Trust & Security
Arodus connects to your books to score vendor risk. Here is exactly what we read, what we never touch, how it is protected, and what does and does not leave your account.
We connect through OAuth with read-only permission and read two object types. Nothing else. We can never write to, change, or delete anything in your books.
Vendor records
Name, legal name, category, address, contact details, and account number. Used to build your vendor list and resolve duplicates, so AWS East and Amazon Web Services become one vendor with one score.
Bill and payment records
Vendor, invoice date, payment date, and amount. We ingest at the bill level and do not currently read line-item or SKU detail. Used to verify active relationships and calculate rolling 12-month spend.
We never read payroll, income statements, balance sheets, bank account details, or employee records. The connection is read-only, so nothing in your ERP can be modified.
Arodus runs a network where signals from many buyers sharpen risk and ratings for everyone. The boundary is strict, and it is worth reading closely.
Never leaves your account
Your raw ERP records, your company identity, and your specific spend figures. These stay isolated to your account and are never shown to other customers.
Shared as network signal
When you review a vendor, it appears to other buyers of that vendor in anonymized but attributed form: not your name or company, but your role and a verified spend band, so others can judge relevance. Reviews are weighted by verified spend.
Encrypted in transit
All data moving to and from Arodus uses TLS 1.2 or higher.
Encrypted at rest
Stored data is encrypted with AES-256.
Read-only access
We connect via OAuth with read-only scope, and you can revoke access from your ERP at any time.
Credential security
Connection credentials sit in encrypted secrets management and are never logged in plaintext.
Access control
Production access is limited on a need-to-know basis, with regular security reviews and testing.
Breach notice and SOC 2
We notify you within 72 hours of a breach affecting your data. Our SOC 2 Type II examination is in progress.
Revoke and delete anytime
Disconnect your ERP from your settings or from inside your ERP, and syncing stops immediately. On cancellation or request, your account and ERP data are deleted within 30 days.
Documents on request
For your security review, we can provide a Data Processing Addendum, our current sub-processor list, and a completed security questionnaire. Email security@arodus.com.
Questions about security or data handling? Email security@arodus.com or privacy@arodus.com and we will respond.
© 2026 Arodus. All rights reserved.