Security
How we protect our platform, our customers, and their data.
Our Security Commitment
As an AI-driven autonomous cybersecurity execution platform, Arbitium is trusted to secure other organizations' most critical infrastructure. This responsibility demands an unwavering commitment to security. Our own security posture must be exemplary—not just in practice, but as a fundamental principle of our platform architecture.
We maintain SOC 2 Type II compliance, demonstrating our commitment to security, availability, and confidentiality controls. Our information security practices align with ISO 27001 standards, ensuring comprehensive protection across all dimensions of our business.
Platform Architecture & Security
Zero-Trust Architecture: Arbitium employs zero-trust security principles across all platform access. We require continuous authentication and authorization verification regardless of network location or user role, so that every access request is authenticated and validated before permissions are granted.
Agent-Based Deployment: Our autonomous security agents are deployed directly within customer infrastructure, processing security data locally. This architecture ensures that raw security telemetry remains within your control and does not unnecessarily transit external networks.
Encrypted Communications: All communications between Arbitium components and customer environments use TLS 1.3 with strong cipher suites. Data at rest is encrypted using AES-256, protecting sensitive information throughout its lifecycle.
Cryptographic Integrity Verification: All autonomous actions executed by Arbitium include cryptographic integrity verification. This ensures that actions cannot be modified or compromised in transit, and maintains an immutable audit trail of all platform operations.
Data Protection
Customer Infrastructure Priority: Security telemetry from customer environments remains within customer-controlled infrastructure by design. Our AI models process data on-premises or within your cloud environment, minimizing the data that leaves your environment and respecting your security boundaries.
No Cloud-Side Raw Data Storage: Arbitium does not store raw security telemetry on external cloud systems unless explicitly configured for hybrid deployments under customer control. This architecture respects your data sovereignty and reduces exposure risk.
Encryption At Rest and In Transit: All data is protected using industry-standard encryption both when transmitted and when stored. We employ TLS 1.3 for data in motion and AES-256 for data at rest, ensuring protection against unauthorized access.
Data Isolation Between Customers: Each customer's security data is logically and technically isolated. Access controls and encryption ensure that one customer cannot access another customer's telemetry, events, or security findings under any circumstances.
Access Control & Authentication
Role-Based Access Control (RBAC): Access to Arbitium platform features and customer data is governed by role-based access control. Users receive only the permissions necessary to perform their assigned functions, following the principle of least privilege.
Multi-Factor Authentication (MFA): Multi-factor authentication is required for all administrative access and sensitive operations. This layered approach prevents unauthorized access even if credentials are compromised.
SSO/SAML 2.0 Integration: Enterprise customers can integrate Arbitium with their existing identity providers using SAML 2.0, enabling centralized user management and authentication while reducing credential sprawl.
Session Management: All sessions are managed securely with automatic timeouts for inactive users. Session tokens are cryptographically secure and session management follows security best practices.
AI Model Security
Adversarial Testing: Our AI models undergo continuous adversarial testing to identify and remediate vulnerabilities. This proactive approach ensures our models are resilient against sophisticated attacks designed to manipulate autonomous responses.
Model Integrity Verification: All AI models are cryptographically signed and verified before execution. We maintain version control and integrity checks to ensure that models have not been tampered with or corrupted.
Execution Scope Guardrails: Autonomous actions executed by our AI are constrained by guardrails and scope limitations. Our models cannot exceed pre-defined boundaries or execute actions outside their authorized scope, preventing uncontrolled autonomous behavior.
Human-in-the-Loop Escalation: Critical security actions are escalated to human security teams for review and approval. This ensures that high-impact decisions remain under human oversight and control.
Audit Trails for AI Decisions: Every decision made by our AI systems is logged in immutable audit trails. These detailed logs document the reasoning, data inputs, and outputs of each automated decision, enabling comprehensive forensic analysis and regulatory compliance.
Infrastructure Security
Cloud Infrastructure Security: Arbitium's cloud infrastructure is deployed on AWS with security-first architecture. We leverage AWS security services including AWS Security Hub, GuardDuty, and Systems Manager to maintain continuous visibility and threat detection.
Network Segmentation: Our infrastructure employs strict network segmentation with multiple security zones. Internal systems are isolated from external networks, and sensitive components are placed in protected network segments with restricted access.
Web Application Firewall (WAF): All internet-facing applications are protected by Web Application Firewalls that filter malicious traffic, detect attack patterns, and prevent common web exploits.
DDoS Protection: AWS Shield and AWS Shield Advanced provide comprehensive DDoS protection, ensuring that our platform remains available even during distributed denial-of-service attacks.
Penetration Testing: We conduct regular penetration testing by independent security firms to identify vulnerabilities before attackers do. These comprehensive assessments cover all systems and applications.
Vulnerability Scanning: Continuous automated vulnerability scanning identifies security weaknesses across our entire infrastructure. We maintain aggressive patch schedules and remediation timelines for identified issues.
