Security Built Into Every Layer

Our Security Principles

Data Privacy Commitments

• No Cross-Organization Data Sharing — Your data is logically isolated from other customers
• Organization-Scoped AI Learning — AI improvements are confined to your organization only
• No Sale of Data — We never sell customer data to third parties
• No External AI Training — We do not use your data to train general AI models

Security Governance

Arbol AI maintains a comprehensive information security program overseen by executive leadership. Our security program includes:

• Security Leadership — Dedicated security personnel reporting to executive management
• Security Policies — Comprehensive policies covering all aspects of information security
• Risk Management — Ongoing risk assessment and management processes
• Security Committee — Regular review of security posture and emerging threats

Personnel Security

Security Awareness Program

• New hire security orientation
• Annual security awareness training
• Phishing simulation exercises
• Security updates and communications
• Role-specific security training for developers and operations staff

Cloud Infrastructure

Arbol AI's infrastructure is hosted entirely in the United States using enterprise-grade cloud providers:

Data Center Security

Our cloud providers maintain physical security controls including:

• 24/7/365 security personnel and monitoring
• Biometric access controls
• Video surveillance with retention
• Visitor management and escort requirements
• Environmental controls (fire suppression, climate control, flood protection)
• Redundant power and network connectivity

Infrastructure Hardening

• Operating Systems — Hardened base images with minimal installed software
• Patch Management — Regular security patching with critical patches applied within 24-72 hours
• Configuration Management — Infrastructure as Code (IaC) for consistent, auditable configurations
• Container Security — Hardened container images with vulnerability scanning
• Secrets Management — Secure storage and rotation of credentials and API keys

Data Classification

We classify data based on sensitivity to ensure appropriate protection:

Encryption Standards

Data Isolation

• Logical Separation — Customer data is logically isolated using unique identifiers
• Tenant Isolation — Multi-tenant architecture with strict data boundaries
• Network Segmentation — Production, staging, and development environments are segregated
• Database Isolation — Per-customer encryption keys where applicable

Data Retention and Deletion

• Configurable retention periods for call recordings and transcripts
• Secure deletion processes that render data unrecoverable
• Automated purging of temporary data
• Customer-initiated deletion capabilities through dashboard
• 30-day removal from active systems, 90-day removal from backups

Secure Development Lifecycle (SDLC)

Code Security

• Code Review — All code changes require peer review before merging
• Static Analysis (SAST) — Automated scanning for security vulnerabilities in code
• Dynamic Analysis (DAST) — Regular testing of running applications
• Dependency Scanning — Continuous monitoring for vulnerable third-party libraries
• Secret Detection — Automated scanning to prevent credential exposure

Vulnerability Management

Risk-based prioritization with defined SLAs for vulnerability remediation:

Penetration Testing

• Annual third-party penetration testing by qualified security firms
• Remediation of identified findings
• Retest to verify remediation effectiveness
• Additional testing following significant changes

Authentication

Customer Authentication

• Email/password authentication with strength requirements
• Optional multi-factor authentication (MFA) for customer accounts
• API key authentication for programmatic access
• OAuth 2.0 support for third-party integrations
• Session timeout and concurrent session controls

Authorization

• Role-Based Access Control (RBAC) for all systems
• Principle of least privilege enforced
• Regular access reviews (quarterly for privileged access)
• Just-in-time (JIT) access for production systems
• Audit logging of all access and authorization changes

Privileged Access Management

• Separate privileged accounts for administrative tasks
• Multi-person approval for sensitive operations
• Time-limited access grants
• Full audit trail of privileged actions
• Regular rotation of privileged credentials

Network Architecture

• Virtual Private Cloud (VPC) isolation
• Private subnets for sensitive workloads
• Public subnets only for load balancers and bastion hosts
• Network Access Control Lists (NACLs) and Security Groups
• Micro-segmentation between services

Perimeter Security

Monitoring and Detection

• 24/7 security monitoring of infrastructure and applications
• Security Information and Event Management (SIEM)
• Intrusion Detection Systems (IDS)
• Anomaly detection and alerting
• Log aggregation and correlation
• Real-time alerting for security events

