Security at Arcade
At Arcade, we prioritize the security and privacy of our customers. This page provides an overview of how we protect your data, what’s collected and stored, and what features are available to meet your privacy needs.
For deeper documentation or questionnaires, please contact [email protected] or visit trust.arcade.software.
Data Collection & Storage
What data does Arcade collect?
Arcade collects only essential data to power the product, including:
User email and name (for account management)
Screenshots and videos captured by the user
Optional analytics (if tracking is enabled)
We do not collect additional personal or behavioral data unless explicitly provided.
Where is Arcade data stored?
Primary storage: Google Cloud Platform (GCP) (Iowa)
Analytics storage: Amazon Web Services (AWS) (Virginia)
Video hosting: Mux (used for video processing and streaming)
Images are stored in GCP buckets. Analytics data (if enabled) is stored in an AWS RDS database.
Is data encrypted?
At rest: Yes — all data (including Firebase and RDS Postgres) is encrypted using AES-256.
In transit: Yes — all data is encrypted using TLS 1.3.
Can I opt out of tracking?
Yes. Creators can disable tracking and IP collection via:
Settings > Privacy > Disable tracking
Settings > Privacy > Disable IP tracking
Arcade supports GDPR-aligned options and honors Do Not Track (DNT) browser settings.
Privacy & Visibility
Who can see my Arcades?
By default, Arcades are private. Only users with the unique link can view them — similar to an unlisted YouTube or Loom video.
However:
If you embed an Arcade on a website, it becomes visible to anyone visiting that site.
If an Arcade is published, it may be indexed by search engines unless this is disabled.
You can disable indexing under Settings > Privacy.
Does Arcade use my data for AI training?
No. Arcade does not use any customer data (text, screenshots, video, or audio) for AI training.
We’ve signed agreements with our third-party AI providers (e.g. OpenAI, Eleven Labs) ensuring your data is never used to train their models. Inputs are only processed to fulfill your requests and are not retained for training purposes.
Enterprise customers may also request zero data retention, meaning prompts are not even logged internally.
Internal Security Controls
Who has access to customer data?
Only select Arcade DevOps employees have access.
No subcontractors or third-party vendors can access customer data.
How does Arcade protect internal systems?
Employee access is role-based (RBAC) and reviewed quarterly.
All internal services are behind a Virtual Private Cloud (VPC).
Arcade uses Tailscale for internal access, plus SSO with MFA enforcement.
Are there controls on data usage in non-prod environments?
Yes. Confidential or customer data is never used in development or staging environments.
Vulnerability & Incident Management
How does Arcade monitor security?
Uses Vanta and GitHub Dependabot for real-time vulnerability alerts
Runs regular third-party penetration tests
Applies security patches regularly
What happens if there's a security incident?
Arcade follows an internal Incident Response Plan:
Incidents are escalated to engineering leadership
If customer data is affected, customers are notified immediately
Events are logged and stored for 90 days
Does Arcade have disaster recovery?
Yes. Arcade maintains a Business Continuity and Disaster Recovery (BC/DR) plan.
RTO (Recovery Time Objective): 2 hours
RPO (Recovery Point Objective): 4 hours
Encrypted backups are stored securely to minimize data loss
Third-Party Vendors & Subprocessors
What vendors does Arcade use?
Arcade only uses vetted, infrastructure-level providers:
Google Cloud Platform (GCP) – application, image storage
Amazon Web Services (AWS) – analytics and database storage
Cloudflare – CDN and web security
Mux – video hosting
Stripe – payments
These subprocessors are under contract and must meet security and privacy standards.
No customer data is shared with vendors beyond these infrastructure-level services.
Compliance & Certifications
✅ SOC 2 Type II compliant 🔒 (Note: Full report available upon request — may require NDA)
✅ Annual penetration testing and security audits
✅ GDPR-supporting privacy features (e.g. tracking opt-out, deletion)
✅ Data retention and deletion policies are available
Additional Security Features
Multi-Tenant Data Separation
All customer data is logically separated by unique team IDs. No cross-team access is permitted or technically possible without explicit invitation.
Secure Chrome Extension
Arcade’s Chrome extension only records when initiated by the user. It does not passively monitor browser activity.
Frequently Asked Questions
Can I request deletion of my data?
Yes. If you stop using Arcade or your contract ends, you can request full data deletion. Reach out to [email protected].
Are Arcades searchable on Google?
By default, yes, if published. To prevent indexing, disable search engine access under Settings > Privacy.
Can I disable AI entirely?
Yes. AI features like Avery are opt-in and can be toggled off in your extension or script view settings. No AI is applied to your Arcade without your explicit permission.
Have More Questions?
View additional resources, request the SOC 2 report or submit a security questionnaire: https://trust.arcade.software