Tell me more about ArborXR's platform security.

Learn more about how ArborXR secures its platform.

Written by Josh Franzen
Updated over a week ago

Content Storage

  • Content uploaded to ArborXR (.apk, .obb, .mp4, etc.) is stored encrypted at rest in a private cloud storage bucket.

  • Content is stored privately and is not available on the public internet.

  • Each action of uploading and downloading content generates an API key with a short expiration that can only be used for downloading or uploading that specific file.

  • Content downloads and uploads are done over an SSL connection using HTTPS.

  • Content installed on the VR device uses the security offered natively by Android.
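
The per-file, short-lived key described in the list above can be illustrated with an HMAC-signed grant bound to one operation, one object path and an expiry time. This is an added example, not ArborXR's code or API; the signing key, object paths, timestamp and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would keep this in a secret manager.
SIGNING_KEY = b"constructed-demo-signing-key"
OPS = ("upload", "download")


def _sign(key: bytes, op: str, path: str, expires: int) -> str:
    # op and expires never contain newlines, so this encoding is unambiguous.
    msg = f"{op}\n{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_grant(key: bytes, op: str, path: str, ttl_s: int, now: int) -> str:
    """Return 'expires.signature' valid for one operation on one object."""
    if op not in OPS:
        raise ValueError("op must be 'upload' or 'download'")
    expires = now + ttl_s
    return f"{expires}.{_sign(key, op, path, expires)}"


def check_grant(key: bytes, grant: str, op: str, path: str, now: int) -> bool:
    """Accept only an unexpired grant signed for this exact op and path."""
    try:
        expires_s, sig = grant.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed grant
    if op not in OPS or now >= expires:
        return False
    expected = _sign(key, op, path, expires)
    return hmac.compare_digest(sig.encode(), expected.encode())


def demo() -> dict:
    t0 = 1_700_000_000  # constructed timestamp
    path = "org-42/apps/trainer.apk"  # constructed object path
    grant = issue_grant(SIGNING_KEY, "download", path, 300, t0)
    forged = f"{t0 + 86400}.{grant.split('.', 1)[1]}"  # expiry edited, old signature
    return {
        "valid": check_grant(SIGNING_KEY, grant, "download", path, t0 + 60),
        "other_file": check_grant(SIGNING_KEY, grant, "download", "org-42/apps/other.apk", t0 + 60),
        "other_op": check_grant(SIGNING_KEY, grant, "upload", path, t0 + 60),
        "expired": check_grant(SIGNING_KEY, grant, "download", path, t0 + 300),
        "forged_expiry": check_grant(SIGNING_KEY, forged, "download", path, t0 + 60),
    }
```

Only the first check succeeds: the same grant is rejected for a different file, for the other operation, after expiry, and when its expiry is edited without re-signing.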

💡 NOTE: ArborXR offers the ability for customers to connect their own cloud storage bucket to isolate their content from other content on the platform. This supports any storage bucket compatible with the Amazon S3 APIs. This feature is offered with all plans, including the free and standard plans.

For more information about connecting a custom storage bucket, see this article.


  • All authentication is run through a central server that utilizes OpenID Connect.

  • The ArborXR web portal and device setup app use OpenID Connect with short-term refresh tokens that last less than 24 hours, and generate very short-term access tokens from these.

  • ArborXR's client app, installed on VR devices, uses offline tokens for refreshing but the same short-term access tokens.

  • All tokens can be revoked via the ArborXR web interface.

  • ArborXR's authentication system can integrate with existing identity providers and user federation with LDAP or Kerberos.

API / Infrastructure

  • All infrastructure is hosted on Google Cloud.

  • All databases and systems are encrypted at rest.

  • All API communication happens over SSL using GraphQL.

  • Databases and internal systems are not accessible from the public web; only our public web applications and an API gateway service are.


  • All communications are encrypted in transit with TLS 1.2 or better.

  • All data is encrypted at rest with AES-256 or better, with symmetric keys.

  • Passwords are hashed with bcrypt using a salt. They are never stored in plain text.


  • We run both SAST and DAST scanning of our source code.

  • We scan our Docker images for vulnerabilities.

  • We run network scans looking for OWASP Top 10 vulnerabilities.

  • We have automated reporting & tracking of vulnerabilities with remediation timelines enforced.
