Privacy Policy

1. Introduction

Arx Inc. ("Arx," "we," "us," or "our") operates ARXsec.io, a compliance-native infrastructure platform for enterprise AI agents. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our platform, website, and related services (collectively, the "Service").

This policy applies to the ARXsec.io console application and our corporate website. Enterprise customers who have entered into a Data Processing Agreement ("DPA") with Arx should refer to that DPA for the terms governing Arx's processing of personal data on their behalf.

By using the Service, you acknowledge the practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

Account Data

• Name and work email address
• Organization name and industry
• Billing information (processed by our payment processor)
• Role and access permissions within your organization

Usage Data

• Agent deployment configurations and metadata
• Policy definitions and guardrail configurations
• Approval workflow actions and decisions
• Connector configurations (metadata only — secrets are encrypted and not readable by Arx)
• Compliance report generation activity

Audit Telemetry

• Agent execution logs and action records
• Policy evaluation results
• Human approval decisions and timestamps
• Audit trail entries (retained per your subscription tier)

Technical Data

• IP addresses and approximate geographic location
• Browser type, client version, and device identifiers
• Session tokens and authentication logs (for security purposes)
• API request logs and error traces

3. How We Use Information

We use the information we collect to:

• Provision, operate, and maintain the Service
• Enforce platform policies and detect abuse, fraud, and unauthorized access
• Generate compliance reports and audit trails on behalf of Customer
• Improve platform features, reliability, and security using aggregated, de-identified data
• Send transactional communications (account notifications, security advisories, billing statements)
• Send product updates and announcements (you may opt out at any time)
• Respond to support requests and inquiries
• Comply with applicable legal obligations

4. AI Agent Data Processing

Arx processes data generated by AI agents deployed through the Service strictly to provide the contracted Service. We do not:

• Use Customer agent execution data or audit logs to train, fine-tune, or improve machine learning models
• Share Customer agent data with third parties for advertising, analytics, or any purpose other than operating the Service
• Access Customer secrets, credentials, or sensitive agent payloads beyond what is technically necessary to execute the service

Where Customer agent workflows process personal data, the Customer remains the data controller and Arx acts as a data processor within the meaning of GDPR Article 28. Enterprise customers may request a Data Processing Agreement (DPA) by contacting legal@arxsec.io.

5. Data Sharing

We do not sell personal data. We share information only in the following limited circumstances:

Service Providers

We engage trusted third-party providers for cloud infrastructure, payment processing, and email delivery. These providers are bound by data processing agreements and may only process data to provide services to Arx.

Legal Requirements

We may disclose information when required by law, court order, or governmental authority. Where legally permitted, we will notify affected customers before complying with such requests.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, customer information may be transferred to the successor entity. The successor will be bound by this Privacy Policy or a substantially equivalent policy.

With Consent

We may share information with third parties when you have given us explicit consent to do so.

6. Data Retention

We retain account data and associated usage records for the duration of your subscription and for ninety (90) days following termination, during which time you may export your data. After this period, data is permanently deleted from our systems.

Audit telemetry and agent execution logs are retained according to your subscription tier as specified in your Order Form. If no specific retention period is specified, the default is ninety (90) days.

To request earlier deletion of your data, contact legal@arxsec.io. Certain data may be retained longer where required by applicable law.

7. Security

Arx implements industry-standard security measures to protect your information, including:

• Encryption at rest using AES-256
• Encryption in transit using TLS 1.2 or higher
• Role-based access controls with principle of least privilege
• Secrets stored in encrypted vaults (HashiCorp Vault integration)
• Security incident response program with defined escalation procedures
• SOC 2 Type II compliance target (refer to your sales contact for current certification status)

No security system is impenetrable. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach affecting your information, we will notify you in accordance with applicable law.

8. International Data Transfers

Arx Inc. is based in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

For customers in the European Union or European Economic Area (EU/EEA), international transfers of personal data are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission. Customers requiring SCCs or a DPA should contact legal@arxsec.io.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

GDPR Rights (EU/EEA residents)

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to restriction of processing
• Right to object to processing

CCPA Rights (California residents)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell personal data)
• Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at legal@arxsec.io. We will respond to verifiable requests within the timeframe required by applicable law.

10. Cookies and Tracking

ARXsec.io uses session cookies for authentication and to maintain your logged-in state. These are strictly necessary for the operation of the Service and cannot be disabled without affecting functionality.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics SDKs in the platform console. We do not track your activity across other websites.

11. Children's Privacy

The Service is intended for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such information, please contact us at legal@arxsec.io and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via email to the registered account address before the changes take effect. Non-material changes (such as clarifications) may be made without notice.

Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.

13. Contact Us

For privacy-related inquiries, data subject requests, or questions about this policy, please contact: