Security and trust at Arkē
We help regulated businesses meet AML obligations. Our own posture has to clear the same bar. This page answers every question on a standard procurement questionnaire — no sales call required.
Data handling
Arkē's three pillars process the minimum data necessary to deliver compliance analysis. You control what you send. We process it, return results, and — by default — do not persist anything beyond the request lifecycle.
- Counterparty screening: receives entity names, jurisdiction, optional registration numbers. No full PAN, no biometric data, no full national ID required for the screening API.
- Transaction monitoring: receives transaction metadata — amounts, corridors, timestamps, counterparty references. No raw payment credentials, card numbers, or IBAN sequences are required or retained.
- SAR drafting: receives the facts you provide about the suspicious activity. The narrative is generated and returned to you. Nothing is filed on your behalf or stored without your instruction.
- Default retention: none. In the MVP tier, data is not stored beyond the request–response cycle. Growth and Scale tiers offer configurable audit-trail retention (30, 90, or 365 days) with explicit opt-in.
- Never sent to third parties: your counterparty names, transaction data, and SAR drafts are not shared with, sold to, or used to train models for any third party. OpenAI receives only the anonymised analytical prompt — see sub-processors below.
Encryption
- In transit: All traffic between clients and Arkē endpoints is encrypted with TLS 1.3. TLS 1.0 and 1.1 are disabled. Cipher suites are restricted to AEAD constructions (AES-GCM, ChaCha20-Poly1305).
- At rest: Any data persisted when the retention layer ships (Growth/Scale tiers) will be encrypted using AES-256 via the database provider's native encryption. This applies to all application data and backups.
- Key management: Encryption keys are managed via the cloud provider's KMS (Neon / Render key management infrastructure). Keys are rotated automatically. Arkē does not hold or manage raw key material outside the KMS boundary.
- API keys: Your Arkē API key is transmitted only over TLS. It is stored hashed (bcrypt) server-side. If compromised, revoke and reissue from your dashboard — the old key is invalidated within 60 seconds.
GDPR posture
Arkē operates as a data processor under GDPR Article 28. Your organisation is the data controller. You determine the purpose and means of processing. We process only on your documented instructions.
| Topic | Arkē's position |
|---|---|
| Lawful basis | Legitimate interest (compliance obligation of the controller) + contract performance. Documented in the DPA. No consent required for AML/KYC processing under AMLD6 Art. 41 and MiCAR Art. 68. |
| Processor role (Art. 28) | Arkē is a processor. A signed Data Processing Agreement (DPA) is available on request — see contact strip below. The DPA covers processing purposes, sub-processors, security measures, and audit rights. |
| Data subject rights | Rights of access, rectification, erasure, and portability are handled by you as the controller. Arkē provides data export tooling and deletion confirmation on request within 72 hours. We do not respond directly to data subjects on your behalf without your instruction. |
| International transfers | No personal data is transferred outside the EEA. All inference and storage endpoints are EU-based. GDPR Art. 44 restrictions fully observed. No Standard Contractual Clauses (SCCs) required for transfers — none occur. |
| Data minimisation | The API accepts only what you send. Arkē does not request or infer additional personal data from external sources and link it to your records without explicit configuration. |
| Breach notification | Arkē will notify you within 24 hours of becoming aware of a personal data breach affecting your data. Notification includes scope, likely consequences, and mitigation steps — sufficient for you to meet your Art. 33 obligation to your supervisory authority within 72 hours. |
Email katerinachatzikokkinou@gmail.com with the subject line "DPA request — [your company name]". We return a signed DPA within 2 business days.
