Encrypted transport and managed storage
Arbor is served over HTTPS. Production data lives in managed providers with encrypted storage and operational access controls.
Back to Arbor
Trust Center
Security without theater.
Arbor is a young security company, so this page separates what is implemented today from what is provider-backed and what is still on the compliance roadmap. No fake badges, no invented audits, no mystery subprocessors.
Implemented controls Provider-backed infrastructure Audit roadmap
Production controls
What is real today
Concrete controls in the running product and infrastructure stack.
GitHub webhook verification
Webhook payloads are verified before they enter the analysis pipeline. Unverified deliveries are rejected.
Per-installation token boundaries
GitHub API access is performed with installation-scoped tokens. Arbor does not intentionally reuse tokens across tenants.
No repository code execution
The analyzer parses repository code structurally. It does not run customer tests, execute application code, or evaluate scripts.
Allowlisted settings writes
User-controlled repository settings are sanitized in the Next.js API proxy before being forwarded to the Rust API.
Parameterized database access
Rust API data access uses parameter binding through sqlx. Dynamic SQL string assembly is not used for application queries.
Data handling
What Arbor stores
The key operating principle: store product evidence, not customer source code snapshots.
Account and GitHub metadata
Login, user id, avatar URL, installation identity, and repository metadata needed to operate the GitHub App.
Analysis evidence
Verdicts, call-path evidence, risk summaries, PR identifiers, timestamps, and status/comment URLs.
Repository source snapshots
Repos are cloned for analysis work and should be treated as ephemeral worker data, not product data.
Payment card data
Card entry and payment processing are handled by Stripe. Arbor stores billing state, not raw card numbers.
Subprocessors
Third parties in the Arbor Cloud path
These vendors may process customer data when Arbor Cloud is used.
ProviderPurposeSafeguards
GitHubApp install, OAuth, repository metadata, webhooks
GitHub terms and security programVercelFrontend hosting and edge functions
Managed platform controlsRenderRust API, workers, and managed PostgreSQL
Managed platform controlsStripeCheckout, subscriptions, invoices, and payment method handling
PCI DSS Level 1SentryError and performance telemetry when configured
PII scrubbing configured in application codeCompliance roadmap
What is not claimed yet
These are roadmap items until an external audit, signed agreement, or launched program exists.
SOC 2
Not certified yet. Controls and evidence capture are being prepared before any audit claim is made.
GDPR / DPA
Data deletion and processor paperwork should be handled case by case until formal workflows ship.
Enterprise packet
Architecture overview, subprocessors, data flow, and security questionnaire answers are available on request.
Bug bounty
Responsible disclosure is active. A paid bounty is not launched yet.
Vulnerability disclosure
Found a vulnerability? Tell us first.
Email security@getarbor.dev with reproduction steps. We acknowledge reports, triage them, and coordinate disclosure with researchers who act in good faith.