Aptible-hosted · SOC 2 Type II infrastructure · HIPAA-ready
For your vendor review team

Security & compliance, explained honestly.

This page is the permanent public home for Arx's security and compliance posture. It's designed to answer the questions your GRC team, CISO, and legal counsel are going to ask — before they have to ask them.

Document: Security Overview
Version: 1.0 · April 2026
Owner: Mershard Frierson
Classification: Shareable under NDA

We make your agents credible to a review board. We don't replace them.

Arx is the enterprise-readiness layer that sits between the Python security agents your team has already built and the vendor review that's keeping them from shipping. We handle policy enforcement, human approval gates, immutable audit chaining, and SOC 2 control mapping. We don't write agents; we make the ones you've written credible to the review board that has to approve them.

What Arx is not: a managed security service provider, a SOC-as-a-service, or a replacement for your security program. We don't operate with standing visibility into your agent's runtime environment, and we don't hold credentials for your systems. When Arx isn't running, your agents are still just Python — we're an opt-in layer, not a dependency you can't remove.

Two programs, two sets of controls. Here's which is which.

Arx runs on Aptible, which means two distinct programs are in play: theirs and ours. Aptible is the infrastructure. We are the application. The distinction matters to your auditors, so we're stating it clearly instead of letting the attestation documents do the work.

Inherited from Aptible

  • Physical data center security
  • Network infrastructure hardening
  • Host-level patching and hardening
  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • DDoS mitigation and network controls
  • SOC 2 Type II, HIPAA, ISO 27001 attestation

Maintained by Arx

  • Application access control (RBAC)
  • API key issuance and rotation policy
  • Connector policy enforcement
  • Audit trail integrity and witness signing
  • Tenant data isolation
  • Vulnerability management program
  • Incident response and customer notification

Aptible's Type II observation window pre-dates Arx's application-layer program, which entered its own SOC 2 Type I observation window in Q2 2026. The two programs are documented separately and evidence is available separately under NDA.

What we receive, what we store, and what we can't touch.

What Arx receives
Agent source references (file paths, line ranges, SHA-256 hashes), connector invocation metadata (function called, timestamp, parameter shape), policy evaluation results, and approval workflow events. We do not receive the actual data your agents read or write from your systems.
What Arx stores
Agent registry records, control-to-source mappings, audit event log (hash-chained), policy configurations, and connector credential references by name only. All stored in Supabase on Aptible-hosted infrastructure in the United States.
What Arx does not store
Credential values or secrets, raw connector response payloads, PII from your environment, or agent output data. Secrets remain in your chosen secret store; Arx receives a reference name only and never the value.
Data residency
United States. Aptible infrastructure runs on AWS us-east-1. No customer data is replicated outside the US unless you configure it explicitly.
Retention
Audit records retained for 7 years by default, configurable to your policy. Registry and compliance metadata retained for account lifetime plus 90 days post-termination.
Witness bucket
Every five minutes the audit chain tip is written to a customer-controlled S3 or GCS bucket. Arx holds write-only credentials; your team retains read and delete rights. Arx cannot read or modify bucket contents after writing.
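The hash-chained audit log and the witness bucket described above only make tampering detectable if someone on the customer side actually recomputes the chain against the witnessed tips. The following is an added example, not Arx's code: the chaining format (SHA-256 over the previous hash plus canonical JSON), the all-zero genesis value and the sample events are assumptions, and the verifier distinguishes an in-place edit, a rewrite with recomputed hashes, and truncation.

```python
import hashlib
import json

# Assumed genesis link; the page names hash chaining but not the exact scheme.
GENESIS = "0" * 64

# Constructed sample events of the kind the page says Arx receives:
# invocation metadata and policy results, never the payload data itself.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T12:00:00Z", "connector": "jira", "function": "create_issue",
     "params_shape": ["project", "summary"], "policy": "allow"},
    {"ts": "2026-04-01T12:00:07Z", "connector": "slack", "function": "post_message",
     "params_shape": ["channel", "text"], "policy": "require_approval"},
    {"ts": "2026-04-01T12:04:30Z", "connector": "slack", "function": "post_message",
     "params_shape": ["channel", "text"], "policy": "allow"},
]

def event_hash(prev_hash: str, event: dict) -> str:
    """Link one event to its predecessor (hypothetical format)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_chain(events):
    """Return [(event, hash), ...]; the final hash is the chain tip."""
    prev, chain = GENESIS, []
    for ev in events:
        prev = event_hash(prev, ev)
        chain.append((ev, prev))
    return chain

def verify_against_witness(chain, witnessed_tips):
    """Customer-side check. witnessed_tips is [(position, tip_hash), ...] as read
    back from the customer-controlled bucket. Returns (ok, reason)."""
    prev, recomputed = GENESIS, []
    for i, (ev, claimed) in enumerate(chain):
        h = event_hash(prev, ev)
        if h != claimed:  # stored hash no longer matches the event body
            return False, f"stored hash mismatch at event {i}: in-place edit"
        recomputed.append(h)
        prev = h
    for pos, tip in witnessed_tips:
        if pos >= len(recomputed):  # log ends before a tip that was witnessed
            return False, f"log shorter than witnessed position {pos}: truncation"
        if recomputed[pos] != tip:  # hashes are self-consistent but differ from witness
            return False, f"witnessed tip at {pos} does not match log: rewrite"
    return True, "chain consistent with witness"
```

Because the witness holds only hashes, the customer can run this check without Arx ever having read access to the bucket, which is the property the write-only credential is meant to give.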

SAML, SCIM, MFA, and the support access policy.

Arx supports SAML 2.0 SSO with any compliant identity provider, including Okta, Azure AD, and Google Workspace. SCIM 2.0 is available for automated user provisioning and deprovisioning. MFA is enforced at the Arx application layer for all users who authenticate via username and password; SSO-federated sessions inherit MFA enforcement from your identity provider.

Role-based access control has five roles: Admin, Security Architect, SOC Engineer, Analyst, and Auditor. Permissions are non-delegable — an Admin can grant any role, but a SOC Engineer cannot grant Admin. All role assignment and revocation events are recorded in the audit trail and tied to the acting user's session.

Arx support engineers operate under a "we see us when you see us" policy. There is no standing support access to your workspace. When a support case requires workspace access, the engineer submits a time-bounded access request, you approve it, and the session appears in your audit trail in real time alongside your own team's activity. We cannot view workspace data outside of an approved, time-limited, recorded session.

Every vendor that touches your data, listed.

A complete and continuously updated list of our subprocessors is maintained at arxsec.io/trust/subprocessors. The table below reflects our current primary subprocessors. We will notify you 30 days in advance of adding new subprocessors that materially affect data processing.

Provider | Purpose | Compliance | Data residency
Aptible | Application hosting and managed infrastructure | SOC 2 Type II · HIPAA · ISO 27001 | United States
Supabase | Database (PostgreSQL) | SOC 2 Type II | United States
Cloudflare | CDN, DDoS protection, DNS | SOC 2 Type II | Global edge; data processed in US
Stripe | Payment processing | SOC 2 Type II · PCI DSS Level 1 | United States
Resend | Transactional email | SOC 2 Type II | United States

How we build, patch, test, and respond.

Change management
All production changes require a peer-reviewed pull request and passing automated CI checks. Deployment artifacts are signed and pinned. Production deployments generate a changelog entry automatically bound to the relevant SOC 2 change-management controls in each affected agent workspace.
Vulnerability management
Internal vulnerability scanning runs on every deployment. Dependency scanning runs daily via Dependabot and Snyk. Triage SLAs: critical within 72 hours, high within 14 days, medium within 90 days.
Penetration testing
Annual third-party penetration test planned for Q3 2026 alongside SOC 2 Type I attestation. Prior to formal testing we conduct internal adversarial reviews on each major release. Executive summaries are available to enterprise customers under NDA.
Incident response
Documented incident response plan with defined severity levels (P1–P4) and escalation paths to PagerDuty. Customer notification for confirmed data security incidents within 72 hours. Post-incident reports provided to affected customers on request.
Vulnerability disclosure
Report security issues to security@arxsec.io. We acknowledge within 2 business days, provide status updates every 7 days, and will not pursue legal action against good-faith researchers. We ask for a 90-day coordinated disclosure window.

Where we are, and where we're going.

This roadmap reflects our current attestation trajectory. Dates are targets, not guarantees. We publish updates here as milestones close rather than waiting for a formal announcement.

Q1 2026
● Complete
Aptible deployment complete. Infrastructure-layer SOC 2 Type II, HIPAA, and ISO 27001 controls inherited via Aptible's attestation. Evidence available on request.
Q2 2026
● In progress
SOC 2 Type I observation window open. Application-layer controls under continuous monitoring. Readiness documentation available to prospective customers under NDA.
Q3 2026
○ Planned
Third-party penetration test and SOC 2 Type I attestation report. Report provided to enterprise customers under NDA upon completion.
Q1 2027
○ Planned
SOC 2 Type II readiness audit. Direct HIPAA BAA from Arx (currently available via Aptible for customers who need it sooner).
Q3 2027
○ Planned
ISO 27001 certification and EU AI Act Article 9 risk management alignment. Scope to include all customer-facing application controls.

The question this page didn't answer is the one we want to hear.

This page was written to answer the questions we hear most often from security review boards, CISOs, and procurement teams. If something here raised a new question, that's exactly the one we want to discuss — it's probably a gap we should fix in the next revision.

We're available for a 30-minute call with your GRC team, your CISO, or your legal counsel. We can bring the current evidence bundle, walk through the Aptible attestation documents, or run a live demo against one of your existing agents to show exactly what Arx sees and doesn't see.
