Security at ARCY
Infrastructure, API key handling, compliance status, and responsible disclosure.
Infrastructure
ARCY runs entirely on AWS. All data is encrypted in transit (TLS 1.2+) and at rest. Database access is private and does not traverse the public internet.
API key security
ARCY issues two keys per integration:
Publishable key (pk_live_...): Safe in client-side code. Used to bootstrap sessions and identify your app.
Secret key (sk_live_...): Server-side and CLI only. Never sent to the browser. Required for arcy push, arcy pull, and arcy rm.
Secret keys are hashed before storage. The plaintext key is shown once at creation time. If a key is compromised, rotate it from your dashboard under Settings > API Keys. The old key is revoked immediately.
Compliance
| Standard | Status |
|---|---|
| GDPR | In progress. DPA available on request at contact@arcyai.com. |
| CCPA | Planned post-launch. |
| SOC 2 Type II | In progress. |
| External penetration test | Scheduled June 2026. |
ARCY is a pre-launch beta. Enterprise customers and customers in regulated industries can request our security questionnaire or DPA by emailing contact@arcyai.com. We respond within 24 hours.
If you are in a regulated industry (HealthTech, FinTech, Government) with specific compliance requirements, email contact@arcyai.com before signing up. We will tell you directly whether we can meet your requirements at this stage.
Responsible disclosure
If you discover a vulnerability in the ARCY SDK or platform:
Email: contact@arcyai.com
Initial response: Within 48 hours.
Triage and resolution: Within 7 days for confirmed issues.
Please do not disclose vulnerabilities publicly until we have had time to assess and patch the issue.
In scope: ARCY platform API, ARCY SDK (@arcyai/sdk), frontend applications at arcyai.com and subdomains, authentication and authorization bypasses, cross-organization data access.
Out of scope: Third-party services (AWS, Clerk, Resend), social engineering, physical security.