Security
Always on. Always secure.
Your data is in safe hands.
From encryption to access management, Arvexi enforces rigorous standards to ensure your data stays secure, private, and compliant.
Certified & compliant
Built on certified infrastructure with enterprise-grade controls at every layer.
SOC 2 Type II Infrastructure
Built on SOC 2 Type II certified cloud infrastructure providers. Arvexi’s own SOC 2 Type I audit is in progress.
SOX-Ready Controls
Separation of duties, period locking, four-eyes governance, and immutable audit trails enforced at the API level. Not configured in settings.
CCPA Compliant
Transparent, documented handling of personal data for California residents. Right-to-delete and data export workflows built in.
AES-256 Encryption
All data encrypted at rest with AES-256 and in transit with TLS 1.2+, inheriting enterprise-grade encryption from our infrastructure providers.
Financial controls
SOX compliance enforced in code, not configured in settings
Separation of Duties
Preparer cannot approve their own reconciliation. Reviewer cannot be the preparer. Entity certification requires a different approver. Enforced at the API level — returns HTTP 403, not a warning.
Period Locking
Close periods follow a controlled lifecycle: OPEN → IN_CLOSE → CLOSED → LOCKED. Once locked, no mutations are possible — no journal entries, no reconciliation changes. Unlock requires admin approval with full audit trail.
Four-Eyes Governance
Data imports go through staging tables before touching production. The person who imports cannot approve. Approval gates require review before staged data is committed. Historical snapshots preserved for every batch.
Immutable Audit Trail
Every reconciliation claim, submission, approval, and rejection logged with user and timestamp. Consolidation runs, IC eliminations, and currency translations recorded with parameters used. Append-only — database triggers prevent modification.
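A minimal model of the separation-of-duties and period-lock rules described above, added here as an illustration and not Arvexi's code. All class and function names are hypothetical, and recording denied attempts in the audit log is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Hypothetical model for illustration; none of these names are Arvexi's API.
class PeriodState(Enum):
    OPEN = "OPEN"
    IN_CLOSE = "IN_CLOSE"
    CLOSED = "CLOSED"
    LOCKED = "LOCKED"

# Forward-only lifecycle in the order the page lists it.
LIFECYCLE = list(PeriodState)

@dataclass
class Reconciliation:
    rec_id: str
    preparer: str
    period_state: PeriodState
    status: str = "SUBMITTED"

@dataclass
class AuditLog:
    _entries: list = field(default_factory=list)

    def append(self, user, action, rec_id, outcome):
        ts = datetime.now(timezone.utc).isoformat()
        self._entries.append((ts, user, action, rec_id, outcome))

    def entries(self):
        return tuple(self._entries)  # read-only view; no update or delete path

def advance(state):
    # LOCKED is terminal here; unlocking would be a separate admin-approved flow.
    i = LIFECYCLE.index(state)
    if i == len(LIFECYCLE) - 1:
        raise ValueError("cannot advance a LOCKED period")
    return LIFECYCLE[i + 1]

def approve(rec, actor, log):
    """Return an HTTP-style status; denials are hard 403s, not warnings."""
    if rec.period_state is PeriodState.LOCKED:
        log.append(actor, "approve", rec.rec_id, "403 period locked")
        return 403
    if actor == rec.preparer:  # preparer cannot approve their own work
        log.append(actor, "approve", rec.rec_id, "403 self-approval")
        return 403
    rec.status = "APPROVED"
    log.append(actor, "approve", rec.rec_id, "200 approved")
    return 200
```

The checks run before any state change, so a denied request leaves the reconciliation untouched while still producing an audit entry.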
AI trust boundary
Cortex operates within a strict SOX trust boundary
Every AI action creates draft items that require human confirmation. Every investigation logs which tools were used, what data was queried, and how findings were reached.
Cortex cannot
- ✕ Post journal entries
- ✕ Certify close periods
- ✕ Approve reconciliations
- ✕ Modify locked periods
- ✕ Delete or alter audit records
Cortex can
- ✓ Investigate accounts and surface exceptions
- ✓ Generate audit-quality work papers
- ✓ Score confidence using a deterministic 5-factor formula
- ✓ Suggest reconciling items as drafts requiring human confirmation
- ✓ Log every tool call, data query, and finding with full provenance
Confidence scores use a deterministic 5-factor formula (variance 35%, auto-recon 20%, matching 20%, materiality 15%, historical 10%) that auditors can independently reproduce.
Trusted data storage
Tenant isolation
Each organization’s data is logically isolated with row-level security policies. No cross-tenant data access is architecturally possible.
US-based infrastructure
Hosted in US-based data centers, ensuring low latency and compliance with domestic data residency requirements.
No AI model training
Your data is never used to train, fine-tune, or improve any AI models. Cortex uses enterprise AI APIs with zero data retention.
Legal-grade security
Zero trust design principles
We follow Zero Trust architecture — no user or system is inherently trusted. Access is always verified, limited, and logged.
Your approval required
Access to customer data is strictly controlled and only granted to engineers with written customer approval for support-related issues.
Penetration testing
Arvexi has engaged a certified third-party firm for comprehensive penetration testing covering the full platform scope, following an “assume breach” methodology.
Trusted infrastructure providers
Built on enterprise-grade cloud services with multi-layer access control, audit logging, and automated threat detection.
Full ownership and flexibility
Arvexi supports Single Sign-On via SAML and OpenID Connect, ensuring you are in full control over end-user access. You control data retention periods, have full visibility over how your data flows through the platform, and can request a complete data export at any time.
Your data. Your decisions.
You maintain control over your data at all times.
Data retention
Set and manage data retention periods to align with your internal policies and regulatory requirements.
Data governance
Real-time insight into who’s accessing your data and when, with role-based access controls and entity-level permissions.
Encryption at every layer
AES-256 at rest, TLS 1.2+ in transit, managed by our SOC 2 Type II certified infrastructure providers.
User authentication
SSO integration with SAML and OpenID Connect for complete control over user authentication and access management.
AI & data privacy
How Cortex processes your data
Processing boundary
Cortex processes your data within Arvexi's secure infrastructure using our AI provider's API. Data is sent for processing and returned. It is never stored by our AI provider beyond the API request lifecycle.
Data storage
Cortex investigation findings are stored in your organization's database, fully encrypted at rest, and accessible only to authorized users within your tenant.
Usage control
Configure Cortex sweep parameters including cost tier (FULL, TOP_N, NARRATIVE_ONLY) and investigation depth to control AI usage and cost per close cycle.
Subprocessors
Infrastructure providers
All subprocessors maintain SOC 2 Type II certification. Customer data never leaves these providers.
| Provider | Purpose | Region | Compliance |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | US | SOC 2 Type II |
| Vercel | Application hosting, edge network | US | SOC 2 Type II |
| Anthropic | AI processing for Cortex | US | SOC 2 Type II |
| Resend | Transactional email | US | SOC 2 Type II |
| Cloudflare | DNS, CDN, DDoS protection | Global | SOC 2 Type II |

Arvexi helps us strike a balance that allows us to delve into complex accounting challenges with greater efficiency and precision.
David Chen
Managing Partner at Chen & Associates