Security

We implement enterprise-level security protocols to protect your data and ensure system integrity.

Last updated: January 31, 2026

Overview

Arko's security is built on a multi-layered architecture covering authentication, storage, data transport, and continuous monitoring.

Security Stack

Firebase Authentication (OAuth 2.0 / OpenID Connect)
AWS DynamoDB with at-rest encryption (AES-256)
TLS 1.3 for data transport
Rate limiting and DDoS protection
Centralized audit logs

Authentication

Firebase Auth

We use Firebase Authentication as our identity provider. All users must authenticate using one of the following methods:

Google Sign-In: Google Sign-In: OAuth 2.0 with Google as provider.
Email/Password: Email/Password: Credentials stored with bcrypt hash (cost factor: 10).

JWT Tokens

Sessions are managed using JSON Web Tokens (JWT) signed with RS256:

Expiration: 1 hour (access token)
Automatic rotation via refresh tokens
Signature validation on each request
Immediate revocation on logout

Server-side verification

All API endpoints validate tokens using Firebase Admin SDK:

// Mandatory verification on each endpoint
const token = request.headers.get("Authorization")?.split("Bearer ")[1];
const decoded = await admin.auth().verifyIdToken(token);

Data Storage

DynamoDB

All user information is stored in Amazon DynamoDB with the following guarantees:

At-rest encryption: At-rest encryption: AES-256 managed by AWS KMS.
In-transit encryption: In-transit encryption: TLS 1.3 between client and server.
User isolation: User isolation: All records include uid as partition key.
Point-in-time recovery: Point-in-time recovery: Continuous backups with 35-day retention.

Sensitive data

The following data receives an additional encryption layer before storage:

User API keys (encrypted with AES-256-GCM)
Webhook URLs with embedded credentials
Access tokens for external services

Data retention

Data is retained according to the following policies:

Conversations: Conversations: Indefinitely (until user deletes them).
Audit logs: Audit logs: 90 days.
Deleted account data: Deleted account data: 30 days (recovery period).

API Security

API Keys

Users can generate API keys for programmatic access. Security policies:

Format: arko_[random_32_chars]
Storage: SHA-256 hash in database
Expiration: Configurable (default: no expiration)
Rotation: Manual by user
Revocation: Instant

Critical recommendations

DO NOT include API keys in public repositories
DO NOT share API keys via email or messaging
Rotate compromised API keys immediately
Use environment variables to store keys

Rate limiting

We implement rate limiting to prevent abuse:

Endpoint	Limit
POST /v2/auth	10 requests / min
POST /v2/agents/:id/chat	60 requests / min
GET /v2/*	300 requests / min
POST/PUT/DELETE /v2/*	100 requests / min

HTTPS mandatory

All HTTP requests are automatically redirected to HTTPS. Configuration:

TLS 1.3 (fallback to TLS 1.2)
HSTS header: max-age=31536000; includeSubDomains
Certificates issued by Let's Encrypt
Automatic rotation every 90 days

CORS

Cross-Origin Resource Sharing configured to allow only authorized origins:

Access-Control-Allow-Origin: https://arko.arcaelas.com
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400

Auditing and Monitoring

Audit logs

We log the following security events:

Authentication attempts (successful and failed)
Creation, rotation and revocation of API keys
Access to sensitive data (agents, conversations)
Modifications to account configuration
Data deletion

Each log includes:

Timestamp (UTC)
User ID
IP address
User-Agent
Resource accessed
Result (success/failure)

Anomaly detection

We monitor usage patterns to detect suspicious activity:

Failed authentication attempts: Failed authentication attempts: >5 attempts in 10 minutes results in 30-minute temporary lock.
Unusual geographic access: Unusual geographic access: Login from new location generates email notification.
Abnormal request volume: Abnormal request volume: Automatic activation of additional rate limiting.

Incident response

In case of detecting a security breach:

Immediate containment: Immediate containment: Blocking of compromised access.
Investigation: Investigation: Log analysis to determine scope.
Notification: Notification: Email to affected users within 72 hours.
Remediation: Remediation: Application of patches and credential rotation.
Post-mortem: Post-mortem: Root cause analysis and preventive improvements.

Vulnerability Reporting

If you discover a security vulnerability in Arko, please report it responsibly.

Reporting process

Send an email to security@arcaelas.com
Include detailed description and steps to reproduce
DO NOT disclose publicly until receiving confirmation
Response time: 48 business hours

We appreciate the collaboration of the security community and are considering implementing a bug bounty program in the future.

Contact

For security questions or to report vulnerabilities:

Arcaelas Insiders Ltda - Security Team

General email: legal@arcaelas.com

Vulnerabilities: security@arcaelas.com

PGP Key: Download public key