Security & Compliance

ARI is designed for engineering teams that operate in regulated industries. This page explains how we handle your data, what controls are in place, and how ARI supports your compliance posture.

Compliance Overview

ARI is built on infrastructure that supports compliance requirements. The following standards and controls are in scope or actively pursued:

Standard        Status
SOC 2 Type II   In progress
GDPR            Compliant
ISO 27001       Roadmap 2026
CCPA            Compliant

You can request a security questionnaire, architecture review, or custom DPA (Data Processing Agreement). Contact our team to arrange this.

GDPR

ARI complies with the General Data Protection Regulation (GDPR). Here is what that means for your team:

  • Data processor role: When you connect ARI to your staging environment, ARI acts as a data processor. You remain the data controller and retain ownership of all data.
  • DPA available: A Data Processing Agreement is available on request for customers on the Pro plan and above.
  • Data residency: Data is stored in EU-based infrastructure by default. Contact us for US region availability.
  • Right to erasure: You can delete your account and all associated data from Settings → Account → Delete account. Data is purged within 30 days.
  • Sub-processors: We maintain an up-to-date list of sub-processors. Changes are notified 30 days in advance via email.

ARI does not share personal data with third parties for advertising or profiling.

Data Retention

ARI retains analysis data for different durations depending on your plan. All data is permanently deleted after the retention period and cannot be recovered.

Plan      Retention   Reports kept
Free      7 days      Last 3 reports
Starter   30 days     Last 20 reports
Pro       90 days     Last 100 reports
Team      1 year      Unlimited

You can manually delete any analysis report at any time from the dashboard or via the API. Deletion is immediate and irreversible.

Encryption

All data is encrypted in transit to and from ARI, and at rest once stored.

  • In transit: All API and dashboard traffic uses TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
  • At rest: Analysis data, report contents, and integration credentials are encrypted at rest using AES-256.
  • API keys: API keys are stored as hashed values. ARI cannot retrieve your key after initial display. Rotate keys at any time from Settings.
  • Integration tokens: Third-party integration tokens (Jira, Datadog, PagerDuty) are encrypted at rest using envelope encryption with per-tenant keys.
  • Evidence redaction: Analysis reports automatically redact cookies, session tokens, Authorization headers, and other sensitive values before displaying or storing evidence.
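
As an added illustration of the evidence-redaction step (example code written for this page, not ARI's own implementation), the function below scrubs sensitive headers and token-like parameters from a constructed HTTP evidence record before it would be stored or displayed. The header names, parameter names and record layout are assumptions, not ARI's actual redaction list.

```python
import re
from typing import Any, Dict

REDACTED = "[REDACTED]"

# Headers whose whole value is replaced. Assumed list, not ARI's actual configuration.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Parameter names treated as session material, matched in query/form (name=value)
# and JSON ("name": "value") forms. Assumed list.
_NAMES = r"session(?:_?id)?|access_token|refresh_token|token|api_key"
PARAM_RE = re.compile(rf"(?i)\b({_NAMES})=[^&\s]+")
JSON_RE = re.compile(rf'(?i)("(?:{_NAMES})"\s*:\s*)"[^"]*"')


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Replace the value of every sensitive header; names match case-insensitively."""
    return {name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def redact_text(text: str) -> str:
    """Replace token-like values in URLs, form bodies and JSON bodies, keeping the key names."""
    text = PARAM_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    return JSON_RE.sub(lambda m: f'{m.group(1)}"{REDACTED}"', text)


def redact_evidence(evidence: Dict[str, Any]) -> Dict[str, Any]:
    """Return a redacted copy of a captured request; the original record is not mutated."""
    return {
        "url": redact_text(evidence["url"]),
        "headers": redact_headers(evidence["headers"]),
        "body": redact_text(evidence["body"]),
    }


# Constructed sample evidence record (not real traffic).
SAMPLE_EVIDENCE = {
    "url": "https://staging.example.test/api/orders?session_id=abc123&page=2",
    "headers": {
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.sample",
        "Cookie": "sid=s3cr3t; theme=dark",
        "Content-Type": "application/json",
    },
    "body": '{"access_token": "tok_12345", "status": "ok"}',
}

if __name__ == "__main__":
    print(redact_evidence(SAMPLE_EVIDENCE))
```
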

If you discover a security vulnerability in ARI, please disclose it responsibly to security@ari.sh. We acknowledge reports within 24 hours and aim to ship a fix within 7 days for critical issues.