How we think about security
Security at ARIAA is a design constraint, not a bolt-on. The platform was architected from the first commit against the expectation that every tenant is a regulated institution whose data cannot leave the jurisdiction, cannot be commingled with another tenant's, and cannot tolerate a third party sitting in the trust boundary. Every product decision is reviewed against that constraint before it ships.
We follow industry security best practices across the product lifecycle — secure development, threat modelling, dependency governance, least-privilege access, defence-in-depth, and continuous monitoring. We intentionally do not publish implementation detail on this page. Adversaries are on the internet; specifics about our internal controls are shared only with customers and auditors under NDA, where they serve defence rather than attack.
Framework alignment
- SOC 2 Type II — controls designed to the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). Formal audit engaged; certification on the 2026 roadmap.
- ISO/IEC 27001 — Information Security Management System scoped alongside SOC 2. Certification on the 2026 roadmap.
- GDPR · UK GDPR · LGPD · CCPA — ARIAA operates as a data processor for customer-controlled deployments. Controller obligations and sub-processor commitments are in the Data Processing Addendum. DPIA support is available on request.
- Sector-specific frameworks — we support evidence production against customer-led frameworks (e.g. NIST CSF, HIPAA- aligned deployments, sector-specific regulator requirements) through the DPA and under NDA.
Deployment principles
The defining feature of ARIAA's security posture is that the customer chooses where the data lives. We offer deployment modes that let regulated institutions keep data inside the jurisdiction, inside the customer's estate, or fully offline:
- SaaS — managed by ARIAA, appropriate where policy permits.
- Dedicated cloud — single-tenant in the customer's chosen cloud and region.
- On-premises — inside the customer's data centre, under customer control.
- Air-gapped — fully offline for the highest-sensitivity tenants.
Regardless of deployment mode, the security controls are designed to be the same. The posture does not degrade when the customer chooses a more restrictive footprint.
What we commit to
- Confidentiality — encryption in transit and at rest using modern, widely-audited algorithms; strict segregation of customer data.
- Access control — authenticated, authorised, and auditable. Role-based access with least-privilege defaults. SSO integration with customer identity providers.
- Integrity and audit — every change to customer data is logged with actor, action, resource, and timestamp. The audit trail is customer-queryable and is the source for compliance evidence.
- Resilience — availability targets and measurement commitments defined per tier in the Order Form.
- Privacy — data minimisation by default; zero raw-content retention for ingested signals once features are extracted.
- Secure development — code review, static analysis, dependency scanning, and signed releases as part of the SDLC.
- Independent testing — penetration testing by an independent firm on a regular cadence; high-severity findings are remediated before the engagement closes.
What the customer controls
ARIAA is designed so that the customer, not ARIAA, decides the sensitive parts of the trust boundary:
- Where the data is stored — jurisdiction, cloud, or on-prem footprint.
- Who has access — identity provider, roles, and review cadence.
- How long data is retained — contractual retention plus return-or-delete on termination.
- Which sub-processors are in scope — general authorisation with the right to object to new ones.
Information available under NDA
For procurement and risk-committee reviews we share specifics that we do not publish here:
- Security questionnaire responses (CAIQ / SIG / customer templates).
- Latest penetration-test executive summary and remediation status.
- SOC 2 readiness report; ISO 27001 scoping artefacts.
- Sub-processor register with roles and locations.
- Incident-response playbook summary and RTO/RPO targets.
- Architecture and data-flow diagrams for the deployment mode under discussion.
Request via your ARIAA contact or marko@intellimento.com with subject “ARIAA security package”. We turn these around same-week under NDA.
Vulnerability disclosure
Coordinated disclosures are welcomed. Email marko@intellimento.com with subject “ARIAA security disclosure”. We acknowledge within 72 hours and agree a timeline for remediation and coordinated disclosure. Please do not scan or test production without prior written authorisation.