Data Lifecycle Policy
Last updated: March 31, 2026
Arca (ARCA TECHNOLOGIES, INC.) maintains a Data Lifecycle Policy to ensure that data assets are properly classified, governed, retained, and recoverable throughout their full lifecycle. This policy covers how Arca manages data from the point of collection through storage, use, backup, and secure deletion — and applies to all data processed in connection with the delivery of Arca's services.
1. Scope
This policy applies to all data assets owned, processed, or managed by Arca, including customer data, operational data, infrastructure data, security logs, and internal business records. It covers all personnel, subprocessors, and systems involved in the storage and management of such data.
2. Data Classification
Arca classifies data into the following tiers to ensure appropriate handling and protection controls are applied:
- Confidential. Customer data, legal documents, integration-sourced content, AI outputs, and any data subject to contractual or regulatory restrictions. Requires the highest level of access controls, encryption, and audit logging.
- Internal. Operational data, internal communications, system configurations, and business records accessible only to authorized Arca personnel.
- Public. Marketing materials, publicly available documentation, and information intentionally released for general access.
Data classification governs how data is stored, transmitted, accessed, and disposed of at end of life.
3. Data Ownership and Stewardship
Customer data remains the property of the customer at all times. Arca acts as a data processor and does not assert ownership over data provided by or on behalf of customers. Arca designates internal data stewards responsible for overseeing the integrity, security, and proper use of each data category.
Data stewards are accountable for ensuring that classification labels are applied accurately and that handling practices conform to this policy and applicable contractual obligations.
4. Lifecycle Stages
Arca manages data through defined lifecycle stages, each governed by controls appropriate to the data's classification:
- Collection. Data is collected only for specified, legitimate purposes and limited to what is necessary for service delivery.
- Storage. Data is stored in systems that enforce appropriate security controls, physical and logical isolation, and access management. Confidential data is encrypted in transit and at rest, subject to role-based access controls, and accessible only to personnel with a documented business need.
- Use. Data is used solely for the purposes for which it was collected or as authorized by the customer. Customer data is not used for model training, shared with unauthorized third parties, or retained beyond agreed-upon retention periods.
- Sharing. Data is shared only with authorized subprocessors or parties under contractual protections.
- Deletion. Data is deleted or destroyed in a manner consistent with its classification, applicable retention schedules, and customer instructions.
5. Data Retention
Arca retains data only for as long as necessary to fulfill the purpose for which it was collected, meet contractual obligations, or comply with applicable legal requirements.
- Customer data is retained for the duration of the active service agreement and deleted within a defined period following termination, except where retention is required by law or contract.
- Integration-sourced content accessed through authorized connectors is retained only to the extent necessary for service delivery, including supporting ongoing workflows and customer-accessible history, and is not retained beyond what is required for those purposes.
- Security and access logs are retained for a minimum of 90 days and up to 12 months depending on system sensitivity. Audit logs are retained for a minimum of 12 months.
- Application performance and error logs are retained for up to 90 days and used solely for operational and diagnostic purposes.
- Internal business records are retained in accordance with applicable legal requirements and Arca's internal record-keeping schedule.
Customers may request deletion of their data at any time. Arca fulfills such requests in accordance with contractual commitments and applicable law.
6. Secure Deletion and Destruction
When data reaches the end of its retention period or a deletion request is fulfilled, Arca ensures data is deleted or destroyed in a manner that prevents recovery:
- Digital data is deleted using secure methods that render it unrecoverable.
- Deletion is performed across all environments, including primary storage, backups, and any replicated instances.
- Data stored in backups is addressed in accordance with Arca's backup rotation and expiration schedules.
7. Backup and Recovery
Arca maintains automated backup and recovery capabilities to ensure data availability and integrity in the event of accidental loss, system failure, or disaster.
- Database backups are performed at least daily, with point-in-time recovery supported for critical customer data environments.
- Backups are stored in geographically separate locations from primary data and encrypted at rest and in transit.
- Access to backup systems is restricted to authorized personnel under the same access control principles as production systems.
- Backup retention periods are aligned with Arca's overall data retention commitments; backups are automatically expired and securely deleted upon reaching the end of their retention period.
Arca's backup program is designed to meet defined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) appropriate to the criticality of each system. Recovery procedures are tested periodically — at least annually — to validate that data can be successfully restored within defined objectives.
In the event of a significant data loss event, Arca will assess scope and cause, activate recovery procedures, restore services from the most recent clean backup state, and communicate with affected customers if service availability or data integrity is materially impacted.
8. Third-Party and Subprocessor Obligations
Subprocessors and third-party vendors who access or process Arca data are required to maintain data management and retention practices consistent with the requirements of this policy. Arca conducts vendor assessments and requires contractual commitments addressing data security, confidentiality, appropriate use, and timely deletion.
9. Compliance and Review
This policy is reviewed at frequent intervals and updated to reflect changes in regulatory requirements, business operations, or security best practices. Personnel with data management responsibilities receive training appropriate to their role.
10. Contact
Questions about this policy or data deletion requests may be directed to: security@arca.inc