
Security Policy

Last updated March 1, 2026

Arvexi maintains world-class security and privacy measures to protect customer data. Our customers entrust us with sensitive financial information (lease agreements, journal entries, compliance records) and we treat that responsibility as foundational to everything we build. This policy outlines our security practices, certifications, and commitments.

1. Security Architecture

1.1 Infrastructure

The Service is hosted on enterprise-grade cloud infrastructure with:

  • Multi-region deployment with automated failover and geographic redundancy for high availability
  • Network segmentation isolating application, database, and AI processing tiers into separate security zones
  • Web Application Firewall (WAF) and DDoS protection at the network edge
  • Private VPC configuration with no direct public internet access to backend services or data stores
  • Infrastructure-as-code with automated provisioning, eliminating manual configuration drift

1.2 Tenant Isolation

Customer data is logically segregated at the database level. Each customer's lease documents, financial records, and AI outputs are isolated from other tenants. Access controls enforce strict tenant boundaries at every layer of the application stack, verified through automated testing and regular security reviews.

2. Data Sovereignty and Control

You maintain control over your data throughout its lifecycle:

  • Upload Decisions: You decide what documents and data to upload to the Service
  • Retention Policies: Configure data retention periods per portfolio or entity to meet your compliance requirements
  • Deletion: Request on-demand deletion of Customer Data with confirmation and audit trail
  • Export: Export your data at any time in standard formats for portability
  • Data Lifecycle Management: Full visibility into data access, modifications, and processing through comprehensive audit logs

3. Encryption

3.1 Data at Rest

All Customer Data stored in Arvexi's systems is encrypted using AES-256. This includes lease documents, extracted data fields, journal entries, amortization schedules, audit logs, and backups. Encryption keys are managed through a dedicated key management service with automatic key rotation and strict access controls.

3.2 Data in Transit

All network communication uses TLS 1.3 with forward secrecy. This applies to:

  • User browser sessions and API calls to the Service
  • Internal communication between Service microservices
  • Data transfers to and from AI processing infrastructure
  • Database connections, replication, and backup transfers

4. No Model Training

Arvexi does not use Customer Data to train, fine-tune, or improve general-purpose AI models. Each customer's data is processed in isolation for the sole purpose of delivering the Service. This commitment is:

  • Contractually enforceable through our Terms of Service and Data Processing Agreement
  • Technically enforced through infrastructure isolation and access controls
  • Independently verified through third-party audits

Subprocessors involved in AI processing are contractually prohibited from retaining Customer Data or Input beyond the processing session.

5. Access Controls

5.1 Authentication

  • Multi-factor authentication (MFA) required for all Service accounts
  • SAML 2.0 and OIDC single sign-on (SSO) integration for Enterprise customers
  • IP allow-listing to restrict access to approved network ranges
  • Session management with configurable timeout and automatic lockout after failed authentication attempts

5.2 Authorization

  • Role-based access control (RBAC) with predefined roles: Admin, Controller, Accountant, Viewer, Auditor
  • Principle of least privilege: users only access data and features required for their role
  • Auditor role provides read-only access through the dedicated Auditor Portal with complete audit trail
  • All access permissions auditable and reviewable by Customer administrators

5.3 Internal Access

Arvexi employee access to production systems follows strict controls:

  • Just-in-time access provisioned through an approval workflow with mandatory business justification
  • All production access logged, monitored, and subject to automated alerting
  • Background checks required for all employees with production access
  • Access automatically revoked upon role change or employment termination
  • Quarterly access reviews to ensure permissions remain appropriate

6. Enterprise-Grade Features

  • SAML SSO: Integrate with your identity provider for centralized authentication and provisioning
  • Audit Logs: Comprehensive, immutable logs of all user actions, data access, and system events, exportable for compliance
  • IP Allow-Listing: Restrict Service access to approved corporate networks
  • Data Lifecycle Management: Configurable retention policies, automated data classification, and scheduled purge workflows
  • Custom Security Policies: Configure password requirements, session durations, and MFA enforcement to match your organization's security policies

7. Compliance Certifications

Arvexi maintains the following certifications and attestations:

  • SOC 2 Type II: Independent audit of security, availability, and confidentiality controls. Continuously monitored through automated compliance tooling.
  • SOC 1 Type II: Controls relevant to financial reporting, independently audited. Critical for customers relying on Arvexi for journal entry generation and compliance reporting.
  • ISO 27001: Certified information security management system covering risk assessment, access controls, incident management, and business continuity.
  • GDPR Compliant: Full compliance with the General Data Protection Regulation, including data subject rights, lawful processing bases, and cross-border transfer safeguards.
  • CCPA Compliant: Full compliance with the California Consumer Privacy Act, including data subject rights, deletion requests, and disclosure obligations.

Current audit reports and certifications are available to customers and prospects under NDA. Contact security@arvexi.com to request copies.

8. Independently Tested

Our security posture is validated through independent third-party assessments:

  • Annual penetration testing by independent security firms covering application, infrastructure, and API attack surfaces
  • Continuous automated vulnerability scanning of all Service components
  • Red team exercises to test detection and response capabilities
  • Third-party code reviews for security-critical components
  • Dependency scanning with automated alerts for known CVEs in third-party libraries

9. Vulnerability Management

  • Critical vulnerabilities patched within 24 hours of identification
  • High-severity vulnerabilities remediated within 7 days
  • Responsible disclosure program for external security researchers
  • Automated dependency monitoring and alerting for supply chain risks
  • Security regression testing integrated into the development pipeline

10. Incident Response

Arvexi maintains a documented incident response plan that covers:

  • Detection: 24/7 monitoring with automated alerting for anomalous activity, unauthorized access attempts, and potential data exfiltration
  • Containment: Immediate isolation of affected systems with established runbooks to prevent lateral movement and further impact
  • Notification: Affected customers notified within 48 hours of a confirmed data breach, with ongoing updates throughout investigation and resolution
  • Recovery: Restoration from encrypted backups with tested recovery procedures and validation checks
  • Post-Incident: Root cause analysis and corrective actions documented within 5 business days, with findings shared with affected customers upon request

11. Business Continuity

  • Automated database backups with point-in-time recovery capability
  • Multi-region replication for critical data stores
  • Recovery Time Objective (RTO): 4 hours for critical services
  • Recovery Point Objective (RPO): 1 hour maximum data loss
  • Annual disaster recovery testing with documented results and improvement plans
  • Business continuity plan covering facility, personnel, and vendor disruption scenarios

12. Employee Security

  • Comprehensive security awareness training for all employees upon hire and annually thereafter
  • Role-specific training for engineering, operations, and customer-facing teams
  • Phishing simulation exercises conducted quarterly with tracking and remediation
  • Secure development lifecycle (SDLC) training for all engineering team members
  • Clear desk, screen lock, and device encryption policies for all personnel
  • Mandatory background checks for all employees with access to production systems or Customer Data

13. Enforceable Commitments

Our security commitments are not just aspirational. They are contractually binding. The security practices described in this policy are incorporated into our:

These documents are aligned with SOC 2, ISO 27001, and GDPR standards and are available for review during your procurement and security assessment process.

14. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to security@arvexi.com. We acknowledge reports within 24 hours and provide an initial assessment within 72 hours. We will not take legal action against researchers who report vulnerabilities in good faith and in accordance with our responsible disclosure guidelines.

Contact

For security inquiries, audit report requests, compliance questionnaires, or to report a vulnerability:

Arvexi, Inc.
Attn: Security Team
security@arvexi.com
