account deletion or contract termination, we securely delete or de-identify personal and telemetry data, except where retention is required by law.

6. Data Security

Encryption: All data in transit between customer environments and Arbitium systems is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent standards where applicable.

Zero-Trust Architecture: Arbitium employs zero-trust security principles for all platform access, requiring continuous authentication and authorization verification regardless of network location.

Immutable Audit Trails: All actions taken by the platform, including autonomous responses and administrative changes, are logged in immutable audit trails that cannot be modified or deleted without detection.

Access Controls: Access to customer data is restricted to authorized personnel based on role-based access control (RBAC) and the principle of least privilege. Multi-factor authentication is required for all administrative access.

SOC 2 Type II Compliance: Arbitium maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, and confidentiality controls.

ISO 27001 Certification: Our information security management system is ISO 27001 certified, covering identity and access management, cryptography, incident response, and vendor management.

Vulnerability Management: We conduct regular security assessments, penetration testing, and vulnerability scanning to identify and remediate security weaknesses.

Incident Response: We maintain a documented incident response plan and will notify affected customers of security breaches involving their data within 72 hours as required by law.

7. Third-Party Sharing

No Data Sale: Arbitium does not sell, rent, or trade your personal information or customer security data to third parties for marketing or commercial purposes.

Service Providers: We may share data with trusted service providers (cloud infrastructure providers, analytics vendors, payment processors) who are contractually bound to protect your information and use it only as necessary to provide services to Arbitium.

Legal Requirements: We may disclose information when required by law, court order, government request, or in response to a legal process. We will attempt to notify customers of legal demands for their data where permitted.

Business Transfers: If Arbitium is acquired, merges with another company, or sells assets, customer information may be transferred as part of that transaction. You will be notified of any such change and any choices you may have regarding your information.

Threat Intelligence Sharing: With your consent, Arbitium may share de-identified threat indicators and attack patterns with industry organizations and threat intelligence communities to strengthen collective security. Raw customer data is never shared without explicit authorization.

Aggregated Analytics: We may share aggregated, anonymized analytics about platform usage trends and threat patterns with customers and industry analysts.

8. Your Rights

Access: You have the right to access your personal information and a description of how it is being processed. We will provide this information within 30 days of your request.

Correction: You have the right to correct inaccurate or incomplete personal information. You can update your account information directly in the platform or by contacting us.

Deletion: You have the right to request deletion of your personal information, subject to legal and contractual retention obligations. We will delete your information within 60 days of your verified request, except where retention is required.

Portability: You have the right to receive a copy of your personal information in a structured, commonly used, machine-readable format and to transmit that data to another service provider.

Opt-Out of Marketing: You may opt out of receiving marketing communications by clicking the unsubscribe link in our emails or contacting us directly.

Restrict Processing: You have the right to request that we restrict processing of your information in certain circumstances, such as while we verify the accuracy of disputed data.

Exercise Your Rights: To exercise any of these rights, please contact us at info@arbitium.com with your request. We will verify your identity and respond within the timeframes required by applicable law.

9. Cookies and Website Analytics

Cookie Policy: Arbitium uses cookies and similar tracking technologies to enhance website functionality and user experience. We use:

  • Essential Cookies: Required for security, session management, and basic functionality
  • Analytics Cookies: To understand how visitors use our website and improve user experience
  • Marketing Cookies: To track campaign effectiveness and personalize content (optional, requires consent)

Default to Essential Only: By default, we set only essential cookies. Marketing and analytics cookies require your explicit consent before activation.

Cookie Preferences: You can manage your cookie preferences through your browser settings or our cookie consent banner. Most browsers allow you to refuse cookies or alert you when cookies are being sent.

Analytics Tools: We use industry-standard analytics tools (such as Google Analytics) to measure website performance. These tools may collect anonymized usage data. You can opt out of analytics tracking using browser plugins or settings.

Do Not Track: If your browser includes a "Do Not Track" signal, we honor that preference and will not use tracking cookies.

10. Changes to This Policy

Arbitium may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this policy will be updated whenever changes are made.

Material Changes: For material changes to this policy that affect how we use your information, we will notify you by email or prominent notice on our website at least 30 days before the changes become effective. Your continued use of Arbitium services after such notification constitutes your acceptance of the updated policy.

Your Responsibility: It is your responsibility to review this policy periodically. We encourage you to check for updates to stay informed about how Arbitium protects your information.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: info@arbitium.com

We will respond to your inquiry within 30 days. If you believe we have not adequately addressed your privacy concerns, you also have the right to lodge a complaint with your local data protection authority.