Arcbase← Back to Home

Security

Last updated: 26 March 2026

Security Overview

At Arcbase, security is foundational to everything we build. As a GRC platform that helps organisations manage their governance, risk, and compliance programs, we hold ourselves to the highest security standards. Our security program is designed around the principle of defence in depth, with multiple layers of protection at every level of our infrastructure and application.

This page provides an overview of the security measures we implement to protect your data. For information about how we handle your personal data, please see our Privacy Policy.

Infrastructure Security

  • Cloud hosting: Arcbase is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certified data centres, providing physical security, redundancy, and disaster recovery capabilities.
  • Network security: Our infrastructure is protected by firewalls, intrusion detection and prevention systems (IDS/IPS), and DDoS mitigation services. All traffic is routed through secure networks with network segmentation.
  • Environment isolation: Production, staging, and development environments are fully isolated. No customer data is ever used in non-production environments.
  • Redundancy and backups: Automated daily backups with point-in-time recovery. Data is replicated across geographically separated availability zones to ensure high availability and disaster resilience.
  • Monitoring: 24/7 infrastructure monitoring with automated alerts for anomalies, performance degradation, and potential security events.

Data Encryption

In Transit

All data transmitted between your browser and Arcbase is encrypted using TLS 1.3 with strong cipher suites. We enforce HTTPS across all endpoints and use HSTS headers to prevent downgrade attacks. API communications between internal services are also encrypted.

At Rest

All data stored in our databases and file storage systems is encrypted at rest using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic key rotation.

Secrets Management

Application secrets, API keys, and credentials are stored in encrypted vaults with strict access controls. Secrets are never stored in code repositories or logs.

Access Controls

Application-Level Controls

  • Role-based access control (RBAC): Arcbase implements granular role-based permissions (Admin, Risk Manager, Compliance Officer, Auditor, Executive, User) to ensure users only access data and features relevant to their role.
  • Organisation isolation: All data is scoped to individual organisations. Users in one organisation cannot access data from another organisation.
  • Session management: Secure session handling with automatic timeouts and session invalidation on password changes.
  • SSO and SAML: Available on Pro and Agency plans for integration with your existing identity provider.

Internal Controls

  • Principle of least privilege: Arcbase team members have access only to the systems and data necessary for their role. Production data access requires justified business need and management approval.
  • Audit logging: All administrative actions, data access events, and configuration changes are logged with timestamps and user identification for accountability and forensic analysis.
  • Background checks: All team members with access to customer data undergo background verification.

Compliance and Certifications

SOC 2 Type II

Currently in progress. We are working towards SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria.

GDPR Compliance

Fully compliant with the General Data Protection Regulation. We implement appropriate technical and organisational measures to protect personal data.

Digital Services Act (DSA)

Compliant with DSA requirements for transparency, content moderation, and user rights.

EU AI Act

Our AI systems are designed with transparency, human oversight, and accountability principles in accordance with the EU AI Act requirements.

Incident Response

We maintain a comprehensive incident response plan that covers detection, containment, eradication, recovery, and post-incident analysis. Our incident response process includes:

  • Detection and triage: Automated monitoring and alerting systems detect potential security incidents. A dedicated response team triages and classifies incidents by severity.
  • Containment: Immediate actions to contain the incident and prevent further impact, including isolation of affected systems.
  • Notification: In the event of a personal data breach, we will notify affected customers and relevant supervisory authorities within 72 hours as required by GDPR Article 33.
  • Recovery: Systematic restoration of affected systems and data from verified backups.
  • Post-incident review: Root cause analysis and implementation of corrective measures to prevent recurrence.

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security vulnerability in Arcbase, we ask that you:

  • Report the vulnerability to security@arcbase.com
  • Provide sufficient detail for us to reproduce and address the issue
  • Allow us a reasonable period (90 days) to address the vulnerability before public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks or other disruptive testing

Safe Harbour

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following the guidelines above. We consider security research conducted in accordance with this policy to be authorised and will work with you to understand and resolve the issue quickly.

Scope

The following are in scope for responsible disclosure:

  • The Arcbase web application (*.arcbase.com)
  • The Arcbase API
  • Authentication and authorisation mechanisms

The following are out of scope: social engineering, physical attacks, denial of service, and third-party services.

Contact

For security-related inquiries:

Security Team

Email: security@arcbase.com

Data Protection Officer

Email: privacy@arcbase.com

General Inquiries

Email: hello@arcbase.com