ARCAContact

Security Policy

Last updated: January 2026

Arca (ARCA TECHNOLOGIES, INC.) is committed to protecting the confidentiality, integrity, and availability of customer data. This Security Policy describes the administrative, technical, and organizational measures we use to safeguard information processed through our services.

1. Scope

This policy applies to Arca's systems, applications, infrastructure, personnel, and subprocessors involved in the provision of Arca's services.

2. Access Controls

Access to customer data is limited to authorized personnel who require access to perform their job responsibilities. Access is granted based on the principle of least privilege and is reviewed periodically.

3. Data Protection

Arca uses commercially reasonable measures designed to protect customer data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit and access controls appropriate to the sensitivity of the data.

4. Use of Customer Data

Customer data is processed solely to provide and support the services as instructed by customers. Arca does not sell customer data and does not use customer data to train general-purpose machine learning models.

5. Infrastructure and Vendors

Arca relies on reputable cloud service providers and subprocessors to operate its infrastructure. Subprocessors are subject to security and confidentiality obligations consistent with this policy. A current list of subprocessors is available upon request or via Arca's Trust Center.

6. Monitoring and Logging

Arca maintains logging and monitoring mechanisms designed to detect unauthorized access and security incidents affecting the service.

7. Incident Response

Arca maintains an incident response process designed to identify, investigate, and respond to security incidents. In the event of a confirmed security incident affecting customer data, Arca will notify affected customers without undue delay, consistent with applicable law and contractual obligations.

8. Data Retention and Deletion

Customer data is retained only as long as necessary to provide the services or as required by applicable law. Upon termination of services or upon customer request, Arca deletes customer data in accordance with its data retention practices.

9. Security Program Maturity

Arca is actively building its security program and has engaged third-party tooling to support ongoing security compliance efforts. Security controls and practices are reviewed and improved over time as the company grows.

10. Contact

Security questions or concerns may be directed to: contact@arca.inc