Security & trust

Enterprise trust posture for quality work.

ARQEN is designed for regulated quality workflows where source records, evidence references, human review, and traceability matter. This page separates current public/pilot capability from production controls that must be implemented before live regulated operations.

Current security posture

ARQEN remains a demo/local pilot-ready prototype until production controls are selected, verified, and operating.

Public website, documentation, walkthroughs, and contact forms are available for evaluation.

Demo/local workflows use sample or pilot-context records and evidence-reference metadata only.

Quality Slice production-shaped routes fail closed until production prerequisites are satisfied.

Production guard endpoints return structured blocked responses for production-shaped route checks.

Production auth, production writes, tenant isolation, durable persistence, and controlled evidence storage remain unavailable.

Human authority is preserved; advisory AI does not approve, release, certify, or close regulated work.

Trust summary

Current controls and future gates are separated.

Current evidence handling

Evidence references and source-basis review context only

Audit posture

Audit-event model planned before any tamper-evident or immutable-audit claim

AI boundary

Deterministic logic first; advisory assistance remains human-reviewed

Production access

Blocked until auth, tenant isolation, authorization, and persistence gates exist

Data ownership

Customer production quality records should remain under customer control and be governed by a separate pilot or enterprise agreement before any live use. Public website forms should not receive controlled evidence or live regulated records.

Tenant and data isolation

Tenant/workspace isolation is a required production gate. Current public and demo/local surfaces should be treated as evaluation context, not production tenant isolation.

Encryption

Public web traffic is expected to use HTTPS in hosted environments. Production encryption-at-rest commitments, key management, backups, and retention rules must be finalized before live regulated operation.

Access-control roadmap

Role and permission models are part of the production-readiness plan. Production auth, verified actor identity, tenant membership, workspace scope, and server-side authorization are not claimed until implemented and tested.

Audit trails and action logging

ARQEN is designed around lifecycle events, source links, review actions, and future audit-event contracts. Current logs and source-basis records are local/demo review context, not immutable or tamper-evident audit.

Evidence controls

Current evidence references are metadata only. Controlled evidence storage requires file storage, access control, retention, checksums, malware-scan policy where appropriate, and audit-event persistence before production claims.

Human-authorized approvals

ARQEN supports review and closure discipline, but it does not replace responsible quality personnel, customer approval, regulatory review, e-signature, or final controlled-copy release authority.

AI data handling

ARQEN does not present AI-generated text as compliance truth. Deterministic quality logic remains primary, source records stay linked, and advisory assistance is labeled as advisory.

Planned controls

Enterprise roadmap, clearly labeled.

These items are part of the production-readiness path and should be confirmed in a security review before relying on ARQEN for live regulated work.

SSO and SCIM planning for enterprise identity environments
SOC 2 readiness roadmap aligned to Security, Availability, Processing Integrity, Confidentiality, and Privacy trust categories
Advanced audit exports after durable audit-event storage exists
Controlled evidence storage after provider, retention, checksum, and access-control gates are satisfied
Production backup/recovery and environment validation before production writes

SOC 2 readiness roadmap

Readiness requires controls, evidence, and an independent report.

ARQEN is aligning its production-control plan to the SOC 2 trust-services categories, but readiness is not the same as an issued SOC 2 report. Public claims must wait for implemented controls, operating evidence, management assertion, and independent auditor review for the stated scope.

Independent CPA/service-auditor engagement and scoped system description
Production identity, tenant isolation, server authorization, and access-review evidence
Durable audit-event storage, change-management evidence, incident response, vulnerability management, and vendor-risk processes
Backup/restore evidence, monitoring, business-continuity objectives, and production environment validation
Controlled evidence storage, retention/deletion, key custody, privacy/DPA process, and auditor evidence collection

Responsible disclosure

Security reports, suspected vulnerabilities, or trust-review questions can be sent to security@arqen-ai.com. Please do not include controlled production evidence or regulated customer records in public email unless a secure review channel has been established.

Blocked production route contracts

/api/production-write/guard and /api/production-access/guard return structured blocked responses for production-shaped route checks. They do not authenticate users, isolate tenants, authorize server roles, mutate records, persist audit events, or enable production operation.

Security model docs Request security review