Security posture
Security is operations work — not a marketing slogan. This page describes what we actually do today. We update it as our posture matures, and we're happy to walk procurement teams through it in detail.
Posture in one paragraph
Arbor Lane is a multi-tenant SaaS platform running on Cloudflare Workers at the edge, with per-tenant data isolation enforced at the database layer. We use Cloudflare D1 (SQLite) for tenant data, R2 for files, and KV for short-lived security primitives like rate-limit counters and CSRF tokens. Sessions are managed by Better Auth. We force TLS 1.3 and HSTS on every request. We're pursuing SOC 2 Type II certification and are currently in the control-design phase; we expect to begin our audit window in 2026 Q4.
Encryption
All connections to Arbor Lane use TLS 1.3. We force HSTS so browsers refuse to downgrade. Data at rest is encrypted by Cloudflare D1 (tenant database) and R2 (file storage) using their default encryption-at-rest implementations.
Access controls
Inside the application we use capability-based authorization — every action is gated by a named capability tied to a role. Cross-tenant requests are blocked at the routing layer by host-scoped tenant resolution. State-changing administrative actions (role changes, charge posting, account suspension, banking changes) are all audit-logged with operator identity, time, and parameters.
Authentication
We use Better Auth for session management. Passwords are required to be at least 8 characters; we hash them with industry-standard primitives. Two-factor authentication is available on operator accounts. Mobile applications use a session-bearer model with a server-validated user-agent discriminator that prevents CSRF replay from a web context.
Audit logging
Every state-changing API call writes an audit-log row capturing the actor, the action, the target, the before/after state, and the timestamp. We redact credentials, banking numbers, and other secret-shaped fields before persisting. Audit logs are retained for seven years and are available to operators on request.
Sub-processors
Our sub-processors and their data processing addenda are listed at /legal/subprocessors. We commit to giving customers who subscribe at least 30 days' notice before adding a new sub-processor.
Backups and disaster recovery
We rely on Cloudflare D1's daily snapshot mechanism plus point-in-time export. Our recovery target is to restore service within 24 hours of a catastrophic failure. Backups are encrypted at rest by Cloudflare and roll off on a 30-day window.
Vulnerability disclosure
Found a security issue? Email legal@arborlane.app with the subject "Security disclosure." We commit to a good-faith response within five business days and to working with you on coordinated disclosure. We do not currently operate a paid bug-bounty program, but we publicly credit reporters who request it.
Incident response
If we discover a security incident affecting customer data, we will notify affected customers without undue delay and in any event within the legally required notification window for the relevant jurisdiction. Notifications include what happened, what data was affected, what we're doing about it, and what you should do.
Compliance posture
Arbor Lane is pursuing SOC 2 Type II certification — we are in the control-design phase and expect to begin our audit window in 2026 Q4. We honor GDPR and CCPA data-subject rights (see Privacy Policy). We can share our current control posture, data flow diagrams, and incident-response runbook under NDA — email legal@arborlane.app to start that conversation.