General Security

Security at Arcade

At Arcade, we prioritize the security and privacy of our customers. This page provides an overview of how we protect your data, what’s collected and stored, and what features are available to meet your privacy needs.

For deeper documentation or questionnaires, please contact our Support team on Intercom (bottom right help icon) or visit trust.arcade.software.

Data Collection & Storage

What data does Arcade collect?

Arcade collects only essential data to power the product, including:

• User email and name (for account management)

• Screenshots and videos captured by the user

• Optional analytics (if tracking is enabled)

We do not collect additional personal or behavioral data unless explicitly provided.

Where is Arcade data stored?

• Primary storage: Google Cloud Platform (GCP) (Iowa)

• Analytics storage: Amazon Web Services (AWS) (Virginia)

• Video hosting: Mux (used for video processing and streaming)

Images are stored in GCP buckets. Analytics data (if enabled) is stored in an AWS RDS database.

Is data encrypted?

• At rest: Yes — all data (including Firebase and RDS Postgres) is encrypted using AES-256.

• In transit: Yes — all data is encrypted using TLS 1.3.

Can I opt out of tracking?

Yes. Creators can disable tracking and IP collection via:

• Settings > Privacy > Disable tracking

• Settings > Privacy > Disable IP tracking

Arcade supports GDPR-aligned options and honors Do Not Track (DNT) browser settings.

Privacy & Visibility

Who can see my Arcades?

By default, Arcades are private. Only users with the unique link can view them — similar to an unlisted YouTube or Loom video.

However:

• If you embed an Arcade on a website, it becomes visible to anyone visiting that site.

• If an Arcade is published, it may be indexed by search engines.

Does Arcade use my data for AI training?

No. Arcade does not use any customer data (text, screenshots, video, or audio) for AI training.

We’ve signed agreements with our third-party AI providers (e.g. OpenAI, Eleven Labs) ensuring your data is never used to train their models. Inputs are only processed to fulfill your requests and are not retained for training purposes.

Enterprise customers may also request zero data retention, meaning prompts are not even logged internally.

Internal Security Controls

Who has access to customer data?

• Only select Arcade DevOps employees have access.

• No subcontractors or third-party vendors can access customer data.

How does Arcade protect internal systems?

• Employee access is role-based (RBAC) and reviewed quarterly.

• All internal services are behind a Virtual Private Cloud (VPC).

• Arcade uses Tailscale for internal access, plus SSO with MFA enforcement.

Are there controls on data usage in non-prod environments?

Yes. Confidential or customer data is never used in development or staging environments.

Vulnerability & Incident Management

How does Arcade monitor security?

• Uses Vanta and GitHub Dependabot for real-time vulnerability alerts

• Runs regular third-party penetration tests

• Applies security patches regularly

What happens if there's a security incident?

Arcade follows an internal Incident Response Plan:

• Incidents are escalated to engineering leadership

• If customer data is affected, customers are notified immediately

• Events are logged and stored for 90 days

Does Arcade have disaster recovery?

Yes. Arcade maintains a Business Continuity and Disaster Recovery (BC/DR) plan.

• RTO (Recovery Time Objective): 2 hours

• RPO (Recovery Point Objective): 4 hours

• Encrypted backups are stored securely to minimize data loss

Third-Party Vendors & Subprocessors

What vendors does Arcade use?

Arcade only uses vetted, infrastructure-level providers:

• Google Cloud Platform (GCP) – application, image storage

• Amazon Web Services (AWS) – analytics and database storage

• Cloudflare – CDN and web security

• Mux – video hosting

• Stripe – payments

These subprocessors are under contract and must meet security and privacy standards.

No customer data is shared with vendors beyond these infrastructure-level services.

Compliance & Certifications

• ✅ SOC 2 Type II compliant 🔒 (Note: Full report available upon request — may require NDA)

• ✅ Annual penetration testing and security audits

• ✅ GDPR-supporting privacy features (e.g. tracking opt-out, deletion)

• ✅ Data retention and deletion policies are available

Additional Security Features

Multi-Tenant Data Separation

All customer data is logically separated by unique team IDs. No cross-team access is permitted or technically possible without explicit invitation.

Secure Chrome Extension

Arcade’s Chrome extension only records when initiated by the user. It does not passively monitor browser activity.

Frequently Asked Questions

Can I request deletion of my data?

Yes. If you stop using Arcade or your contract ends, you can request full data deletion. Reach out to our Support team over Intercom (bottom right help icon).

Are Arcades searchable on Google?

Only if published.

Can I disable AI entirely?

Yes. AI features like Avery are opt-in and can be toggled off in your extension or script view settings. No AI is applied to your Arcade without your explicit permission.

Have More Questions?

View additional resources, request the SOC 2 report or submit a security questionnaire: https://trust.arcade.software