Security
Last updated: June 10, 2026
Arcasya is built to handle sensitive business data and AI-driven workflows. This page describes our security architecture, infrastructure posture, and data protection practices. We believe transparency about security builds the trust that makes long-term partnerships possible.
Note: This document is a high-level overview intended for business evaluation. For security inquiries, due diligence requests, or to report a vulnerability, contact us at info@arcasya.ai.
1. Infrastructure and Hosting
Arcasya’s platform is hosted on proven cloud infrastructure providers, all operating under enterprise-grade security programs:
| Provider | Role | Security Standard |
|---|---|---|
| Vercel | Hosting and edge delivery | SOC 2 Type II |
| Supabase | Postgres database and authentication | SOC 2 Type II |
| Anthropic API | AI model inference (Claude) | SOC 2 Type II |
| xAI API | Voice model inference | SOC 2 Type II |
| Google | Workspace integration APIs | ISO 27001, SOC 2 |
These providers maintain their own security certifications and operate infrastructure with physical security controls, redundancy, and dedicated security teams.
2. Data Encryption
In Transit
- All data transmitted between your browser or application and Arcasya’s servers is encrypted using TLS 1.2 or higher.
- API endpoints enforce HTTPS exclusively. HTTP requests are redirected or rejected.
- Connections to third-party AI model providers (Anthropic, xAI) and integration APIs (Google) are made over encrypted channels.
At Rest
- All database contents stored in Supabase Postgres are encrypted at rest.
- Integration tokens and credentials are additionally encrypted at the application layer with AES-256-GCM before they are written to the database, so the provider's storage encryption is not the only control protecting them.
- Backups are encrypted using the same standards.
- Sensitive configuration values (API keys, secrets) are stored as encrypted environment variables, never in source code or plaintext config files.
3. Authentication and Access Control
- User authentication is managed through Supabase Auth, which supports email/password, magic links, and OAuth providers.
- Passwords are hashed and never stored in plaintext.
- Per-organization Row-Level Security (RLS) policies in Supabase Postgres enforce, at the database layer, that a user's queries return only rows belonging to their own organization, independent of which application code path issued the query.
- Internal administrative access to production systems is restricted to named personnel and requires multi-factor authentication (MFA).
- Access permissions follow the principle of least privilege — team members receive only the access necessary for their role.
- API keys are scoped, rotated regularly, and never exposed in client-side code or public repositories.
4. Agent Execution Security
Because Arcasya enables AI agents to take automated actions, we apply specific security controls to agent execution:
- Human approval gates are built into the platform architecture: outbound agent actions require human approval before execution.
- Append-only execution logs are maintained with timestamps, user authorization records, and output states for auditability.
- Agent configurations are scoped to organization workspaces — one organization’s agents cannot access another organization’s data or credentials.
- Webhook endpoints and third-party integrations are validated and rate-limited to prevent abuse.
- Prompt injection safeguards are applied at the application layer to reduce the risk that adversarial content in an agent's inputs alters its behavior.
5. Application Security
- Our codebase undergoes regular dependency audits using automated tooling to identify and patch known vulnerabilities.
- Input validation and output sanitization are applied throughout the platform to prevent injection attacks.
- Frontend deployments through Vercel include Content Security Policy (CSP) headers and other standard browser security controls.
- Database queries are parameterized to prevent SQL injection.
- We do not store raw payment card data. All payment processing is handled by PCI-compliant third-party processors.
6. Organizational Security
- Access to production environments is limited to essential personnel and governed by documented access policies.
- All team members and contractors are subject to confidentiality agreements covering client data.
- Security practices and access rights are reviewed periodically, including upon team member offboarding.
- We maintain an incident response plan that defines escalation paths, communication timelines, and recovery procedures.
7. Incident Response
In the event of a confirmed security incident affecting your data:
- We will notify affected clients within 72 hours of confirming a breach, consistent with applicable legal requirements.
- Notifications will include the nature of the incident, data potentially affected, steps taken to contain it, and recommended actions for you.
- A post-incident review will be conducted and a summary made available to affected clients upon request.
To report a suspected security vulnerability or incident, contact us immediately at info@arcasya.ai with the subject line: “Security Issue — [Brief Description].”
8. Subprocessors
Arcasya uses the following third-party subprocessors that may access or process client data as part of delivering the Services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | USA / EU |
| Vercel | Hosting and CDN | Global (AWS) |
| Anthropic | AI model inference (Claude API) | USA |
| xAI | Voice model inference | USA |
| Google | Workspace integration APIs | USA / Global |
| Calendly | Meeting scheduling | USA |
| Stripe (at GA) | Payment processing | USA / Global |
We will provide advance notice of material changes to this subprocessor list. Clients requiring contractual controls over subprocessor changes should request a Data Processing Agreement (DPA). See our full Subprocessor List for details.
9. Compliance Posture
- CCPA / CPRA: We comply with California privacy rights requirements as described in our Privacy Policy.
- GDPR: We handle EU personal data with appropriate safeguards. Contact us for a DPA if your use case involves EU data subjects.
- ADA / WCAG 2.1 AA: We are actively working to ensure our platform meets Web Content Accessibility Guidelines 2.1 Level AA.
- SOC 2: We have not yet completed a SOC 2 audit as an organization. Clients requiring SOC 2 attestation may review our subprocessors' reports in the interim; note that those reports cover the subprocessors' own controls, not Arcasya's application or organizational controls. We intend to pursue SOC 2 Type II as the platform scales.
10. Contact
For security questions, vulnerability reports, or due diligence requests:
True Mark Consulting, LLC DBA ArcasyaAI
23200 Deming Road, Cicero, Indiana 46034, United States
Email: info@arcasya.ai
Subject line for security matters: “Security Inquiry — [Topic]”
