Security
Last updated: 2026-05-06
Arzan Hub is built as a multi-tenant communication platform for businesses. We treat security as a continuous engineering practice, not a checklist. This page summarizes the controls we implement today.
1. Encryption
- Transport: TLS 1.2+ on all public endpoints (api.hub.arzan.cloud, hub.arzan.cloud).
- At rest: AES-256 for channel credentials, OAuth tokens, webhook secrets, and all media in object storage.
- Application secrets are stored in environment-isolated secret stores, never in version control.
2. Tenant isolation
- Every database row carries a tenant_id; all queries are scoped by tenant in the application layer.
- BullMQ jobs and Redis keys are namespaced by tenant.
- MinIO objects use tenant-prefixed keys with per-tenant access policies.
- Cross-tenant access is impossible by construction; we run automated tests for tenant scoping on every release.
3. Authentication and access
- JWT-based authentication with 15-minute access tokens and rotated refresh tokens.
- Argon2id password hashing for staff accounts.
- Optional 2FA (TOTP) for tenant admins; required for super-admin access.
- Role-based access control: owner, admin, agent, viewer.
- All super-admin actions are written to an immutable audit log.
4. Webhook integrity
- Meta webhooks (WhatsApp Business, Instagram, Messenger): verified with X-Hub-Signature-256 HMAC against the raw request body.
- Telegram webhooks: secret_token header verified with timing-safe comparison.
- Custom HTTP channels: per-channel signing secret with timing-safe comparison.
- Replay protection via timestamp window and nonce cache where supported by the provider.
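The checks listed in this section, as an added Node.js example that is not Arzan Hub's own code. The Meta check follows the X-Hub-Signature-256 format (`sha256=<hex>` over the raw body); the custom-channel signing layout, the 5-minute window, and the in-memory nonce map are assumptions made for illustration.

```javascript
// Added example, not Arzan Hub's code. Window size, signing layout and names are assumptions.
const crypto = require('node:crypto');

const WINDOW_MS = 5 * 60 * 1000; // assumed replay window
const seenNonces = new Map();    // nonce -> expiry; stand-in for a shared cache such as Redis

// Timing-safe string comparison. Hashing both sides first gives equal-length
// buffers, so timingSafeEqual never throws on a length mismatch.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Meta webhooks: header is "sha256=<hex HMAC-SHA256 of the raw body bytes>".
// rawBody must be the bytes as received, not a re-serialized parsed object.
function verifyMetaSignature(rawBody, header, appSecret) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  const mac = crypto.createHmac('sha256', appSecret).update(rawBody).digest('hex');
  return safeEqual(header, 'sha256=' + mac);
}

// Telegram webhooks: the configured secret_token is echoed back in a header.
function verifyTelegramToken(headerValue, secretToken) {
  return typeof headerValue === 'string' && safeEqual(headerValue, secretToken);
}

// Custom channel (hypothetical layout): HMAC over "<timestamp>.<nonce>.<raw body>".
function verifyCustomWebhook({ rawBody, signature, timestamp, nonce }, secret, now = Date.now()) {
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > WINDOW_MS) return 'stale';
  const mac = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${nonce}.`).update(rawBody).digest('hex');
  if (typeof signature !== 'string' || !safeEqual(signature, mac)) return 'bad-signature';
  // Touch the nonce cache only after the signature passes, so unauthenticated
  // requests cannot fill it or burn a legitimate sender's nonce.
  for (const [n, exp] of seenNonces) if (exp < now) seenNonces.delete(n);
  if (seenNonces.has(nonce)) return 'replay';
  seenNonces.set(nonce, ts + WINDOW_MS); // a message is acceptable until ts + window
  return 'ok';
}
```

In an HTTP framework, the raw body has to be captured before any JSON body parser runs; verifying a re-serialized object fails whenever the sender's whitespace or key order differs.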
5. Infrastructure
- Hosting: Hetzner Online GmbH, EU data centers (Falkenstein and Nuremberg, Germany).
- Network: Cloudflare in front for DNS and DDoS mitigation.
- Backups: nightly Postgres dumps and MinIO snapshots, retained 14 days.
- Software updates: rolling kernel and container updates monthly; security patches within 72 hours of disclosure.
6. Incident response
- On-call engineer rotation. Initial triage within 1 hour for P1 incidents.
- Tenant notification within 72 hours of a confirmed personal data breach (GDPR Art. 33).
- Status updates published at status.arzan.cloud (planned) and via email to tenant admins.
- Post-mortems shared with affected tenants within 14 days.
7. Sub-processors
Hub uses the following sub-processors. We notify tenants of material additions before they take effect.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Compute, storage, network | Germany (EU) |
| Cloudflare, Inc. | DNS, DDoS mitigation, edge TLS | Global |
| Meta Platforms, Inc. | WhatsApp / Instagram / Messenger channel delivery | USA / EU |
| Telegram FZ-LLC | Telegram channel delivery | UAE / Global |
| Green API | WhatsApp via personal-account gateway | Russia / Global |
| OpenRouter Inc. | AI inference routing (when AI is enabled) | USA |
| Anthropic PBC | Claude models (when AI is enabled) | USA |
| OpenAI, L.L.C. | GPT models, embeddings, vision (when AI is enabled) | USA |
| Google LLC (Gemini) | Gemini models for AI agents (when AI is enabled) | USA / EU |
| TikTok / ByteDance Pte. Ltd. | TikTok comments, video metadata, lead forms (when TikTok channel is connected) | Singapore / USA / EU |
| Resend Inc. | Transactional email delivery (welcome, password reset, alerts) | USA |
| Robokassa LLC | Subscription payments (when paid plan selected) | Russia |
| Apipay (Kaspi gateway) | Subscription payments via Kaspi (KZ market) | Kazakhstan |
8. Audits and certifications
We are not currently SOC 2 certified. SOC 2 Type I is on our 2026 roadmap. Penetration testing is conducted annually by an external firm; the most recent report is available under NDA upon request.
9. Reporting a vulnerability
Please report security issues to security@arzan.cloud. We acknowledge receipt within 1 business day and aim to triage within 5 business days. We do not currently run a paid bounty program but credit responsible disclosure in this section.