Arca
Security

Incident Response Policy

Last updated: March 31, 2026

Arca (ARCA TECHNOLOGIES, INC.) is committed to responding swiftly and transparently to security incidents that affect customer data. This Incident Response Policy describes how Arca detects, investigates, contains, and notifies affected parties in the event of an actual or suspected security incident.

1. Scope

This policy applies to any security event that affects the confidentiality, integrity, or availability of customer data, personal data, or Arca systems — including unauthorized access, data exposure, service disruptions caused by a security event, and infrastructure compromise. It covers all personnel, subprocessors, and third-party service providers involved in the processing or hosting of such data.

2. Definition of a Security Incident

For purposes of this policy, a “security incident” means any confirmed or reasonably suspected event that results in:

  • Unauthorized access to or acquisition of customer data or personal data
  • Unauthorized disclosure, alteration, or destruction of such data
  • Loss of availability of systems processing confidential or customer data due to a security event
  • Compromise of infrastructure, credentials, or systems that could expose customer data or disrupt service delivery

Arca classifies incidents by severity:

  • Critical (P1). Confirmed unauthorized access to or exfiltration of customer data; active compromise of production systems. Requires immediate response and customer notification.
  • High (P2). Suspected unauthorized access, credential compromise, or significant service disruption with potential data impact. Requires prompt investigation and containment.
  • Medium (P3). Anomalous activity or policy violations with limited or no confirmed data impact. Requires investigation and documentation.

3. Detection and Identification

Arca maintains monitoring, alerting, and logging systems designed to detect anomalous activity, unauthorized access attempts, and potential security incidents. Detection may also occur through:

  • Internal security reviews and audits
  • Reports from personnel or customers
  • Disclosures from subprocessors or third parties
  • Responsible disclosure from external security researchers

4. Incident Response Process

Upon detection of a potential security incident, Arca follows a structured response process:

  • Triage. The incident is assessed to determine its nature, scope, and severity. Preliminary containment steps are taken to limit further exposure.
  • Containment. Affected systems, accounts, or access paths are isolated as quickly as practicable. Credentials may be rotated and access revoked as appropriate.
  • Investigation. Arca conducts a forensic investigation to determine the root cause, extent of exposure, and categories of data affected.
  • Remediation. Vulnerabilities are addressed and controls are strengthened to prevent recurrence.
  • Post-Incident Review. A review is conducted after resolution to identify systemic improvements and update policies and controls as needed.

5. Customer Notification

In the event of a confirmed security incident affecting customer data, Arca will notify affected customers without undue delay and, where required by applicable law, within 72 hours of becoming aware of the incident. Notification will include, to the extent known at the time:

  • A description of the nature of the incident
  • The categories and approximate volume of data affected
  • The likely consequences of the incident
  • Measures taken or proposed to address the incident and mitigate its effects
  • Contact information for obtaining further information or assistance

Where full details are not immediately available, Arca will provide an initial notification and follow up with additional information as the investigation progresses.

6. Regulatory Notification

Arca will cooperate with customers in meeting applicable regulatory notification obligations, including those under GDPR, CCPA, and other applicable data protection laws. Where Arca is acting as a processor, the determination of whether a reportable incident has occurred under applicable law is the responsibility of the data controller. Arca will provide customers with the information necessary to fulfill their regulatory obligations.

7. Subprocessor Obligations

Arca requires subprocessors to notify Arca promptly upon becoming aware of any security incident affecting Arca customer data. Arca will assess such notifications, take appropriate action, and notify affected customers where required.

8. Documentation and Records

Arca maintains internal records of all security incidents, including their nature, impact, response actions taken, and outcomes. These records support ongoing security improvement efforts and may be made available to customers or regulators as required by law or contract.

9. Contact

To report a suspected security incident, contact: security@arca.inc

Transform your legal
team today.

HomeSecurityCareers

Arca 2026. All rights reserved.