Last reviewed: April 2026
Arkoura's infrastructure is designed with security at every layer:
Google Cloud Platform (GCP): enterprise-grade cloud hosting with VPC network isolation, IAM role-based access control, and SOC 2 / ISO 27001 certified data centers.
Cloudflare Pages: CDN delivery with built-in DDoS protection, WAF (Web Application Firewall), and TLS termination at the edge.
Firebase / Firestore: managed database with per-document security rules enforced server-side; no client can bypass them.
Google Cloud Storage: private buckets with no public access; all file access requires server-generated signed URLs.
GCP Secret Manager: all API keys, tokens, and credentials are stored in Secret Manager, never in source code or environment files.
Authentication: Firebase Authentication handles all user identity (email/password, Google, Apple) with industry-standard secure token management.
Route protection: all dashboard routes protected by middleware that validates Firebase Auth tokens on every request.
Firestore security rules: every read and write operation validates that the authenticated userId matches the document owner; cross-user data access is impossible at the database rule level.
QR token architecture: emergency profile URLs use a 12-character CSPRNG token (62 possible symbols per position, so roughly 62^12 possible values) that is non-sequential, non-guessable and decoupled from internal user IDs, preventing enumeration attacks.
Encryption at rest: AES-256 for all Firestore data and GCS file storage.
Encryption in transit: TLS 1.3 for all client-server communication.
Profile photos and documents: stored in private GCS buckets, accessed only via signed URLs with 1-hour expiry; the server verifies document ownership before generating any signed URL.
No plaintext secrets: OTPs, tokens, and sensitive values are stored as SHA-256 hashes; originals are never persisted.
Document de-identification: before any uploaded document or image is analyzed by the Arkoura AI, all personally identifiable information (PII) is automatically removed using Google Cloud Data Loss Prevention (DLP). Your health documents are anonymized before they leave your account's security boundary; this applies whether you or a family administrator uploads documents on your behalf.
Two-phase notification: Phase 1 fires an informational alert on every QR scan; Phase 2 fires a high-urgency alert only when a helper explicitly confirms an emergency.
Dual OTP for AI Insight: a public OTP is sent to the requesting party; a separate private OTP is sent exclusively to the profile holder. The profile holder must actively share their private OTP, making surprise full-journal access sessions impossible.
OTP security: 6-digit cryptographically random codes, SHA-256 hashed before storage, 1-hour expiry, single-use, 3-attempt limit before automatic session invalidation.
Session isolation: each emergency and AI Insight session is scoped to a single QR token and profile; no session can access data across profiles.
Enumeration prevention: no sequential IDs in public-facing URLs; all external identifiers are random tokens.
CORS policy: Cloud Functions restrict cross-origin requests to Arkoura domains.
Rate limiting: Cloud Functions enforce request rate limits to prevent abuse.
AI scope guardrail: the journal AI validates every incoming message against the profile scope โ prompt injection attempts to access other users' data are detected and refused.
Account quarantine: deletion requests enter a 30-day quarantine before permanent erasure, protecting against accidental or malicious account deletion.
An immutable audit log records every security-relevant event:
Emergency Mode sessions (trigger, outcome, cancellation).
AI Insight sessions (OTP generation, validation attempts, activation).
Journal entry edits and deletions.
Document uploads and access.
Family account linking and dissolution.
Account security events (password changes, new device sign-ins).
The complete audit log is accessible to the authenticated profile holder at all times within their dashboard.
To report a security vulnerability or concern:
legal@arkoura.com
Subject: "Security Report"
We commit to acknowledging reports within 48 hours.