ArborXR Security Information

Content Storage

  • Content uploaded to ArborXR (.apk, .obb, .mp4, etc.) are stored encrypted at rest in a private cloud storage bucket.
  • Content is stored privately and is not available on the public internet.
  • Each action of uploading and downloading content generates an API key with a short expiration that can only be used for downloading or uploading that specific file.
  • Content downloads and uploads are done over an SSL connection using HTTPS.
  • Content installed on the VR device use the security offered natively by Android.
ArborXR offers the ability for customers to connect their own cloud storage system to completely isolate their content from other content on the platform. This supports any storage bucket compatible with the Amazon S3 APIs. This feature is offered with all plans, including the free and standard plans. 


  • All authentication is run through a central server that utilizes OpenID Connect.
  • The ArborXR web portal and desktop pairing app uses OpenID Connect with a short term refresh tokens that last less than 24 hours and generates very short term access tokens from these.
  • ArborXR's client app, installed on VR devices, uses offline tokens for refreshing but the same short term access tokens.
  • All tokens can be revoked via the ArborXR web interface.
  • ArborXR's authentication system can integrate with existing identity providers and user federation with LDAP or Kerberos.

API / Infrastructure

  • All infrastructure is hosted on Google Cloud.
  • All databases and systems are encrypted at rest.
  • All API communication happens over SSL using GraphQL.
  • All databases and internal systems are not accessible to the public web - only our public web applications and an API gateway service.

Have a suggestion or feature request? We'd love to hear!
Message ArborXR

Still need help? Contact Us Contact Us