Security at ARSA

Built for the most sensitive data there is

Face data deserves stricter engineering than ordinary application data. Here is exactly how the ARSA Face Recognition API protects it — no vague claims, just the architecture.

0
photos stored — embeddings only
1
isolated face database per account
100%
of requests logged, quota-checked & rate-limited

Biometric Data Protection

Embedding-only storage

Registered faces are stored as irreversible numerical embeddings — never as photographs. An embedding cannot be reconstructed into the original image.

Transient image processing

Images sent for recognition, verification, analytics, and liveness are processed in memory and discarded once the response is returned. Active-liveness videos are deleted immediately after analysis.

Isolated face databases

Every account gets its own isolated face database. No cross-tenant queries, no shared galleries — your registered faces are matchable only by your API key.

No model training on your data

Your images and embeddings are never used to train our models, never sold, and never shared.

API & Account Security

HTTPS-only transport

All API and dashboard traffic is encrypted in transit with TLS. API keys travel in headers, never in URLs.

API keys with instant revocation

Unique per-account API keys with a display-safe prefix. Regenerate from the dashboard in one click — the old key stops working immediately.

bcrypt password hashing

Account passwords are stored only as salted bcrypt hashes. OAuth sign-in via Google or GitHub is available if you prefer no password at all.

Short-lived JWT sessions

Dashboard sessions use short-lived access tokens with refresh token rotation, validated on every request.

Rate limiting & quota enforcement

Per-plan rate limits and monthly quotas are enforced server-side on every call, containing abuse and capping the blast radius of a leaked key. Login and sensitive account actions are rate-limited separately.

Platform Hardening

Security headers on every response

X-Frame-Options: DENY, X-Content-Type-Options: nosniff, XSS protection, and strict referrer policy are applied by middleware across the platform.

Strict input validation

Uploads are validated by content (magic bytes), not just extension, with a 10 MB size cap. Face IDs are format-validated to prevent injection.

Restricted CORS

Cross-origin access is limited to explicitly configured origins.

Encrypted ML models

The face recognition models themselves are stored encrypted and decrypted only at runtime.

Visibility & Accountability

Full request logging

Every API request is logged with endpoint, status, latency, and key prefix — visible to you in the dashboard for anomaly spotting.

Authentication event trail

Logins, failed attempts, and password resets are recorded with IP and timestamp.

Admin audit logs

Administrative actions on the platform are captured in an immutable audit trail.

Self-service data deletion

Delete a single face or wipe your entire face database with one API call — effective immediately, no support ticket required.

Security for your users, too

Protecting stored data is half the job — the other half is making sure the face in front of the camera is real. Every plan includes passive liveness detection against photo, screen, and mask spoofs, and active livenesswith server-generated head-pose challenges that pre-recorded media and deepfakes can't predict.

Read how these defenses counter real attacks in our guides to deepfake and injection attacks and API key security.

Compliance posture

The architecture above — embedding-only storage, transient processing, per-tenant isolation, self-service deletion — is designed to support your obligations under biometric data regulations, including the EU GDPR and Indonesia's UU PDP. Details of what we collect and how long we keep it are in our Privacy Policy.

Need data residency or full infrastructure control? The ARSA Face SDK is available for self-hosted deployment contact us to discuss on-premise options.

Responsible disclosure

Found a vulnerability? We want to hear about it. Email hello@arsa.technology with the details and we will respond promptly. Please give us reasonable time to remediate before public disclosure.

Evaluate it yourself

Start on the free tier, inspect the request logs, test the liveness endpoints against your own spoof attempts — then decide.