ARA runs on your infrastructure. Your data never leaves your perimeter. This page is an honest account of our current security posture, not a marketing document.
ARA runs entirely within your infrastructure. Decision data is persisted to local or network storage you control. There is no ARA cloud, no data lake, no telemetry pipeline that processes your entity data or feature values.
All persisted decision state is AES-256 encrypted by default. Key management is yours, ARA supports envelope encryption with AWS KMS, GCP Cloud KMS, and HashiCorp Vault. Keys never leave your environment.
All API communication requires TLS 1.3. Mutual TLS (mTLS) is supported for service-to-service authentication. Certificate management integrates with cert-manager and Let's Encrypt out of the box.
API key authentication for Community Edition. Enterprise adds RBAC with SAML 2.0 / OIDC SSO, per-role access scoped to entity namespaces, and session audit logs with full attribution.
Anonymous usage telemetry is enabled by default and disclosed in the EULA. It collects ops-rate ranges, uptime, and crash reports, never entity IDs, feature values, or decision outputs. Disable via telemetry.enabled: false in config.
The decision log is append-only. Writes are cryptographically chained, every snapshot contains a SHA-256 hash of the prior snapshot. Any modification to historical records breaks the chain. Chain validation is a built-in CLI command: ara chain verify.
Every release binary is GPG-signed with a key published on the releases page. SHA-256 checksums are published alongside each download. Verify before running: sha256sum -c checksums.txt and gpg --verify ara.tar.gz.sig.
We operate a responsible disclosure programme. Report vulnerabilities to security@aralabs.ai. Our PGP public key is on the releases page for sensitive reports. We commit to acknowledging reports within 48 hours and providing a remediation timeline within 7 days.
We respond to security inquiries within 48 hours. For regulated customers requiring a Data Processing Agreement (DPA) or penetration test approval, use the form and specify your requirement.
We acknowledge all security inquiries within 48 hours.