ArborXR Security Information
- Content uploaded to ArborXR (apk, mp4, etc.) are stored encrypted at rest in a private cloud storage bucket.
- Content is stored privately and is not available on the public internet.
- Each action of uploading and downloading content generates an API key with a short expiration that can only be used for downloading or uploading that specific file.
- Content downloads and uploads are done over an SSL connection using HTTPS.
- ArborXR does not not offer a DRM solution so content installed on the VR device are using the security offered natively by Android.
- All authentication is run through a central server that utilizes OpenID Connect.
- The ArborXR web portal and desktop pairing app uses OpenID Connect with a short term refresh tokens that last less than 24 hours and generates very short term access tokens from these.
- ArborXR's client app, installed on VR devices, uses offline tokens for refreshing but the same short term access tokens.
- All tokens can be revoked via the ArborXR web interface.
- ArborXR's authentication system can integrate with existing identity providers and user federation with LDAP or Kerberos.
API / Infrastructure
- All infrastructure is hosted on Google Cloud.
- All databases and systems are encrypted at rest.
- All API communication happens over SSL using GraphQL.
- All databases and internal systems are not accessible to the public web - only our public web applications and an API gateway service.