Security Policy

Last updated: March 31, 2026

Arca (ARCA TECHNOLOGIES, INC.) is committed to protecting the confidentiality, integrity, and availability of customer data and information assets. This Security Policy describes the administrative, technical, and organizational measures Arca uses to safeguard information processed through its services, and establishes the framework within which all security controls and practices operate.

1. Scope

This policy applies to all information assets owned, leased, or managed by Arca, including systems, applications, networks, data, and the personnel and subprocessors who access them. It governs both Arca's internal operations and the processing of customer data on behalf of Arca's clients.

2. Security Governance

Arca's leadership is responsible for establishing and maintaining the information security program. Security responsibilities are assigned to designated individuals, and security practices are reviewed at least annually. Arca's security program is designed to:

  • Align with recognized security frameworks and industry best practices
  • Address risks proportionate to the sensitivity of data processed
  • Meet contractual, regulatory, and legal obligations applicable to the business

3. Access Controls

Access to customer data and Arca systems is governed by the principle of least privilege. Access is granted only to personnel who have a documented business need and is revoked promptly upon role change or departure. Arca implements:

  • Multi-factor authentication (MFA) for access to production systems and sensitive internal tools
  • Role-based access controls (RBAC) to restrict data access based on organizational function
  • Periodic access reviews to validate that access privileges remain appropriate
  • Audit logging of access to customer data and sensitive system components

4. Data Protection

Arca uses commercially reasonable measures to protect customer data against unauthorized access, disclosure, alteration, or destruction. These include:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of customer data at rest using industry-standard encryption
  • Dedicated key management systems with appropriate access controls
  • Logical separation of customer data across customer environments

5. Use of Customer Data

Customer data is processed solely to provide and support the services as instructed by customers. Arca does not sell customer data and does not use customer data to train general-purpose machine learning models. Access to customer data by Arca personnel is limited to what is necessary for service delivery and support, and is subject to audit logging and confidentiality obligations.

6. Network and Infrastructure Security

Arca's infrastructure is hosted on reputable cloud service providers that maintain independent security certifications. Network security measures include:

  • Logical network segmentation to isolate sensitive environments from general-purpose systems
  • Firewall rules and traffic filtering to limit exposure of internal services
  • Intrusion detection and monitoring for anomalous network activity
  • Regular vulnerability scanning and patch management processes

7. Endpoint and Device Security

All devices used to access Arca systems or customer data are subject to endpoint security controls, including:

  • Mandatory device encryption
  • Screen lock and idle timeout enforcement
  • Remote wipe capability for lost or stolen devices
  • Restrictions on installation of unauthorized software on company-managed devices

8. Monitoring and Logging

Arca maintains logging and monitoring mechanisms designed to detect unauthorized access and security incidents affecting the service. Security and access logs are retained for a minimum of 90 days and reviewed as part of ongoing security operations.

9. Vulnerability Management

Arca conducts regular vulnerability assessments of its systems and applications. Identified vulnerabilities are prioritized based on severity and addressed within defined remediation timeframes. Arca applies security patches on a risk-informed schedule and conducts periodic penetration testing of customer-facing systems.

10. Security Awareness and Training

All Arca personnel receive security awareness training upon onboarding and at least annually thereafter. Training covers phishing awareness, data handling obligations, password hygiene, and incident reporting procedures. Personnel with elevated access or security responsibilities receive role-specific training.

11. Incident Response

Arca maintains an incident response process designed to identify, investigate, and respond to security incidents. In the event of a confirmed security incident affecting customer data, Arca will notify affected customers without undue delay, consistent with applicable law and contractual obligations. Details on Arca's breach notification process are available in the Incident Response Policy.

12. Infrastructure and Vendors

Arca evaluates the security posture of vendors and subprocessors prior to engagement and requires contractual commitments addressing data security, confidentiality, and incident notification. Subprocessors are reassessed periodically based on the nature and sensitivity of the data they access. A current list of subprocessors is available upon request.

13. Compliance and Audit

Arca is actively pursuing SOC 2 Type II certification and maintains compliance documentation to support customer and regulatory requirements. This policy is reviewed annually and updated to reflect changes in the threat landscape, business operations, or applicable legal requirements.

14. Contact

Security questions or concerns may be directed to: security@arca.inc

Arca 2026. All rights reserved.