Trust & Security
Arnio processes shopper identity signals on behalf of ecommerce brands. This page covers our security posture, compliance certifications, and data protection practices.
Trust Report
arnio.co
Security, privacy, and compliance documentation.
View report →Overview
Arnio sits between your Shopify store and Klaviyo. We identify, score, and route anonymous shoppers — which means we handle sensitive behavioral and identity signals every day. Security isn't a feature here. It's a requirement.
24/7
Infrastructure monitoring
TLS 1.2+
All data in transit
AES-256
Encryption at rest
SOC 2
Audited & certified
Compliance
Resources
SOC 2 Type 2 attestation
Independent auditor attestation covering Arnio's security and availability controls.
Privacy Policy
How we collect, use, and protect your data and your shoppers' data.
Data Processing Agreement
DPA covering your obligations and ours as a data processor under GDPR.
Data Deletion Policy
How we handle deletion requests and enforce data retention limits.
Controls
The full Vanta report contains detailed evidence for each control. These are the categories most security teams ask about first.
Access control
Role-based access for all Arnio team members. Production access is limited, logged, and reviewed on a recurring basis. No standing access to production data.
Infrastructure security
Arnio's backend runs on Railway. Production environment hardening is in place across all services. No public exposure of internal systems.
Data protection
Shopper data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We apply minimal data retention policies and do not store data beyond what the service requires.
Incident response
Documented response playbooks with defined escalation paths and breach notification timelines aligned with GDPR Article 33 requirements.
Vendor management
All third-party subprocessors are reviewed before onboarding. DPA agreements are in place across the full vendor stack. The subprocessor list is available on request.
Application security
Code is reviewed before reaching production. Dependencies are scanned for known vulnerabilities. Secrets are managed through environment vaults — never hardcoded.
Access
Request access to our live Vanta trust report for additional documentation, subprocessor information, and security review materials. For privacy or DPA questions, email hello@arnio.co.