Security & trust
Enterprise trust posture for quality work.
ARQEN is designed for regulated quality workflows where source records, evidence references, human review, and traceability matter. This page separates current public/pilot capability from production controls that must be implemented before live regulated operations.
Current security posture
ARQEN remains a demo/local pilot-ready prototype until production controls are selected, verified, and operating.
Public website, documentation, walkthroughs, and contact forms are available for evaluation.
Demo/local workflows use sample or pilot-context records and evidence-reference metadata only.
Quality Slice production-shaped routes fail closed until production prerequisites are satisfied.
Production guard endpoints return structured blocked responses for production-shaped route checks.
Production auth, production writes, tenant isolation, durable persistence, and controlled evidence storage remain unavailable.
Human authority is preserved; advisory AI does not approve, release, certify, or close regulated work.
Current controls and future gates are separated.
Evidence references and source-basis review context only
Audit-event model planned before any tamper-evident or immutable-audit claim
Deterministic logic first; advisory assistance remains human-reviewed
Blocked until auth, tenant isolation, authorization, and persistence gates exist
Data ownership
Customer production quality records should remain under customer control and be governed by a separate pilot or enterprise agreement before any live use. Public website forms should not receive controlled evidence or live regulated records.
Tenant and data isolation
Tenant/workspace isolation is a required production gate. Current public and demo/local surfaces should be treated as evaluation context, not production tenant isolation.
Encryption
Public web traffic is expected to use HTTPS in hosted environments. Production encryption-at-rest commitments, key management, backups, and retention rules must be finalized before live regulated operation.
Access-control roadmap
Role and permission models are part of the production-readiness plan. Production auth, verified actor identity, tenant membership, workspace scope, and server-side authorization are not claimed until implemented and tested.
Audit trails and action logging
ARQEN is designed around lifecycle events, source links, review actions, and future audit-event contracts. Current logs and source-basis records are local/demo review context, not immutable or tamper-evident audit.
Evidence controls
Current evidence references are metadata only. Controlled evidence storage requires file storage, access control, retention, checksums, malware-scan policy where appropriate, and audit-event persistence before production claims.
Human-authorized approvals
ARQEN supports review and closure discipline, but it does not replace responsible quality personnel, customer approval, regulatory review, e-signature, or final controlled-copy release authority.
AI data handling
ARQEN does not present AI-generated text as compliance truth. Deterministic quality logic remains primary, source records stay linked, and advisory assistance is labeled as advisory.
Enterprise roadmap, clearly labeled.
These items are part of the production-readiness path and should be confirmed in a security review before relying on ARQEN for live regulated work.
- SSO and SCIM planning for enterprise identity environments
- SOC 2 readiness roadmap aligned to Security, Availability, Processing Integrity, Confidentiality, and Privacy trust categories
- Advanced audit exports after durable audit-event storage exists
- Controlled evidence storage after provider, retention, checksum, and access-control gates are satisfied
- Production backup/recovery and environment validation before production writes
Readiness requires controls, evidence, and an independent report.
ARQEN is aligning its production-control plan to the SOC 2 trust-services categories, but readiness is not the same as an issued SOC 2 report. Public claims must wait for implemented controls, operating evidence, management assertion, and independent auditor review for the stated scope.
- Independent CPA/service-auditor engagement and scoped system description
- Production identity, tenant isolation, server authorization, and access-review evidence
- Durable audit-event storage, change-management evidence, incident response, vulnerability management, and vendor-risk processes
- Backup/restore evidence, monitoring, business-continuity objectives, and production environment validation
- Controlled evidence storage, retention/deletion, key custody, privacy/DPA process, and auditor evidence collection
Responsible disclosure
Security reports, suspected vulnerabilities, or trust-review questions can be sent to security@arqen-ai.com. Please do not include controlled production evidence or regulated customer records in public email unless a secure review channel has been established.
Blocked production route contracts
These endpoints return structured blocked responses for production-shaped route checks. They document missing gates; they do not authenticate users, isolate tenants, authorize server roles, approve launch, mutate records, accept controlled files, persist audit events, or enable production operation.
/api/production-write/guardProduction write authorization
Fails closed until production auth, tenant scope, server authorization, and persistence are verified.
Does not mutate records or enable production writes.
/api/production-access/guardProduction access authorization
Fails closed until verified actor identity, tenant membership, role policy, and permission policy exist.
Does not authenticate users, isolate tenants, or authorize server roles.
/api/production-access/session/statusServer-readable production session status
Stays blocked until production session prerequisites exist without creating or trusting a production session.
Does not create, refresh, revoke, or validate production sessions.
/api/production-reporting/statusCertified report generation and export
Stays blocked until durable data, report templates, signature policy, and review evidence are implemented.
Does not generate, sign, certify, or export regulated reports.
/api/production-continuity/statusBackup, recovery, and production environment validation
Stays blocked until backup/restore evidence, monitoring, and launch validation exist.
Does not certify backup, recovery, environment validation, or launch approval.
/api/production-source-links/statusCross-module source-link persistence
Stays blocked until source-link writes, revision history, integrity checks, and exports are durable.
Does not create, update, delete, export, or certify source-link records.
/api/production-audit/statusDurable audit-event storage
Stays blocked until audit-event persistence, retention, integrity, and export controls are implemented.
Does not persist audit events or create immutable audit proof.
/api/production-persistence/statusProduction repositories and migrations
Stays blocked until database configuration, migrations, repositories, and backups are verified.
Does not persist records, apply migrations, or enable production repositories.
/api/production-signature/statusElectronic signature capture
Stays blocked until signer identity, intent capture, record binding, and audit persistence exist.
Does not capture signatures or create signature records.
/api/production-release/go-no-goProduction launch decision
Fails closed until all production readiness gates are complete and independently reviewed.
Does not approve launch or regulated operation.
/api/production-release/controlled-copy/statusFinal controlled-copy release
Stays blocked until release approval, revision control, distribution, and signature controls exist.
Does not approve releases, distribute controlled copies, or capture release signatures.
/api/controlled-evidence/statusControlled evidence file storage
Stays blocked until storage, access control, retention, checksum, malware-scan, and audit rules exist.
Does not accept, store, export, or delete controlled files.