Security
Transfer pricing work requires handling group financials, pricing strategies, and confidential client data. To match that responsibility, our information security management system is ISO/IEC 27001 certified, our production systems are hosted in the EU, and our controls are independently penetration tested.
Security controls
ArmsLength AI is designed for workflows where confidentiality, auditability, and reliability are non-negotiable.
ISO 27001 governance
Information security is managed through our ISO/IEC 27001-certified ISMS with risk management, controls, and continuous improvement.
EU data residency
Customer project data is stored and processed in the EU.
Encryption by default
Data is protected with encryption in transit and at rest.
Controlled access
Access is restricted to authorized personnel using least-privilege and role-based controls. Support access is limited and scoped to what is necessary.
Incident response program
Security incidents follow a documented triage, containment, and communication process. We notify affected customers within 24 hours of becoming aware of a qualifying incident.
Independent testing
We conduct annual penetration testing and continuous vulnerability management as part of our security program. Our most recent test was completed in December 2025 by BreachLock Inc. using a gray-box, OWASP-based methodology.
Infrastructure
As documented in our privacy statement, production systems are hosted on infrastructure located in Germany across the providers listed below.
| Provider | Region | Service Scope | Notes |
|---|---|---|---|
| Microsoft Azure | Germany West Central (Frankfurt) | Selected platform workloads | Provider-layer encryption and infrastructure controls. |
| Supabase (AWS) | eu-central-1 (Frankfurt) | Primary database and storage services | Daily backups with 7-day retention. |
| Vercel | EU edge delivery (Frankfurt-primary routing) | Frontend and edge delivery | HTTPS/TLS and platform-level security controls. |
We maintain contractual and policy controls for customer data handling, including subprocessors and international transfer safeguards where required. For legal-basis, transfer, retention, and subprocessor information, see our Privacy Statement.
Access model
Current controls, summarised to align with the questions asked in enterprise security questionnaires.
Admin MFA
Enforced via identity provider for SSO users. SSO with IdP-managed MFA is the recommended access method.
Role-based access
Least-privilege, role-based controls for internal access.
SSO / SAML
Available via Microsoft (Entra ID) and Google. IdP-enforced MFA recommended.
Audit log retention
Raw audit events are retained for 30 days, then anonymised. Exports are available in CSV or JSON on request.
AI integrity
Your inputs are used to generate your outputs and are not used to train foundation models. Quality improvements come from better instructions, evaluation tests, and guardrails, not from reusing client content as training material.
FAQ
How does ArmsLength AI generate outputs?
Outputs are generated from your inputs and our product logic (criteria, instructions, and guardrails) to produce consistent, reviewable TP deliverables.
No. Customer data is used only to generate that customer's outputs and is not used to train foundation models.
Projects are kept separate. We do not reuse one customer's inputs or outputs to create deliverables for another customer.
Only authorized ArmsLength AI personnel under least-privilege access controls. Support access is limited, controlled, and auditable.
Production data is hosted on managed infrastructure with provider-level resilience controls. Our Supabase setup includes daily backups with 7-day retention, and restoration procedures are part of our operational runbooks.
For security questions or evidence requests, contact us directly.