Trust & Security
Security at Arkion.
Arkion governs machine identities for enterprise security teams. The security of our own platform is held to the same standard we help our customers achieve.
01
Our Security Posture
Arkion is purpose-built for enterprise security teams. Our platform handles sensitive infrastructure metadata, certificate data, and identity governance records. We apply security controls commensurate with this responsibility.
TLS 1.2+
All data encrypted in transit
AES-256
All data encrypted at rest
72hrs
Maximum breach notification timeline
02
Platform Security
Encryption in Transit
All communication between Arkion components and customer environments uses TLS 1.2 or higher. mTLS is enforced for governed agent channels.
Encryption at Rest
All data stored within the Arkion platform is encrypted at rest using AES-256.
Role-Based Access Control
Least privilege enforced across all internal systems. Access to customer data is strictly limited to personnel with a documented business need.
Multi-Factor Authentication
MFA is mandatory for all Arkion personnel accessing internal systems, the platform, and customer environments.
Vulnerability Management
Regular automated vulnerability scanning and periodic penetration testing conducted by independent third parties.
Incident Response
Documented incident response procedures with defined escalation paths, breach notification timelines, and post-incident review processes.
03
Discovery Scan Security
Read-Only. Always.
The Arkion discovery scan operates exclusively on read-only credentials provided by the customer. Arkion does not write to, modify, or delete any customer infrastructure during a scan. No agents are installed. No traffic is intercepted. The scanner identifies and inventories non-human identities — it does not interact with them.
- Read-only IAM role required
- No persistent access retained after scan completion
- Scan credentials can be revoked at any time
- All scan activity logged and available to the customer
04
Data Handling
How we handle your data:
- Infrastructure scan output (certificate metadata, identity records) is encrypted and stored per the customer DPA
- Personal data is handled per the Privacy Policy
- Sub-processor list available on request at privacy@arkion.ai
- Data residency options available — contact sales@arkion.ai
- All data deleted or returned on contract termination per the DPA
05
Compliance & Certifications
SOC 2 Type II
In progress. Target certification Q4 2026. Controls audit conducted annually.
UK GDPR
Fully compliant. Data controller registration maintained with the ICO.
ISO 27001
Alignment in progress as part of enterprise security programme.
DORA / NIS2
Platform designed to support customers' DORA and NIS2 compliance obligations.
06
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a potential security issue in the Arkion platform, we ask that you disclose it to us responsibly.
Report to security@arkion.ai
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact details for follow-up
We commit to:
- Acknowledging your report within 48 hours
- Providing a timeline for remediation
- Not taking legal action against researchers acting in good faith
Arkion Identity Systems Ltd · Security · Last updated March 2026