General Security
Last updated
Was this helpful?
Last updated
Was this helpful?
At Arcade, we prioritize the security and privacy of our customers. This page provides an overview of how we protect your data, whatβs collected and stored, and what features are available to meet your privacy needs.
For deeper documentation or questionnaires, please contact support@arcade.software or visit .
Arcade collects only essential data to power the product, including:
User email and name (for account management)
Screenshots and videos captured by the user
Optional analytics (if tracking is enabled)
We do not collect additional personal or behavioral data unless explicitly provided.
Primary storage: Google Cloud Platform (GCP) (Iowa)
Analytics storage: Amazon Web Services (AWS) (Virginia)
Video hosting: Mux (used for video processing and streaming)
Images are stored in GCP buckets. Analytics data (if enabled) is stored in an AWS RDS database.
At rest: Yes β all data (including Firebase and RDS Postgres) is encrypted using AES-256.
In transit: Yes β all data is encrypted using TLS 1.3.
Yes. Creators can disable tracking and IP collection via:
Settings > Privacy > Disable tracking
Settings > Privacy > Disable IP tracking
Arcade supports GDPR-aligned options and honors Do Not Track (DNT) browser settings.
By default, Arcades are private. Only users with the unique link can view them β similar to an unlisted YouTube or Loom video.
However:
If you embed an Arcade on a website, it becomes visible to anyone visiting that site.
If an Arcade is published, it may be indexed by search engines unless this is disabled.
You can disable indexing under Settings > Privacy
.
No. Arcade does not use any customer data (text, screenshots, video, or audio) for AI training.
Weβve signed agreements with our third-party AI providers (e.g. OpenAI, Eleven Labs) ensuring your data is never used to train their models. Inputs are only processed to fulfill your requests and are not retained for training purposes.
Enterprise customers may also request zero data retention, meaning prompts are not even logged internally.
Only select Arcade DevOps employees have access.
No subcontractors or third-party vendors can access customer data.
Employee access is role-based (RBAC) and reviewed quarterly.
All internal services are behind a Virtual Private Cloud (VPC).
Arcade uses Tailscale for internal access, plus SSO with MFA enforcement.
Yes. Confidential or customer data is never used in development or staging environments.
Uses Vanta and GitHub Dependabot for real-time vulnerability alerts
Runs regular third-party penetration tests
Applies security patches regularly
Arcade follows an internal Incident Response Plan:
Incidents are escalated to engineering leadership
If customer data is affected, customers are notified immediately
Events are logged and stored for 90 days
Yes. Arcade maintains a Business Continuity and Disaster Recovery (BC/DR) plan.
RTO (Recovery Time Objective): 2 hours
RPO (Recovery Point Objective): 4 hours
Encrypted backups are stored securely to minimize data loss
Arcade only uses vetted, infrastructure-level providers:
Google Cloud Platform (GCP) β application, image storage
Amazon Web Services (AWS) β analytics and database storage
Cloudflare β CDN and web security
Mux β video hosting
Stripe β payments
These subprocessors are under contract and must meet security and privacy standards.
No customer data is shared with vendors beyond these infrastructure-level services.
β SOC 2 Type II compliant π (Note: Full report available upon request β may require NDA)
β Annual penetration testing and security audits
β GDPR-supporting privacy features (e.g. tracking opt-out, deletion)
β Data retention and deletion policies are available
All customer data is logically separated by unique team IDs. No cross-team access is permitted or technically possible without explicit invitation.
Arcadeβs Chrome extension only records when initiated by the user. It does not passively monitor browser activity.
Yes. If you stop using Arcade or your contract ends, you can request full data deletion. Reach out to support@arcade.software.
By default, yes β if published. To prevent indexing, disable search engine access under Settings > Privacy
.
Yes. AI features like Avery are opt-in and can be toggled off in your extension or script view settings. No AI is applied to your Arcade without your explicit permission.
View additional resources, request the SOC 2 report or submit a security questionnaire: