Security & Compliance
Security & data protection
Your compliance data is sensitive. Here is exactly how we protect it — and a straight answer on where we are with our own certifications.
EU data residency
Application data is hosted in Frankfurt, Germany (EU). Built for organizations that need to keep data in Europe.
Encryption
TLS 1.3 in transit and AES-256 at rest — applied to your data by default.
Tenant isolation
Row-level security scopes every record to your organization, enforced at the database layer.
Access control
Role-based access control (RBAC) with multi-factor authentication (MFA) support for your team.
Audit logging
Key actions are recorded to an audit trail you can review and export for your own evidence.
AI transparency
Every AI output carries a confidence score and is shown for human review. Nothing is finalized without a person approving it.
Continuous monitoring
We track public vulnerability and breach feeds — CVE, CISA KEV and the EU Vulnerability Database — against your vendor portfolio daily, and our application is instrumented with error monitoring hosted in the EU.
Sub-processors
We rely on a small set of vetted sub-processors to run the service. The current list is published and kept up to date.
View our sub-processors
Where we are — and what's next
ArvexLab does not yet hold an external certification of its own, such as SOC 2 or ISO 27001. We are an early-stage company and we would rather be straight with you than imply otherwise. Security and data protection are engineered in from day one — EU hosting, encryption, per-organization isolation, access control and audit logging — and we will publish certifications on this page as we achieve them.
Questions about security?
We're happy to walk your team through our architecture and data handling.