Security Policy

Last Updated: January 13, 2025

Arxiv Stone Inc. ("Company," "we," "our," or "us") is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us. This Security Policy outlines the technical, organizational, and administrative measures we implement to safeguard customer data, prevent unauthorized access, and ensure compliance with applicable regulations.

1. Scope

This Policy applies to all data processed through our platform, including but not limited to:

  • Account and identity information.
  • API keys and authentication credentials.
  • Equity and corporate records.
  • Legal and business documents uploaded or generated through the platform.
  • Operational and system logs.

2. Encryption Standards

2.1 Data at Rest

  • All sensitive data is encrypted using AES-256-CBC encryption.
  • Encryption keys are generated and managed in compliance with NIST SP 800-57 guidelines.
  • Keys are rotated periodically and stored in a Hardware Security Module (HSM) or equivalent secure key vault.

2.2 Data in Transit

  • All data transmissions occur over secure channels using TLS 1.2 or higher (preferably TLS 1.3).
  • Strong cipher suites are enforced; weak protocols and ciphers are disabled.

2.3 API Security

  • All API traffic requires HTTPS with TLS encryption.
  • API authentication is enforced using token-based mechanisms, OAuth 2.0, or mutual TLS as applicable.

3. Access Control

  • Role-Based Access Control (RBAC) ensures that users only have access to resources necessary for their role.
  • Multi-Factor Authentication (MFA) is required for administrative accounts.
  • The principle of least privilege is enforced across all systems.
  • Internal access to production systems is restricted to authorized personnel only and logged.

4. Network Security

  • Firewalls & Segmentation – Network segmentation and firewalls isolate sensitive data environments from public-facing systems.
  • Intrusion Detection & Prevention – Continuous monitoring for suspicious activity using enterprise-grade IDS/IPS systems.
  • DDoS Protection – Distributed Denial-of-Service mitigation is implemented via upstream filtering and rate-limiting.

5. Data Backup & Recovery

  • Encrypted backups are taken at regular intervals and stored in geographically redundant locations.
  • Disaster recovery testing is conducted at least annually.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined for critical services.

6. Monitoring & Logging

  • Comprehensive logging of system access, API calls, and administrative actions.
  • Logs are immutable, time-synchronized, and stored securely.
  • Continuous Security Information and Event Management (SIEM) monitoring for anomaly detection.

7. Vulnerability Management

  • Regular penetration testing by third-party security experts.
  • Automated vulnerability scanning of infrastructure and applications.
  • Patch management processes ensure timely remediation of security flaws.

8. Incident Response

  • Dedicated Incident Response Plan (IRP) for detecting, analyzing, containing, and recovering from security incidents.
  • 24/7 on-call security team for high-severity incidents.
  • Customer breach notifications issued in compliance with applicable regulations (e.g., GDPR 72-hour rule, U.S. state breach notification laws).

9. Compliance & Standards

We align our security practices with:

  • ISO/IEC 27001 – Information Security Management Systems.
  • NIST Cybersecurity Framework.
  • SOC 2 Type II security principles (where applicable).

10. Customer Responsibilities

Customers are responsible for:

  • Safeguarding their account credentials and API keys.
  • Using secure client-side configurations when connecting to our APIs.
  • Implementing appropriate access controls within their own organization.

11. Policy Review

This Security Policy is reviewed at least annually or upon significant changes to our security posture.