Sub-processors
Arkē uses a minimal set of sub-processors. No data is sent to any service not listed here. We notify customers at least 14 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Region | DPA / status |
|---|---|---|---|
| OpenAI | AI inference — generates risk analysis, SAR narrative, and typology classification. Only the analytical prompt is sent — no raw PII, counterparty names, or transaction metadata unless included in the prompt you construct. | EU API endpoint (api.openai.com with EU data residency) | DPA |
| Render | Application hosting — runs the Arkē API and web interface. No persistent application data storage in MVP tier. | Frankfurt, EU (eu-central-1) | Privacy policy · DPA available on request |
| Postmark (ActiveCampaign) | Transactional email only — lead confirmation and internal lead notification. No screening results, SAR drafts, or counterparty data are transmitted via email. | EU | GDPR page |
| Neon (PostgreSQL) | Database — stores application configuration and, for Growth/Scale tiers with retention enabled, encrypted audit logs. Branching and point-in-time recovery enabled. | EU (AWS eu-central-1) | DPA |
| Cloudflare R2 | Static asset storage (public CSS, fonts, brand assets). No personal data or compliance output stored in R2. | EU | DPA |
Compliance roadmap
Arkē launched in 2026. We are a startup. We are not yet SOC 2 certified, nor do we hold ISO 27001. We believe in saying this plainly rather than burying it. What we do have: documented security controls, EU-only data processing, TLS 1.3, an encrypted-at-rest roadmap, and a clear path to SOC 2 Type I certification. If your procurement requires SOC 2 Type II today, we're not the right vendor yet — and we won't pretend otherwise.
EU data residency
All Arkē inference, storage, and application hosting runs inside the European Economic Area. No data leaves the EEA at any point in the processing lifecycle. This is a hard architectural constraint, not a configuration option.
- Application hosting: Render Frankfurt region (eu-central-1). The Arkē API, web interface, and all compute run in the EU.
- AI inference: OpenAI EU API endpoint. Requests are routed to OpenAI's EU infrastructure. Data is not processed outside the EEA by OpenAI under this configuration.
- Database: Neon PostgreSQL on AWS eu-central-1 (Frankfurt). All stored data, backups, and read replicas remain in EU.
- DORA Art. 28 relevance: Financial entities subject to DORA must contractually ensure their ICT third-party service providers process data in the EU (or under adequate safeguards). Arkē's EU-only architecture satisfies this requirement by design — no SCCs needed.
- MiCAR Art. 68 relevance: CASPs must ensure outsourced functions comply with applicable data protection and residency requirements. Arkē's EU processing satisfies the MiCAR outsourcing framework for compliance tooling.
Incident response
| Phase | Arkē's commitment |
|---|---|
| Detection | Infrastructure monitoring with automated alerting. Application error rates, latency, and uptime are monitored continuously. On-call rotation covers EU business hours; critical alerts escalate 24/7. |
| Notification (personal data breach) | 24-hour commitment. If a personal data breach affecting your data is confirmed, you are notified within 24 hours via your registered contact email. Notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and mitigation measures taken or proposed. This gives you sufficient time to meet your GDPR Art. 33 obligation to your supervisory authority within 72 hours. |
| Notification (service incident) | Service incidents affecting availability or data integrity are posted to the Arkē status page within 1 hour of confirmation. Status page: /status (live Q3 2026). |
| Post-mortem | Any incident that results in data exposure, data loss, or a downtime event exceeding 1 hour triggers a written post-mortem. The post-mortem is shared with affected customers within 5 business days. It includes: root cause, timeline, affected scope, and prevention measures committed. |
| Escalation path | Security incidents: security@arke.polsia.app. Reaches the security lead and an internal incident channel. Response within 4 hours during EU business hours; 24 hours outside. |
Responsible disclosure
If you find a security vulnerability in Arkē, we want to know. We commit to responding promptly, keeping you informed, and crediting researchers who report in good faith.
- Report to: security@arke.polsia.app. Encrypt sensitive reports with our PGP key (published on request).
- Acknowledgement: We acknowledge receipt within 1 business day. Initial triage assessment within 3 business days.
- Disclosure window: 90-day coordinated disclosure window from date of acknowledgement. We will fix and publish a summary within this window, or request a single extension if a fix requires significant architectural change.
- Bug bounty: No monetary bounty programme at this stage. Researchers who report valid vulnerabilities are credited publicly (with permission) in the security acknowledgements log.
- Out of scope: Social engineering, physical attacks, denial of service, vulnerabilities in third-party software outside Arkē's control, and issues already reported by another researcher.
Security research conducted in good faith, within the scope above, and reported through security@arke.polsia.app will not result in legal action by Arkē. We treat good-faith researchers as partners, not threats.
Get in touch
DPA requests, security questionnaires, and breach notifications go to the same place. