
# Security & Trust

> How Artu protects customer compliance data

Artu is built to help companies manage sensitive compliance workflows. We maintain application-level controls designed to protect customer data, limit access, and preserve auditability.

## Summary

Artu's security posture is based on five principles:

* Strong authentication for users and machine-to-machine API access
* Least-privilege authorization across environments, resources, and operations
* Tenant and environment isolation for customer data
* Audit trails for sensitive resource activity
* Defensive handling of files, errors, and public workflow surfaces

## Authentication and Access Control

Artu uses an enterprise identity provider for user authentication and supports scoped API keys for machine-to-machine access.

API keys can be scoped by environment, resource, and operation. For example, a key may be limited to read-only access in the test environment, while a production integration key can be granted only the live permissions it needs.

<Info>
  See [API Keys](/concepts/api-keys) and [Environments](/concepts/environments)
  for more detail on how access is scoped.
</Info>

## Tenant and Environment Isolation

Customer data is isolated by organization and environment using database-level tenant isolation controls.

The test and live environments are also isolated from each other, which helps teams develop and validate integrations without touching production data.

## Auditability

Artu maintains centralized audit logs for key resource operations. Audit entries include actor context, resource type, operation, request metadata, and change information where applicable.

Audit logs include tamper-evident integrity checks for each organization and environment. Customers with the appropriate permissions can retrieve audit logs and verify audit log integrity through the API.
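One common way to make a per-organization, per-environment audit log tamper-evident is a hash chain in which every entry commits to the previous one, so that editing, removing or reordering an entry breaks every later link. The code below is an added illustration, not Artu's implementation (the page does not describe the mechanism or the verification API it uses); the partition keys, field names and sample entries are assumed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first entry in every partition

def canonical(body: dict) -> bytes:
    # Deterministic serialization so the same entry always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class AuditChain:
    """Hash-chained audit log for one (organization, environment) partition (assumed layout)."""
    org_id: str
    environment: str
    entries: list = field(default_factory=list)

    def append(self, actor: str, resource_type: str, operation: str,
               metadata: dict = None, change: dict = None) -> dict:
        body = {
            "seq": len(self.entries), "org_id": self.org_id,
            "environment": self.environment, "actor": actor,
            "resource_type": resource_type, "operation": operation,
            "metadata": metadata or {}, "change": change, "prev_hash": self.head(),
        }
        entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Record this out of band: without a known head, a tail-truncated chain still verifies.
        return self.entries[-1]["hash"] if self.entries else GENESIS

def verify_chain(entries: list, org_id: str, environment: str,
                 expected_head: str = None):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq"), body.get("org_id"), body.get("environment")) != (i, org_id, environment):
            return False, i  # missing or reordered entry, or an entry from another partition
        if body.get("prev_hash") != prev_hash:
            return False, i  # link to the previous entry is broken
        if not hmac.compare_digest(hashlib.sha256(canonical(body)).hexdigest(), entry["hash"]):
            return False, i  # entry content was modified after it was written
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(entries)  # chain was truncated at the tail
    return True, None
```

The verifier reports the first entry at which the chain fails, which is what an operator needs to scope an incident; checking against a separately recorded head hash is what catches deletion of the newest entries.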

## File Handling

Customer-uploaded files are stored privately and accessed through short-lived signed URLs.

Uploaded files are validated server-side before they are accepted, and file access is scoped through Artu's authorization model.

## Error Handling and Monitoring

Artu avoids exposing internal error details to API clients. Unexpected server errors are returned with generic messages, while expected validation and permission errors are sanitized before being shown externally.

Application monitoring is configured to avoid default PII collection. Sensitive values such as credentials, tokens, internal file references, and common identity fields are redacted from exposed error messages.

## Public Workflow Protections

Public workflow and onboarding flows are protected by additional browser and abuse-protection controls: browser security headers, origin restrictions, signed webhook verification, and abuse controls on the public-facing workflows themselves.

## Secure Development Practices

Artu's development workflow includes automated checks intended to reduce supply-chain and release risk:

* Dependency security auditing for production dependencies
* Dependency vulnerability updates
* License policy checks
* Type checking, linting, and automated tests
* Public SDK bundle checks to avoid publishing internal server implementation details

## Vendor Reviews

If your team has a security questionnaire or requires additional review, contact us and we will provide the most current information about our controls, architecture, and roadmap.

## Security Questions

For security questions, vendor reviews, or responsible disclosure, contact [support@artu.ai](mailto:support@artu.ai).
