Security & Trust
Security is a feature, not an afterthought. Ariyes runs multiple brands, teams, and customer datasets on one platform, so isolation, encryption, and least-privilege access are built into the architecture, not bolted on.
Data protection
Encryption in transit. All traffic to and from the platform is encrypted using TLS. Data moving between our services and our sub-processors is encrypted in transit.
Encryption at rest. Databases, file storage, and backups are encrypted at rest. Sensitive stored credentials, such as the API tokens for accounts you connect to Ariyes , are additionally encrypted at the application layer using AES-256-GCM.
EU hosting. Our primary application, database, and email infrastructure run in the EU (Frankfurt region), which supports GDPR data-residency expectations.
Tenant isolation.Ariyes is multi-tenant by design. Every request is scoped to a workspace, and access controls at the application and data layers are built to ensure one customer’s data is never visible to another.
Access control
Least privilege. Internal access to production systems is restricted to the personnel who need it, granted on a least-privilege basis, and logged. Privileged actions - including any administrative impersonation of a workspace for support, are recorded in an audit log.
Passwordless sign-in. User accounts sign in without passwords, via an email magic link or Google sign-in, which removes the risk of weak or reused passwords. Multi-factor authentication is required for privileged platform-staff access.
Role-based permissions. Within a workspace, you control what each team member can see and do through roles and granular permissions. Every request is scoped to a single workspace.
Infrastructure & operations
Reputable providers. We host on established cloud infrastructure (EU/Frankfurt) and rely on vetted providers for email (Mailgun, AWS SES), SMS and WhatsApp (Twilio), payments (Stripe), and error monitoring (Sentry). Each sub-processor is bound by data-protection obligations. See our DPA for the current list.
Backups & resilience. Data is backed up regularly, and we design for recoverability.
Monitoring & logging. We log access and key events, and monitor the platform for abuse, anomalies, and security signals - including sending-abuse controls that protect deliverability across the platform.
Secure development. Security is part of our development lifecycle: code review, dependency management, and testing before changes reach production.
Privacy & compliance
Your data is yours. We process customer data only to provide the Service and on your instructions. We do not sell personal data. See our Privacy Policy and DPA.
Data processing terms. We offer a Data Processing Addendum covering GDPR/UK GDPR obligations, sub-processors, international transfers, and breach notification.
Communications compliance. The platform includes suppression lists, unsubscribe handling, and consent-oriented controls to help you send responsibly. See our Acceptable Use Policy.
Certifications.[PLACEHOLDER, list only certifications you actually hold, e.g. SOC 2 Type II, ISO 27001, or state “in progress”. Remove this block if none apply.]
Responsible disclosure
If you believe you’ve found a security vulnerability, we want to hear from you. Please report it to [email protected]with enough detail to reproduce the issue. We ask that you give us reasonable time to investigate and remediate before public disclosure, and that you avoid accessing or modifying other users’ data during testing. We appreciate and acknowledge responsible researchers.
Questions
For security questions, documentation requests, or to request our current sub-processor list, contact [email protected].