Data Security Policy
Find all information pertaining to our Data Security Policy
1 Scope
1.1 The following describes Arahi AI's Data Security Policy. This policy may be updated from time to time; however, terms effective at the time of signing a Proposal will apply throughout the duration of the applicable Term.
1.2 Defined terms provided under clause 1 of the Arahi AI SaaS Terms and Conditions shall apply to this policy.
2 Organisational Access Control
2.1 Arahi AI employees are required to comply with the company's policies and procedures. These policies include:
(a) an obligation to not disclose proprietary or confidential information (including Subscriber-related information) to unauthorised parties; and
(b) an obligation to report any known security incidents to the company's management for investigation and action.
2.2 Arahi AI employees do not have direct access to Subscriber Data, except where necessary on a need-to-know basis to undertake:
(a) technical support;
(b) system management, maintenance, backups; and
(c) other actions authorised by the Subscriber in writing.
2.3 Criminal background checks are performed for employees with access to Subscriber Data as part of the hiring process.
2.4 Arahi AI trains its employees on the importance of information security and the Company's approach to maintenance of information security. This training is conducted at the commencement of the employment and at regular intervals after commencement.
3 Cloud Infrastructure
3.1 Arahi AI engages a cloud infrastructure provider (IaaS Provider) to host data in data centre facilities.
3.2 An IaaS Provider will:
(a) only allow its staff to access information relating to or data of a Subscriber for the period of time in which a legitimate business need for such privileges exists;
(b) only allow its staff to access the cloud infrastructure under its control for the period of time in which a legitimate business need for such privileges exists;
(c) log and audit all physical access to its data centre facilities;
(d) notify Arahi AI of the location of the data centre facilities (which may be located in various global regions);
(e) monitor electrical, mechanical, and life support systems and equipment at its data centre facilities to ensure any issues are immediately identified; and
(f) perform preventative maintenance to maintain the continued operability of the electrical, mechanical, and life support systems and equipment at its data centre facilities.
3.3 All data centre facilities used by an IaaS Provider:
(a) are online and serving customers i.e., no data centre facility is "cold";
(b) in the event of failure, have automated processes to move Subscriber Data traffic away from the affected area;
(c) have backup power and environmental protection systems, which are regularly maintained and tested;
(d) have automatic fire detection and suppression equipment that has been installed to reduce risk and damage to data centre environments;
(e) have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility;
(f) have electrical power systems designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week; and
(g) are conditioned to maintain systems, monitor and control temperature and humidity at appropriate levels.
4 Technical Security Measures
4.1 The Platform will include reasonably up-to-date versions of system security agent software which will include reasonably current and tested malware protection, patches and anti-virus protection.
4.2 Arahi AI will create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver the recovery time objective (RTO) and recovery point objective (RPO), as outlined in its Service Level Policy.
4.3 Unless otherwise agreed by Arahi AI in writing, Subscribers are prohibited from performing their own penetration testing on any system of Arahi AI.
4.4 Arahi AI ensures that database infrastructure is segregated from the application servers and the internet via firewalls.
4.5 All communications are encrypted between the data exporter and the data centres using high-grade encryption (AES-256).
4.6 Access to Arahi AI's on-demand applications and services is only available:
(a) through secure sessions (HTTPS); and
(b) with an authenticated login and password.
4.7 Passwords for Arahi AI's on-demand applications and services are never transmitted or stored in their original form.
4.8 Arahi AI's application infrastructure is protected against intrusion by industry standard firewalls at the network, host, and application levels.
4.9 Several IaaS Provider instances are hosted on the same physical machine and are isolated from each other through a hypervisor layer.
4.10 IaaS Provider infrastructure has no access to raw disk devices, but instead is presented with virtualised disks.
5 Exclusions
5.1 The Platform may allow third party services interoperating with it to access, use, or otherwise process and transmit Subscriber Data.
5.2 This Data Security Policy does not apply to any processing, storage, or transmission of data outside the Platform.
5.3 Arahi AI is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of Subscriber.
5.4 The Data Security Policy excludes:
(a) data or information shared with Arahi AI that is not stored in the Platform; and
(b) data in a Subscriber's virtual private network (VPN) or a third party network other than one that is under a contract with Arahi AI to assist Arahi AI in fulfilling its obligations to that Subscriber.
5.5 Arahi AI excludes liability for any data used, processed, stored or transmitted by a Subscriber or other third parties in violation of these terms and conditions.