Container Security: Our container environments are hardened with minimal base images, read-only filesystems where possible, and strict resource limits. Container images are scanned for vulnerabilities before deployment.
Incident Response
24/7 Security Operations: Our Security Operations Center operates continuously to monitor for threats, respond to incidents, and maintain platform security. We maintain on-call incident response teams to address issues immediately.
Incident Response Plan: We maintain a documented, tested incident response plan covering detection, investigation, containment, eradication, and recovery. This plan is regularly updated and tested through simulations and real incidents.
Timely Breach Notification: In the event of a security incident involving customer data, we will notify affected customers within 72 hours as required by applicable law, providing detailed information about the incident and our response.
Dedicated Security Team: Our dedicated security team coordinates all incident response activities, manages communication with affected parties, and oversees remediation efforts.
Post-Incident Reviews: Following every incident, we conduct comprehensive post-incident reviews to identify root causes and implement improvements. Lessons learned are shared across our organization to prevent recurrence.
Compliance & Certifications
SOC 2 Type II Certification: Arbitium maintains SOC 2 Type II certification, which has been independently audited by third-party auditors. This certification demonstrates our commitment to security, availability, and confidentiality controls over time.
ISO 27001 Alignment: Our information security management system is designed and implemented in alignment with ISO 27001 standards. We are actively pursuing formal ISO 27001 certification to provide our customers additional assurance.
GDPR Compliance: Arbitium complies with the European Union's General Data Protection Regulation. We implement appropriate safeguards for personal data and respect individuals' data protection rights.
CCPA Compliance: We comply with the California Consumer Privacy Act and similar data protection regulations, providing customers with transparency and control over personal information.
Regular Third-Party Audits: We engage independent auditors to conduct regular security audits and assessments. These third-party reviews provide objective validation of our security controls and identify improvement opportunities.
Penetration Testing by Independent Firms: Annual penetration testing by independent security firms ensures that our platform is resilient against realistic attack scenarios.
Vulnerability Disclosure
Responsible Disclosure Program: We welcome security researchers to help us identify and responsibly address security vulnerabilities. Our responsible disclosure program provides a secure channel for reporting vulnerabilities without public exposure.
Vulnerability Reporting: Security researchers and customers can report vulnerabilities to security@arbitium.com. Please include detailed information about the vulnerability, steps to reproduce, and proof-of-concept code if available.
Acknowledgment and Response: We commit to acknowledging vulnerability reports within 48 hours and providing regular updates on our investigation and remediation efforts. We work diligently to develop patches and deploy them to production as quickly as possible.
No Legal Action Against Good-Faith Researchers: We will not pursue legal action against security researchers who discover vulnerabilities and report them responsibly according to our disclosure guidelines. We appreciate the contributions of the security community.
Employee Security
Background Checks: All employees with access to customer data or sensitive systems undergo thorough background checks consistent with applicable laws and regulations.
Security Training: All employees receive security training covering data protection, secure coding practices, phishing awareness, and incident response. New employees receive onboarding security training, and ongoing training is provided to all staff.
Access Provisioning and Deprovisioning: Employee access to systems and data is provisioned with the minimum privileges necessary. When employees change roles or leave the company, all access is promptly revoked.
Secure Development Lifecycle (SDLC): Our development practices incorporate security from the start. Code is developed following secure coding guidelines and threat modeling principles.
Code Review Requirements: All code changes undergo security-focused code review by qualified developers before deployment. Automated security scanning is performed on all commits to identify potential vulnerabilities.
Business Continuity
Disaster Recovery Plans: We maintain comprehensive disaster recovery and business continuity plans covering various failure scenarios. These plans are documented, tested regularly, and updated as our infrastructure evolves.
RPO/RTO Targets: Our Recovery Point Objective (RPO) is designed to minimize data loss, with backups taken multiple times per day. Recovery Time Objective (RTO) targets ensure rapid restoration of services following any disruption.
Geographic Redundancy: Our infrastructure is distributed across multiple availability zones and regions, ensuring that regional failures do not impact service availability. Data is replicated to geographically diverse locations.
Backup Testing: We conduct regular backup testing to ensure that backups can be successfully restored. These tests validate that our recovery procedures work as intended.
Incident Communication: During any service disruption or security incident, we maintain transparent communication with affected customers, providing status updates and expected resolution timelines.
Contact Our Security Team
We take security seriously and welcome engagement with our security team regarding security concerns, vulnerability reports, security questionnaires, or compliance documentation requests.
Email: security@arbitium.com
Response Times: We commit to acknowledging all security inquiries within 48 hours and providing substantive responses within 5 business days. For urgent security matters, please clearly mark your email as urgent.
Accepted Requests: We respond to vulnerability reports, security assessments, security questionnaires, compliance documentation requests, and other security-related inquiries from customers and authorized third parties.
Last Updated: March 2026