Security at ArrowShield

ArrowShield builds security products for AI agent systems. We hold ourselves to the same standards we help our customers enforce. This page describes how we protect customer data, how we operate our infrastructure, and how security researchers can report vulnerabilities.

Our security posture

Data handling. Customer data is isolated per tenant using row-level security in PostgreSQL, namespace isolation in Pinecone, and dedicated Neo4j databases per tenant tier. We never use customer data to train foundation models.

Authentication. All customer access is authenticated via Kinde with RS256-signed JWTs. Multi-factor authentication is supported for all accounts and required for administrative access.

Encryption. All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 via AWS KMS-managed keys. Secrets are managed in AWS Secrets Manager with automatic rotation where supported.

Infrastructure. Our production environment runs on AWS in US regions. Compute runs on ECS Fargate with least-privilege IAM roles. Network access is controlled via VPC security groups and private subnets for all data plane components.

Monitoring. We maintain centralized logging, anomaly detection on authentication events, and alerting on privileged actions.

Dependencies. We continuously scan our dependencies for known vulnerabilities and apply patches on a defined SLA based on severity.

Compliance

ArrowShield's platform is designed to support customer compliance with:

  • SOC 2 Type II (in progress)
  • GDPR
  • CCPA
  • HIPAA (available for qualified customers under BAA)

Customers under active compliance engagements can request our current security documentation by contacting security@arrowshield.io.

Responsible disclosure

We welcome security research on our platform and products. If you believe you have found a vulnerability, please report it to us directly before disclosing it publicly. We will work with you in good faith to validate, remediate, and credit your finding.

Scope

In scope:

  • arrowshield.io and subdomains
  • agent.arrowshield.io (product application)
  • api.arrowshield.io (backend API)

Out of scope:

  • Third-party services we integrate with (report to the vendor directly)
  • Social engineering of our employees
  • Physical attacks against our offices or infrastructure
  • Denial of service testing
  • Automated scanning that degrades service for other customers
  • Reports generated solely from automated tools without validation

How to report

Email security@arrowshield.io with:

  1. A clear description of the vulnerability
  2. Steps to reproduce, including any proof-of-concept code
  3. The potential impact
  4. Your name or handle for acknowledgment (optional)
  5. Any supporting screenshots or logs

What to expect

  • Acknowledgment within 2 business days
  • Initial assessment within 5 business days
  • Status updates at minimum every 10 business days until resolution
  • Public acknowledgment on our acknowledgments page once resolved, unless you prefer to remain anonymous

Safe harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who act in good faith and avoid privacy violations, data destruction, or service disruption; report vulnerabilities promptly and give us reasonable time to remediate before public disclosure; do not exploit vulnerabilities beyond what is necessary to demonstrate the issue; and do not access or modify data belonging to other users.

Recognition

We maintain a security researcher acknowledgments page. Researchers who report valid vulnerabilities will be listed there with their permission. At this time ArrowShield does not operate a paid bug bounty program. Current reports are handled as goodwill disclosures.

Security contact

Email: security@arrowshield.io

Response time: 2 business days

For non-security support, contact support@arrowshield.io.