Security
Current as of 2026-05-12.
This document describes our security controls in plain language and our coordinated-disclosure program. It is not a contractual representation; binding security commitments live in a Data Processing Addendum or Security Annex.
Hosting and network
- Hosted on Amazon Web Services: us-east-1 (N. Virginia) for the US/global product and ap-south-1 (Mumbai) for Arkin Vault India. Workloads run on hardened EC2 instances within a private VPC.
- Public traffic terminates at Caddy with automatic TLS via Let's Encrypt (ACME HTTP-01). HTTPS is enforced; HTTP redirects to HTTPS.
- HTTP Strict Transport Security, X-Frame-Options DENY, X-Content-Type-Options nosniff, and Referrer-Policy strict-origin-when-cross-origin are set on every response.
Authentication and access
- Admin passwords are stored as bcrypt hashes (work factor 12). Legacy SHA-256 hashes are auto-upgraded to bcrypt on next successful login.
- Admin sessions are signed, server-side, with the Flask session mechanism. CSRF protection is enabled on every POST.
- Recipient access is gated by configurable combinations of authorized-email allow-list, access password (bcrypt-hashed), and NDA signing.
- Per-document NDA scoping: each recipient signs once per document, not globally.
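The legacy-hash upgrade described above, as an added illustration (not Arkin Vault's code). The page's target format is bcrypt with work factor 12; this example substitutes the standard library's hashlib.scrypt so it runs without a third-party dependency, and the legacy format is assumed to be an unsalted hex SHA-256. In production the scrypt helpers would be replaced by bcrypt.hashpw/bcrypt.checkpw (bcrypt hashes start with "$2b$").

```python
"""Transparent upgrade of legacy SHA-256 password hashes on successful login.

Added illustration, not Arkin Vault's code. The page's target format is bcrypt
(work factor 12); this example substitutes hashlib.scrypt so that it runs on
the standard library alone. In production, replace scrypt_hash/scrypt_verify
with bcrypt.hashpw/bcrypt.checkpw (bcrypt hashes start with "$2b$").
"""
import hashlib
import hmac
import os

# Assumed legacy format: unsalted hex SHA-256 of the password (64 hex chars).
# Assumed new format: "$scrypt$<n>$<r>$<p>$<salt_hex>$<key_hex>".
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HEX = set("0123456789abcdef")


def legacy_sha256(password: str) -> str:
    """How the old hashes were produced (assumed: no salt, no work factor)."""
    return hashlib.sha256(password.encode()).hexdigest()


def scrypt_hash(password: str, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"$scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Constant-time check; any malformed record verifies as False."""
    try:
        _, _, n, r, p, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(key.hex(), key_hex)


def is_legacy(stored: str) -> bool:
    return len(stored) == 64 and set(stored) <= HEX


def needs_rehash(stored: str) -> bool:
    """True for legacy hashes and for scrypt hashes below the current cost."""
    if not stored.startswith("$scrypt$"):
        return True
    _, _, n, r, p, *_ = stored.split("$")
    return int(n) < SCRYPT_N or int(r) < SCRYPT_R or int(p) < SCRYPT_P


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_stored); new_stored is None unless the hash was upgraded.

    The password is checked against whatever format is on record. Only a
    successful login triggers the rehash, because that is the one moment the
    server holds the plaintext; the caller must then persist new_stored.
    """
    if is_legacy(stored):
        ok = hmac.compare_digest(legacy_sha256(password), stored)
    elif stored.startswith("$scrypt$"):
        ok = scrypt_verify(password, stored)
    else:
        return False, None          # unknown format: fail closed
    if ok and needs_rehash(stored):
        return True, scrypt_hash(password)
    return ok, None
```

The same dispatch also handles a later work-factor increase: a record hashed at a lower cost verifies and is rehashed on the next login. The caveat with any login-time upgrade is that accounts that never log in keep their unsalted SHA-256 hash indefinitely, so a migration like this should be paired with a cutoff after which remaining legacy credentials are expired or reset.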
Data at rest and in transit
- All data in transit uses TLS 1.2 or higher.
- Postgres data and uploaded files are stored on encrypted EBS volumes (AWS KMS-managed keys).
- Daily encrypted Postgres backups are retained for [INSERT — e.g., thirty (30) days].
Auditing
- Every recipient access event (page view, download, print, NDA signing, login, logout) is logged with viewer name, email, IP, user-agent, timestamp, and page number where applicable.
- NDA signatures are cryptographically bound to the NDA text via SHA-256 hash; the signed-PDF artifact captures all signer metadata.
- Admin actions are logged separately as admin_preview to distinguish them from real recipient activity.
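The hash binding from the Auditing list, as an added example that is not Arkin Vault's code. The page states only that signatures are bound to the NDA text via SHA-256; the text canonicalisation, the record layout and the server-side HMAC seal over the record are assumptions of this illustration, added because a bare hash proves which text was agreed to but not that the stored record (signer, timestamp) was left untouched afterwards.

```python
"""Binding an NDA signature to the exact NDA text with SHA-256.

Added example, not Arkin Vault's code. The page states that signatures are
bound to the NDA text via a SHA-256 hash; the canonicalisation, record layout
and server-side HMAC seal below are assumptions of this illustration.
"""
import hashlib
import hmac
import json
import unicodedata
from datetime import datetime, timezone

# Assumed: a per-deployment secret (KMS-backed in real use) that seals audit
# records so that a later edit to a stored record is detectable.
AUDIT_KEY = b"constructed-demo-key-replace-with-kms-backed-secret"


def canonical_nda_bytes(text: str) -> bytes:
    """Normalise so cosmetic differences (CRLF, trailing spaces, Unicode
    composition) do not change the hash, while any wording change does."""
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")]
    return unicodedata.normalize("NFC", "\n".join(lines).strip()).encode("utf-8")


def nda_digest(text: str) -> str:
    return hashlib.sha256(canonical_nda_bytes(text)).hexdigest()


def _seal(record_body: dict) -> str:
    body = json.dumps(record_body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


def sign_nda(document_id: str, nda_text: str, signer: dict, when=None) -> dict:
    """Create the signature record for one recipient on one document."""
    when = when or datetime.now(timezone.utc)
    record = {
        "document_id": document_id,            # per-document scope
        "nda_sha256": nda_digest(nda_text),     # what was actually agreed to
        "signer": {k: signer[k] for k in ("name", "email", "ip", "user_agent")},
        "signed_at": when.isoformat(),
    }
    record["seal"] = _seal(record)
    return record


def verify_nda_record(record: dict, nda_text: str) -> tuple:
    """Return (ok, reason): the record must be untampered and match this text."""
    body = {k: v for k, v in record.items() if k != "seal"}
    if not hmac.compare_digest(_seal(body), record.get("seal", "")):
        return False, "record seal mismatch: stored record was altered"
    if record["nda_sha256"] != nda_digest(nda_text):
        return False, "NDA text differs from the version that was signed"
    return True, "ok"
```

The two checks answer different questions: the digest says whether the text on file today is the text the recipient saw, and the seal says whether anyone has changed the record since it was written. For non-repudiation toward a third party the sealed record still needs to be carried into the signed-PDF artifact the page describes.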
Application hardening
- Reverse proxy enforces request body size limits (250 MB on the upload route) and rate limiting on authentication endpoints.
- Image-based watermarking is applied per-page with admin-configurable text.
- Encrypted PDFs are rejected at upload time with a clear error message.
- Path-traversal protection on all file-handling routes via UUID-based naming.
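The UUID-based storage and the encrypted-PDF rejection from the list above, as one added example that is not Arkin Vault's code. The upload directory, the 250 MB limit mirrored from the proxy, the metadata returned to the caller and the byte scan for an /Encrypt entry are assumptions of this illustration; the scan is a heuristic (a real parser, e.g. pypdf's PdfReader.is_encrypted, is the stricter check) and the sample PDF bytes are constructed and not renderable documents.

```python
"""Upload storage that never lets a client-supplied filename reach the
filesystem, plus rejection of encrypted PDFs at upload time.

Added example, not Arkin Vault's code. The page says uploads use UUID-based
naming and that encrypted PDFs are rejected; the directory layout, the
metadata dict and the /Encrypt scan are assumptions of this illustration.
"""
import os
import re
import tempfile
import uuid
from pathlib import Path

# Assumed location; a real deployment uses a fixed directory on the encrypted
# volume. A temp dir is used here so the example runs anywhere.
UPLOAD_ROOT = Path(os.environ.get("UPLOAD_ROOT") or tempfile.mkdtemp(prefix="arkin-demo-"))
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
MAX_UPLOAD = 250 * 1024 * 1024      # mirrors the reverse-proxy body limit

# Constructed sample inputs (minimal, not valid renderable PDFs).
SAMPLE_PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                        b"2 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
                        b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


class UploadRejected(ValueError):
    pass


def is_encrypted_pdf(data: bytes) -> bool:
    """Heuristic: an encrypted PDF references its encryption dictionary via an
    /Encrypt key in the trailer or xref-stream dictionary, which is never
    compressed, so a byte scan finds it. Rare false positives are possible."""
    return b"/Encrypt" in data


def store_upload(data: bytes, client_filename: str, root: Path = UPLOAD_ROOT) -> dict:
    """Validate and write the upload under a server-generated UUID name."""
    if len(data) > MAX_UPLOAD:
        raise UploadRejected("file exceeds the 250 MB limit")
    if not data.startswith(b"%PDF-"):
        raise UploadRejected("not a PDF")
    if is_encrypted_pdf(data):
        raise UploadRejected("encrypted PDFs are not supported; remove the password and re-upload")
    file_id = str(uuid.uuid4())
    dest = root / f"{file_id}.pdf"          # client name never touches the path
    root.mkdir(parents=True, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    # The original name is display metadata only (kept in the database, not on disk).
    return {"id": file_id, "display_name": os.path.basename(client_filename)}


def resolve_upload(file_id: str, root: Path = UPLOAD_ROOT) -> Path:
    """Defence in depth for download/preview routes: validate the id's shape,
    then confirm the resolved path is still inside the upload root."""
    if not UUID_RE.match(file_id):
        raise UploadRejected("invalid file id")
    path = (root / f"{file_id}.pdf").resolve()
    if path.parent != root.resolve():
        raise UploadRejected("path escapes upload root")
    return path
```

With the filename generated server-side, traversal sequences in the client name have nothing to influence; the shape check and containment check in resolve_upload exist so that a future route which accepts an id from a query string or form field cannot be coaxed into opening anything outside the upload root.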
Vulnerability disclosure
We welcome reports from security researchers. Please email security@arkinvault.com with:
- A clear description of the vulnerability and impact.
- Step-by-step reproduction.
- Your name and any handle for credit (we will publicly acknowledge consenting researchers).
We commit to acknowledge receipt within 72 hours, provide an initial assessment within 7 days, and remediate critical issues as quickly as practicable. We will not pursue legal action against good-faith research that complies with this policy: do not access more data than is necessary to demonstrate the issue, do not exfiltrate or alter customer data, do not disrupt the service, and give us reasonable time to remediate before disclosure.
Contact
General: security@arkinvault.com
Privacy: privacy@arkinvault.com