How we protect your business data. Plain-English answers, no marketing fluff.
TLS 1.3 in transit, AES-256 at rest. All traffic served over HTTPS via Cloudflare.
Access enforced at the database layer, not the app layer. Each query is scoped to your workspace and your role automatically.
Workspace owners, admins, and members each see only what they're allowed to. Roles live in a dedicated table to prevent privilege escalation.
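One way database-layer scoping with a dedicated roles table can look in Postgres row-level security, as an added example (not this service's actual schema). Every table, column, type and function name below is hypothetical; `auth.uid()` is the Supabase helper that returns the signed-in user's id.

```sql
-- Hypothetical schema: all names here are assumptions for illustration.
create type app_role as enum ('owner', 'admin', 'member');

-- Roles live in their own table, not as a column on a user-editable profile row.
create table workspace_roles (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         app_role not null,
  primary key (workspace_id, user_id)
);

create table records (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text
);

alter table workspace_roles enable row level security;
alter table records         enable row level security;

-- SECURITY DEFINER lets policies consult workspace_roles without re-entering
-- that table's own RLS, which would otherwise recurse.
create function has_role(ws uuid, allowed app_role[])
returns boolean language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from public.workspace_roles r
    where r.workspace_id = ws
      and r.user_id = auth.uid()
      and r.role = any (allowed)
  );
$$;

-- Any role in the workspace may read its records; other users get zero rows.
create policy records_select on records for select
  using (has_role(workspace_id, array['owner','admin','member']::app_role[]));
-- Only owners and admins may delete.
create policy records_delete on records for delete
  using (has_role(workspace_id, array['owner','admin']::app_role[]));

-- Users may read their own role row.
create policy roles_select on workspace_roles for select
  using (user_id = auth.uid());
-- Only an owner may insert, change or remove role rows. No policy gives
-- members write access here, so a member cannot promote themselves.
create policy roles_write on workspace_roles for all
  using (has_role(workspace_id, array['owner']::app_role[]))
  with check (has_role(workspace_id, array['owner']::app_role[]));
```

Because the checks live in policies, a query such as `select * from records` returns only the caller's workspace rows even if application code omits a `where` clause.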
Card data never touches our servers. Payments are handled by Paddle, a PCI-DSS Level 1 merchant of record.
The database is backed up automatically every 24 hours, with point-in-time recovery available.
GDPR-compliant infrastructure. Data residency available in EU or US regions.
Sensitive actions - sign-ins, role changes, billing events, data exports - are recorded in an append-only audit log.
Passwords are checked against the Have I Been Pwned database at signup and on change. Compromised passwords are rejected.
Optional TOTP-based 2FA via any authenticator app (Google Authenticator, 1Password, Authy). Enrol from Settings → Security.
We email you on new sign-ins from unfamiliar IPs, password changes, and 2FA enable/disable so account takeovers are visible immediately.
Download a JSON copy of your profile and the records you created at any time from Settings → Security. GDPR / DSAR compliant.
Delete your account from Settings → Security. Solo workspaces are removed; backups are purged within 90 days.
For teams with internal security or procurement requirements.
Sign in via Okta, Azure AD / Entra ID, Google Workspace, or any SAML 2.0 provider. Available on request for Pro and Advisory plans.
GDPR-compliant DPA available for all paid plans. Email us and we'll send it the same day.
Owners can export the workspace audit log as CSV for internal compliance reviews.
Third-party services we use to deliver oI. Each has its own security controls.
| Service | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, storage | EU / US |
| Cloudflare | CDN, DDoS protection, edge runtime | Global |
| Paddle | Payments, tax, invoicing (Merchant of Record) | Global |
| Resend | Transactional email | US / EU |
| Lovable | Application hosting | EU / US |
Not yet. SOC 2 Type I is on our roadmap and will be pursued once enterprise demand justifies the audit cost. Our underlying infrastructure providers (Supabase, Cloudflare, Paddle) are SOC 2 Type II certified, and our security controls are designed to be SOC 2-ready.
In encrypted databases on AWS infrastructure managed by Supabase. EU and US regions are available. Email us before signup if you need a specific region.
Yes. You can export your data anytime from Settings. Account deletion permanently removes your data within 30 days, with backups purged within 90 days.
Email security@arcset.ca. We respond within one business day.