Security at Aria
Practical controls for protecting customer content, workspace access, and AI-generated output from prompt to publication.
Last updated: January 15, 2025
Encryption
In transit
TLS 1.3 minimum on every external endpoint. HSTS preload-listed. Perfect-forward-secrecy cipher suites only.
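The three transport controls above are server configuration, and a linter that reads the configuration is the simplest way to keep them from drifting. The following is an added example, not Aria's own tooling: it audits nginx-style TLS directives for a TLS 1.3-only protocol list, forward-secret cipher suites, and a preload-eligible HSTS header. The two config snippets are constructed, and the directive names are the standard nginx ones (TLS 1.3 suites are all ephemeral-key by design, so the cipher check matters for any legacy suites left in `ssl_ciphers`).

```python
import re

# Constructed sample: a weak server block that a reviewer should reject.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=300";
}
"""

# Constructed sample: the same block brought in line with the stated policy.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""

# One directive per line, terminated by ';'. Only the directives we audit are captured.
DIRECTIVE_RE = re.compile(r'^\s*(ssl_protocols|ssl_ciphers|add_header)\s+(.*?);\s*$', re.M)

# hstspreload.org requires at least one year; two years is the common recommendation.
HSTS_MIN_MAX_AGE = 31536000


def parse_directives(config: str) -> dict:
    """Collect audited directives as {name: [value, ...]} (a name may repeat)."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(config):
        found.setdefault(name, []).append(value.strip())
    return found


def audit_tls_config(config: str) -> list:
    """Return a list of policy findings; an empty list means the block passes."""
    directives = parse_directives(config)
    findings = []

    # 1. Protocols: anything other than TLSv1.3 violates the minimum-version rule.
    protocols = set()
    for value in directives.get('ssl_protocols', []):
        protocols.update(value.split())
    legacy = sorted(protocols - {'TLSv1.3'})
    if legacy or not protocols:
        findings.append(f"ssl_protocols permits {legacy or 'nothing explicit'}; require TLSv1.3 only")

    # 2. Ciphers: only ephemeral (EC)DHE key exchange gives forward secrecy.
    for value in directives.get('ssl_ciphers', []):
        for suite in filter(None, value.split(':')):
            if not suite.startswith(('ECDHE-', 'DHE-')):
                findings.append(f"cipher suite {suite} lacks forward secrecy")

    # 3. HSTS: present, long max-age, covers subdomains, preload token set.
    hsts = next((v for v in directives.get('add_header', [])
                 if v.startswith('Strict-Transport-Security')), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        match = re.search(r'max-age=(\d+)', hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {HSTS_MIN_MAX_AGE}")
        if 'includeSubDomains' not in hsts:
            findings.append("HSTS header lacks includeSubDomains")
        if 'preload' not in hsts:
            findings.append("HSTS header lacks the preload token")

    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or 'OK')
```

Run against the weak block the linter reports five findings (legacy protocols, one non-PFS suite, short max-age, missing includeSubDomains, missing preload); the hardened block reports none. Wiring a check like this into the deploy pipeline turns the policy statement into a gate rather than a promise.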
At rest
AES-256 encryption on all customer data. Key rotation every 12 months or on suspected compromise. Customer-managed keys available on Enterprise.
Secrets management
All production secrets stored in HashiCorp Vault with short-lived dynamic credentials. No long-lived API keys in production code paths.
Infrastructure
Compliance posture
Continuous monitoring with documented control mappings, evidence collection, and audit-ready reporting. Compliance summaries available to enterprise buyers under NDA.
Network segmentation
Production environment isolated in a VPC with no public administrative interfaces. Service-to-service traffic over mutual TLS.
Traffic protection
WAF and DDoS protection at the edge. Per-account rate limits with adaptive throttling on anomalous patterns.
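Adaptive throttling is easiest to reason about with a concrete policy in front of you. The following is an added example, not Aria's implementation: a per-account token bucket where the "anomalous pattern" is assumed to be an account that keeps hitting its limit, and the adaptive response is to cut that account's refill rate for a cooling-off period. All rates, thresholds and account names are constructed; the clock is injected so the behaviour is deterministic and testable.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float            # current allowance
    last: float              # timestamp of last refill
    denials: int = 0         # limit hits since the last penalty decision
    penalized_until: float = 0.0  # while now < this, the account refills slowly


class AdaptiveRateLimiter:
    """Per-account token bucket whose refill rate drops for accounts that keep exceeding it."""

    def __init__(self, rate_per_s=10.0, burst=20, denial_threshold=5,
                 penalty_factor=0.25, penalty_seconds=60.0):
        self.rate = rate_per_s                    # normal refill rate
        self.burst = burst                        # bucket capacity
        self.denial_threshold = denial_threshold  # limit hits before throttling kicks in
        self.penalty_factor = penalty_factor      # multiplier applied to the rate while throttled
        self.penalty_seconds = penalty_seconds    # how long the throttle lasts
        self._buckets = {}

    def _bucket(self, account, now):
        bucket = self._buckets.get(account)
        if bucket is None:
            bucket = Bucket(tokens=float(self.burst), last=now)
            self._buckets[account] = bucket
        return bucket

    def is_throttled(self, account, now):
        bucket = self._buckets.get(account)
        return bucket is not None and bucket.penalized_until > now

    def allow(self, account, now):
        """Return True if the request may proceed, False if it should get HTTP 429."""
        bucket = self._bucket(account, now)
        rate = self.rate * self.penalty_factor if self.is_throttled(account, now) else self.rate
        # Refill proportionally to elapsed time, never above capacity.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * rate)
        bucket.last = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True
        # Denied: count it, and escalate to a penalty once the pattern is sustained.
        bucket.denials += 1
        if bucket.denials >= self.denial_threshold and bucket.penalized_until <= now:
            bucket.penalized_until = now + self.penalty_seconds
            bucket.denials = 0
        return False


def simulate(limiter, account, n_requests, now):
    """Fire n requests at one instant; return (allowed, denied) counts."""
    allowed = sum(limiter.allow(account, now) for _ in range(n_requests))
    return allowed, n_requests - allowed


if __name__ == '__main__':
    lim = AdaptiveRateLimiter()
    print('abusive burst at t=0:', simulate(lim, 'acct-a', 30, now=0.0))   # (20, 10)
    print('throttled?', lim.is_throttled('acct-a', now=1.0))               # True
    print('abusive account at t=2:', simulate(lim, 'acct-a', 6, now=2.0))   # (5, 1)
    print('well-behaved at t=0:', simulate(lim, 'acct-b', 10, now=0.0))    # (10, 0)
```

The abusive account refills at 2.5 tokens per second instead of 10 for the next minute, so two seconds later it has only five tokens rather than the full twenty; a well-behaved account on the same node is unaffected. The same structure works with a shared store such as Redis in place of the in-memory dict, which is what a multi-node edge would need.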
Application security
Dependency review
Daily SCA scans against known vulnerability databases. Critical patches deployed within 24 hours; high within 7 days.
Code review
Two-reviewer requirement on every change touching auth, billing, or customer data paths. Security-team approval required for cryptography changes.
Security testing
Annual external penetration test by an accredited firm. Continuous fuzzing on parsers and untrusted input. Quarterly tabletop exercises.
Responsible disclosure
If you believe you have found a vulnerability, please report it to security@aria.example.invalid.
We acknowledge valid reports within two business days, provide status updates during triage, and coordinate disclosure timing with researchers acting in good faith.