Where Arbor stands on security, privacy, and operational readiness — and how to get the evidence you need for procurement.
SOC 2 Type II
In progress. Drata-managed program. Engineering controls (access, audit, backup, retention, dependency hygiene, runbooks) implemented. Type II report available within ~6 months of audit kickoff.
HIPAA
BAA available. Hospital and other covered-entity customers can request a Business Associate Agreement before transmitting PHI. Supabase HIPAA add-on covers the data layer; Vercel HIPAA add-on covers hosting.
GDPR
Aligned. DPA available with EU SCCs incorporated. EEA / UK / Swiss customers covered. Subject access requests fulfilled via /admin/data-export plus admin-assisted erasure.
CCPA / CPRA
Aligned. Privacy Policy honors disclosure, deletion, and opt-out-of-sale rights (we do not sell personal information). Cookie banner offers reject-non-essential.
Row-level security on every tenant table
Postgres RLS enforces that no row crosses an organization boundary, even with leaked database credentials. Every server action also checks role-based access.
Encrypted at rest and in transit
AES-256 at rest via Supabase managed encryption. TLS 1.2+ in transit. HSTS on every response. Custom-domain TLS provisioned automatically via Vercel.
SAML SSO + MFA-ready auth
Per-org SAML SSO so customers can use their existing identity provider (AzureAD, Okta, Google Workspace). MFA enforced for all production access on our side.
Comprehensive audit log
Every mutating operation lands in an append-only audit_log table with org, actor, timestamp, and field-level diff. Default 5-year retention; per-org override with a 30-day floor.
Backup + tested restore
Supabase point-in-time recovery to any second within the retention window. Quarterly restore drills with documented RTO 4h / RPO 5min.
Per-org data export
Customers can download a complete ZIP of every tenant table from /admin/data-export at any time — for portability, GDPR access requests, or off-platform backup.
Outbound webhook hardening
HMAC-SHA256 signed payloads. Server-side SSRF guard rejects URLs that resolve to private/internal address space. Failed deliveries replayable from the admin UI.
API key auth + scopes
Bcrypt-hashed bearer tokens. Issued from /admin/settings/api with scope picker. Read-only keys cannot reach write endpoints. Revocation is immediate.
Reach legal@arbor.app for any of the following under NDA:
Email security@arbor.app. We acknowledge within one business day. Coordinated disclosure is welcomed; we do not pursue good-faith security researchers who follow responsible-disclosure norms.