Every ARCG Systems customer can ask for, and receive, the security and compliance artifacts their legal team requires — in the format they expect.
Security · availability · processing integrity · confidentiality. Remediation phase targeting completion in FY2026. Interim: Type I available under NDA.
Request current status letter →Standard DPA + GDPR / CCPA data-subject rights, data-transfer SCCs where applicable. Counter-signed within one business day of request.
Request signed DPA →Standard Master Services Agreement and statement-of-work template attached to every Operator proposal. Redline-friendly.
Request templates →Business Associate Agreement for MedPilot deployments. Required before any PHI touches the platform. Limited availability in Operator tier; broader rollout after SOC 2 Type II.
Request BAA discussion →Targeting FedRAMP Moderate equivalency for GovCon workloads. Currently tracked against NIST 800-171 and CMMC Level 2 controls under ARCG Systems as an SDVOSB.
Request current control matrix →Per-workspace retention. Workspace reset purges localStorage, cached analytics, saved campaign state. Full account deletion on request; 30-day verifiable purge window.
Public retention policy →Every state change (approvals, secret reads, workspace mutations, webhook deliveries) written to an append-only audit log. UI surface in Phase 2; log schema already in SELF_SETUP_SQL_AND_API_SPEC.md §19.1.
SIG Lite, CAIQ, CIS, and custom vendor questionnaires. Turnaround ≤ 5 business days under a signed NDA.
Submit questionnaire →Current subprocessors — Stripe (billing), Cloudflare (edge + Workers), Postmark (transactional email), Basin (form intake), Tidio (chat). Full DPAs in place with each. Updated on change, notice-first.
General liability + professional liability + cyber liability. COIs issued per customer request within one business day.
Request COI →