Lean on ARC’s robust and secured information management system to provide a reliable and compliant environment for your information.
At ARC, we are dedicated to work towards security of your data and flow of information. Individuals and organizations across the globe have used our platform for millions of projects and we are committed to improve security, confidentiality, integrity and availability of your data. To be worthy of your trust, we built and will continue to grow our platform with an emphasis on security, compliance, and privacy.
Our platform’s SLA ensures 99.99% uptime for services. Databases and infrastructure are available in multiple geographic regions in the United States, allowing resilience in the face of natural disasters or service interruptions. For Compliance, a version of the platform is available in the UK to comply with Data Protection Act and privacy regulations.
Visibility and Control
Access to the platform is maintained with strict levels of control access to accounts/projects. Different permission levels include:
|Administrator||Owner or administrator of an Account has the total control on that particular Account and on all the Collections created within this Account. Only administrator can create secondary administrators. Administrator controls access to all projects, which are grouped into folders. Users can be given the following permissions: Full Control, Read Folder, Download Files, Upload Files, Create/Update Folder and Delete Folders.
Administrator has control over the projects and their settings. The Administrator has the power to delete projects and manage project team members and subscriptions.
|Secondary Administrator||Secondary administrators enjoy the same privilege as of Administrators. Multiple secondary administrators can be added, if required.|
|Employee User||Owns the licenses for the Collection. An Employee user can access all the areas of the Collection in which they have been assigned permissions.|
|Shared User||Collection partner, who can access all the areas of the Collection in which they have permission. They can upload and download the files, send and receive tasks and communications.|
|Lite User||Lite user has the ability to only view, markup and download files from the collection files library. This is the least permissive role.|
Single Sign-On (SSO)
The platform supports SSO based on the SAML 2.0 and OAuth 2.0 standards to give administrators the ability to enforce certain security and access requirements through their preferred identify provider, such as Microsoft’s Azure Active Directory and ADFS, Okta, OneLogin and more.
Application and network level controls are in place to protect against web vectors. Our security team also conducts regular web security testing.
Industry leading encryption in transit
All data transfers from a device to the platform’s secure cloud with industry standard 2048-bit SSL encryption.
Passwords are stored and transmitted securely and hashed using a strong salt. The platform’s public enterprise API utilizes the industry-standard authorization protocol OAuth 2.0.
Automated vulnerability detection
All of the platform applications are scanned weekly for vulnerabilities using industry best practices guidelines like OWASP TOP 10, CREST, SANS CWE 25 and industry advisories.
Protection against application attacks
The platform uses machine learning monitor all files uploaded and downloaded. Application alerting reports on attacks and infected files to control and to prevent attackers from exploiting application-level vulnerabilities.
Access Control: The platform hosts servers across multiple data centers with regular audits and 24*7 monitoring. Access to production systems are restricted to authorized individual only. Any individual requiring additional privilege to production environment facilities are granted through appropriate management approval. During employee exit process, these accesses are revoked.
Only Customer Organizations have full access to their customer data. Support has limited access to folders only, not customer data.
Network Security: Maintain network security and monitoring techniques to provide multiple layers of protection and defense. Industry-standard protection techniques, including firewalls, network security monitoring, and intrusion detection systems ensures only allowed traffic reaches our environment.
Fault Tolerance: For business continuity and 100 % data integrity, critical applications are protected using hardware and software fault tolerant solutions to deliver interrupted service to customers. In the event of a master server failover, secondary server takes over and there is zero downtime.
Redundancy: Warm standby servers across regions and zones ensures rapid switch over to redundant environment in the event of a disaster in any zone or region in the cloud goes offline.
Availability: We provide customers 99.9% uptime guarantee for real-time access to the latest and updated information.
DoS and DDoS Protection: The platform’s applications and infrastructure are protected against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, ensuring our high uptime. The platform has always-on detection and automatic inline mitigations to minimize application downtime and latency. Thus, shielding frequently occurring network and transport layer DDoS attacks.
Automated Vulnerability Detection: Security loopholes are scanned automatically including OWASP top 10 vulnerabilities.
Security Testing:We regularly test our infrastructure to uncover and patch vulnerabilities. We also work with third-party specialists to keep our environment safe. Potential security are assessed and fixed as reported to us by third party.
Multifactor Authentication: Access to the production environment is restricted to a few authorized personnel. Multifactor authentication is always required to access production systems.
Risk mitigation:There are no document upload restrictions to specific file types to prevent malicious code from being executed on clients or on our cloud hosting machines. However, all infected files will be quarantined. Infected files will not be accessible.
Encryption management: The platform uses encryption keys to link users to files. Each user account will have encryption keys for every file given permission to access.
Automated vulnerability detection: The platform’s infrastructure has end to end application monitoring & reporting for vulnerable packages. Vulnerable packages can not be opened.
The platform adheres to industry standard for security to share, access, and manage your content with highest level of security.
Compliant with ISO/IEC 27001:2013: ARC is compliant with the defined standards and certified with ISO/IEC 27001:2013 – Information Security Management System for management of information and information processing facilities.
SOC 2 Type 2 compliant: The platform is hosted at multiple datacenters around the world. All datacenters are SOC 2 Type 2 compliant.
Continual training program: All platform’s employees are trained on security best practices at time of hire. In addition, annual training on security best practices are provided to employees.
Third party vendor review: All 3rd party vendors are audited for compliance with ARC’s security standards.
Application and data portability: The platform provides well documented and easily accessible URL. For upload and downloads the SkySite Sync tool must install on each device accessing and available in the App Store
Third party security assessments: The platform’s applications are tested using industry leading vendors.
Payment processes are PCI compliant: The platform does not store PCI-related payment information. All sensitive data is stored by a PCI Service Provider Level 1 certified 3rd party provider.
Highly secure cloud
The platform hosts data in Amazon data centers, which is an industry leader in secure hosting facilities management. Read more about security at Amazon.
Reporting Security Vulnerabilities to SkySite
ARC aims to keep its product and services safe for everyone. Data security and privacy is of utmost priority to ARC. If you are a security researcher and have discovered a security or a privacy issue in the product or services, we appreciate your help in disclosing it to us in a responsible manner.
Our responsible disclosure process is hosted by Hackerone bug bounty program. It is a private bounty program, so If you are not one of the invited members, please report the issue to email@example.com.
A report should include: