Your business runs on the data you keep in ARC — sales, customers, accounts. This Security Policy describes, in plain language, how ARC protects that data. Formal processor commitments are in the Data Processing Agreement.
1. Encryption
- In transit: every connection to ARC — browser, POS, mobile app, API — is encrypted with TLS (HTTPS). Plain HTTP is not served.
- At rest: databases, uploaded files, and backups are stored encrypted on our cloud infrastructure (DigitalOcean, Frankfurt, EU).
2. Accounts and authentication
- Passwords are stored only as strong one-way hashes — nobody at ARC can read your password.
- Platform administrator accounts (ARC staff) require two-factor authentication; sensitive operator actions require a second administrator's approval.
- Login and other sensitive endpoints are rate-limited to slow down credential-guessing attacks.
- POS cashiers use PIN-scoped access that cannot reach management functions.
3. Workspace isolation and access control
- Every customer workspace lives in its own database schema — tenant data is structurally separated, not just filtered.
- Inside your workspace, role-based permissions control what each staff member can see and do (e.g. payroll data has its own permission that ordinary accounting access never grants).
- ARC operator access to customer data is restricted to a small set of authorised staff, used only for support and maintenance, and audit-logged.
4. Backups and recovery
- Automated encrypted backups run daily, retained on a 30-day rolling window in the same region.
- Restore procedures are tested periodically; recovery objectives are part of our internal Backup & Disaster Recovery plan.
5. Monitoring and incident response
- Errors and security events are monitored continuously (including automated error reporting), and audit logs record sensitive actions across the platform.
- We maintain an internal Incident Response Plan. If an incident affects your personal data, we notify you without undue delay — within 72 hours of becoming aware — with what happened, what is affected, and what we are doing (see the DPA).
6. Development practices
- Changes ship through code review and automated tests; production deployments require operator approval.
- Payment card data is handled by PCI-DSS-compliant providers (Stripe, Whish Money) and never touches ARC's servers.
- AI features are read-only by design against your books; any AI-proposed record requires your explicit confirmation, and payroll data is never sent to the AI provider.
7. Responsible disclosure
If you believe you have found a security vulnerability in ARC, please email arc7solutions@gmail.com with details. Give us reasonable time to fix the issue before disclosing it publicly, do not access other tenants' data, and we will not pursue good-faith research conducted under these rules.
