Built Secure. Built for Trust.
Every feature in Arcus is engineered to meet the rigorous security demands of enterprise AI governance — from encrypted data storage to role-based access control and full audit trails.
Data Encryption
All data stored and transmitted through Arcus is encrypted using industry-standard protocols — the same standards used by leading financial institutions and government agencies.
AES-256 Encryption at Rest
All customer data, AI system records, compliance documents, and assessment results are encrypted at rest using AES-256 — the gold standard for data security, used by governments and banks worldwide.
TLS 1.2+ Encryption in Transit
Every data transfer between your browser and Arcus servers is encrypted using TLS 1.2 or higher. No data is ever transmitted in plain text.
Encrypted Database Backups
All database backups are automatically encrypted. Your compliance data is protected not just in production but across all backup and recovery systems.
End-to-End Data Isolation
Each organization's data is fully isolated at the database level using Row-Level Security. No customer can ever access another customer's data — by design, not just by policy.
Access Control & Authentication
Arcus enforces strict access controls at every layer — from how your team logs in to exactly what each member can see and do.
Role-Based Access Control
Three permission tiers — Admin, Member, and Viewer — ensure each team member accesses only what they need. Permissions are enforced server-side, not just in the UI.
Complete Activity Audit Logs
Every action taken within your Arcus organization is logged with timestamp, user, and action type. The full audit trail is available for compliance reviews and security incidents.
Secure Session Management
Sessions are managed server-side with automatic expiry. Authentication tokens are rotated regularly and invalidated on logout across all devices.
Infrastructure & Operations
Arcus is built on enterprise-grade infrastructure with multiple layers of protection against unauthorized access, data loss, and service disruption.
Geo-Blocking
Access controls restrict platform access based on geographic rules, providing an additional layer of protection against unauthorized access from high-risk regions.
Server-Side Business Logic
All critical compliance logic, assessment engines, and data processing run server-side. Client-side code never has direct access to sensitive processing or raw compliance data.
Multi-Tenant Data Isolation
Arcus uses a strict multi-tenant architecture with complete data isolation between organizations. Row-Level Security at the database layer ensures separation is enforced at the lowest possible level.
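As an added illustration of the approach described above (not Arcus's own schema or policies), this is how per-organization isolation is typically expressed with PostgreSQL Row-Level Security, the database the page says Arcus runs on via Supabase; the table name, column names and the `app.current_org` session setting are assumptions for the example.

```sql
-- Illustrative multi-tenant isolation with PostgreSQL Row-Level Security.
-- Assumed names: table ai_system_records, column organization_id, and a
-- per-request session setting app.current_org set by the application.

CREATE TABLE ai_system_records (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    name            text NOT NULL
);

-- Enable RLS. FORCE also applies the policies to the table owner, so an
-- application role that happens to own the table cannot silently bypass them.
ALTER TABLE ai_system_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_system_records FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible or writable only when its
-- organization_id matches the caller's organization. USING filters existing
-- rows; WITH CHECK rejects INSERT/UPDATE that would land in another org.
-- NULLIF turns an unset/empty setting into NULL, so the comparison is false
-- and no rows match (deny by default rather than exposing everything).
CREATE POLICY org_isolation ON ai_system_records
    FOR ALL
    USING (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per request, inside a transaction: the application pins the tenant, and
-- every subsequent query in that transaction is scoped to it.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, name FROM ai_system_records;   -- only that organization's rows
COMMIT;

-- Defender's check: superusers and roles with BYPASSRLS ignore every policy,
-- so the application's connection role must have neither attribute.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The last query is the one to run when validating an "isolation at the database level" claim: a policy only isolates tenants if the role the application connects with is actually subject to it.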
Automated Security Monitoring
Infrastructure is continuously monitored for anomalous activity, unauthorized access attempts, and performance degradation. Alerts are triggered automatically for security-relevant events.
Compliance & Data Protection
Arcus is built to meet the data protection requirements of the markets we serve.
AES-256 Encryption
Industry-standard AES-256 encryption is active across all data storage and processing systems.
GDPR
Data processing practices comply with EU General Data Protection Regulation requirements. A Data Processing Agreement (DPA) is available on request for enterprise and government customers.
Data Residency & Storage
We are transparent about where your data is stored and how it is managed.
Arcus infrastructure is hosted on Supabase, an enterprise-grade database platform built on PostgreSQL. Your data is stored in secure, redundant data centers.
All data transfers between regions are encrypted using TLS 1.2+ as described above.
For customers with specific data sovereignty requirements — particularly government or regulated industry customers — contact us at [email protected] to discuss dedicated deployment options.
Responsible Disclosure
We take security seriously. If you discover a vulnerability in Arcus, we want to know about it: please report it to us responsibly before public disclosure.
Subject line: [SECURITY] Brief description of issue
We commit to:
- Acknowledging your report within 2 business days
- Keeping you informed of our investigation progress
- Not taking legal action against good-faith security researchers
- Crediting researchers who responsibly disclose valid issues
Please do not access, modify, or delete customer data during your research. Provide enough detail for us to reproduce and verify the issue.
Questions about security?
Our team is happy to discuss our security posture, provide documentation for your procurement process, or answer specific questions about how we protect your data.