Security Model

This page separates ARQEN's current demo/local security boundary from the production controls required before live regulated operation. It is not a production security claim.

Current pilot boundary

ARQEN currently operates as a demo/local pilot-ready Quality Operating System prototype. Production writes, production auth, tenant isolation, controlled evidence storage, immutable audit, e-signature, certified reporting, final controlled-copy release, and durable cross-module links remain blocked.

Demo/local sessions are not production auth.
Tenant isolation for production records is unavailable.
Server-side authorization for operating workflow writes is unavailable.
Evidence references are metadata only, not controlled evidence storage.
Audit context is local/source-basis only, not immutable or tamper-evident audit.
E-signature and final controlled-copy release are unavailable.

Production go/no-go gates

Future production access and production write routes must fail closed until the required gates are implemented and verified.

Production auth provider and verified actor identity.
Tenant membership, workspace scope, roles, and permission policy.
Server-side authorization middleware on every production route.
Durable persistence, migration validation, and backup/recovery posture.
Controlled evidence storage with access control, retention, and checksums.
Audit-event persistence before any immutable/tamper-evident audit claim.
SOC 2 readiness evidence collection before any public SOC 2 report claim.

Blocked API guard contracts

The read-only guard endpoints return structured blocked responses for future production-bound route shapes. They document missing gates; they do not authenticate users, isolate tenants, authorize server-side roles, approve launch, mutate records, accept controlled files, persist audit events, or enable production operation.

Production writes
/api/production-write/guard
Blocked readiness-only

Fails closed until production auth, tenant scope, server authorization, and persistence are verified.

Does not mutate records or enable production writes.

Production access
/api/production-access/guard
Blocked readiness-only

Fails closed until verified actor identity, tenant membership, role policy, and permission policy exist.

Does not authenticate users, isolate tenants, or authorize server roles.

Session readiness
/api/production-access/session/status
Blocked readiness-only

Stays blocked until production session prerequisites exist without creating or trusting a production session.

Does not create, refresh, revoke, or validate production sessions.

Certified reporting
/api/production-reporting/status
Blocked readiness-only

Stays blocked until durable data, report templates, signature policy, and review evidence are implemented.

Does not generate, sign, certify, or export regulated reports.

Continuity
/api/production-continuity/status
Blocked readiness-only

Stays blocked until backup/restore evidence, monitoring, and launch validation exist.

Does not certify backup, recovery, environment validation, or launch approval.

Durable source links
/api/production-source-links/status
Blocked readiness-only

Stays blocked until source-link writes, revision history, integrity checks, and exports are durable.

Does not create, update, delete, export, or certify source-link records.

Audit events
/api/production-audit/status
Blocked readiness-only

Stays blocked until audit-event persistence, retention, integrity, and export controls are implemented.

Does not persist audit events or create immutable audit proof.

Persistence
/api/production-persistence/status
Blocked readiness-only

Stays blocked until database configuration, migrations, repositories, and backups are verified.

Does not persist records, apply migrations, or enable production repositories.

E-signature
/api/production-signature/status
Blocked readiness-only

Stays blocked until signer identity, intent capture, record binding, and audit persistence exist.

Does not capture signatures or create signature records.

Release go/no-go
/api/production-release/go-no-go
Blocked readiness-only

Fails closed until all production readiness gates are complete and independently reviewed.

Does not approve launch or regulated operation.

Controlled copies
/api/production-release/controlled-copy/status
Blocked readiness-only

Stays blocked until release approval, revision control, distribution, and signature controls exist.

Does not approve releases, distribute controlled copies, or capture release signatures.

Controlled evidence
/api/controlled-evidence/status
Blocked readiness-only

Stays blocked until storage, access control, retention, checksum, malware-scan, and audit rules exist.

Does not accept, store, export, or delete controlled files.

SOC 2 readiness path

ARQEN must collect operating evidence and complete independent auditor review before any SOC 2 report or certification language appears in public or customer-facing material. The readiness path is organized around Security, Availability, Processing Integrity, Confidentiality, and Privacy trust categories, but no SOC 2 report is claimed here.

Security: production auth, access reviews, tenant isolation, server authorization, change management, incident response, monitoring, and vendor-risk evidence.
Availability: backup/restore evidence, business-continuity objectives, monitoring, and production environment validation.
Processing integrity: durable workflow state, input validation, lifecycle event persistence, and reviewed source-link behavior.
Confidentiality: controlled evidence storage, retention/deletion rules, key custody, access logging, and data classification.
Privacy: public-form boundaries, privacy notice/DPA process, retention/deletion handling, and support escalation process.

Enterprise trust model

Data ownership

Public contact forms are for inquiry context only. Live production quality records require separate agreements and production controls.

Evidence upload / export logging

Future controlled evidence and export workflows require audit-event persistence, retention rules, access control, and inclusion rules before production use.

Audit-event model planned

Current pilot/demo surfaces show traceable review history and local source-basis context. Tamper-evident or immutable-audit claims require durable audit-event storage and verification gates first.

AI handling

AI assistance is advisory. ARQEN does not treat generated text as compliance truth or autonomous approval authority.

Responsible disclosure

Security reports should go to security@arqen-ai.com without including controlled production evidence unless a secure channel has been established.