Security at Arvik
Last updated: April 22, 2026
Security is engineered into Arvik from day one — not bolted on for a marketing page. This document summarizes the controls we operate today and the standards we hold ourselves to.
Encryption
All traffic to and from Arvik is encrypted in transit using TLS 1.3. Data at rest is encrypted with AES-256 on managed cloud infrastructure. Message content is never written to disk in plaintext.
Authentication & integrations
Connections to third-party tools use OAuth 2.0 with the narrowest scopes required for the action you've requested. Tokens are encrypted at rest and tied to your account. You can revoke any integration in one message; revocation is propagated immediately.
Tenant isolation
Customer data is logically isolated per tenant. Application-layer authorization checks are applied on every request, with row-level controls in our data stores as a defense-in-depth layer.
Secrets management
Application secrets and customer credentials are stored in a managed key management service (KMS). Keys are rotated on a regular cadence and access is restricted to the services that need them.
Access control
Internal access to production follows least-privilege principles, requires SSO with hardware-backed multi-factor authentication, and is fully audit-logged. Access to customer data is granted only when necessary to operate or support the Service.
Compliance posture
Arvik is GDPR-aligned and offers region-pinned data residency where supported. We are currently working toward SOC 2 Type II attestation; status updates and our latest sub-processor list are available on request at security@arvik.one.
Human-in-the-loop
Sensitive actions — sending external messages, scheduling, payments, deletions — always require explicit confirmation from you. Arvik will never silently spend money, send mail, or destroy data on your behalf.
Vulnerability disclosure
We welcome reports from the security community. If you believe you've discovered a vulnerability, please email security@arvik.one with details and reproduction steps. We commit to acknowledging valid reports within 72 hours and will not pursue legal action against good-faith researchers who follow this policy.
Incident response
We maintain a documented incident response process covering detection, containment, eradication, recovery, and post-incident review. Affected customers will be notified without undue delay in accordance with applicable law.