Network Logging

• VPC Flow Logs for network traffic analysis
• DNS query logging
• Load balancer access logs
• API Gateway access logs
• Retention per compliance requirements

Incident Response Program

Arbol AI maintains a documented incident response program that includes:

• Incident Response Plan — Documented procedures for security incidents
• Incident Response Team — Designated personnel with defined roles and responsibilities
• Communication Procedures — Internal and external communication protocols
• Post-Incident Review — Root cause analysis and lessons learned

Incident Classification

Customer Notification

• Notification of security incidents affecting customer data
• Compliance with Delaware breach notification requirements (within 60 days)
• Clear communication of incident details, impact, and remediation
• Ongoing updates until incident resolution

Incident Response Phases

1. Detection — Identification of potential security incident
2. Containment — Limiting the scope and impact of the incident
3. Eradication — Removing the threat from the environment
4. Recovery — Restoring affected systems and services
5. Post-Incident — Analysis, documentation, and improvement

Disaster Recovery

High Availability

• Multi-Availability Zone (AZ) deployment
• Auto-scaling for capacity management
• Load balancing across multiple instances
• Database replication and failover
• No single points of failure for critical services

Backup and Recovery

• Encrypted backups stored in geographically separate locations
• Regular backup integrity testing
• Documented and tested recovery procedures
• Annual disaster recovery exercises

Business Continuity Plan

• Documented business continuity procedures
• Identification of critical business functions
• Recovery priorities and timelines
• Regular testing and updates
• Communication plans for stakeholders

Third-Party Risk Management

Arbol AI maintains a vendor risk management program that includes:

• Due Diligence — Security assessment before vendor engagement
• Contractual Requirements — Security and privacy obligations in contracts
• Ongoing Monitoring — Regular review of vendor security posture
• Incident Notification — Requirement for vendors to report security incidents

Sub-Processor List

All sub-processors are U.S.-based companies with data processing in the United States. We maintain a complete list of our sub-processors including their purpose, data processed, and security certifications.

Vendor Security Requirements

All vendors with access to customer data must:

• Maintain appropriate security certifications
• Implement encryption for data at rest and in transit
• Provide incident notification within 24 hours
• Allow security audits upon request
• Sign data processing agreements

Current Compliance

Audit and Attestation

• Annual independent security assessments
• Penetration testing by qualified third parties
• Vulnerability assessments
• Compliance audits as required

Customer Compliance Support

We provide customers with:

• Data Processing Addendum (DPA) upon request
• Sub-processor list
• Security questionnaire responses
• Compliance documentation
• Audit reports (under NDA)

Account Security Features

Data Controls

• Data Export — Export your data in standard formats (CSV, JSON)
• Data Deletion — Self-service deletion of recordings, transcripts, contacts
• Retention Settings — Configurable data retention periods
• Access Controls — Control who can access sensitive data within your organization

Integration Security

• OAuth 2.0 for third-party integrations
• Webhook signature verification
• IP allowlisting available for API access
• Secure credential storage for integrations

Security Best Practices for Customers

We recommend customers:

1. Enable multi-factor authentication on all accounts
2. Use strong, unique passwords
3. Regularly review and rotate API keys
4. Implement IP allowlisting where possible
5. Regularly review user access and permissions
6. Monitor audit logs for suspicious activity
7. Keep integration credentials secure and rotate regularly

Security Vulnerability Reporting

Arbol AI welcomes responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us:

What to Include

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any proof-of-concept code (if applicable)
• Your contact information

Our Commitment

• We will acknowledge receipt within 24 hours
• We will investigate and provide updates on progress
• We will work to remediate valid vulnerabilities promptly
• We will not take legal action against researchers who act in good faith, avoid privacy violations, data destruction, or service disruption, and do not publicly disclose until we have addressed the issue

Scope

Documentation Requests

For security questionnaires, audit reports, or compliance documentation, contact tomas@getarbol.com.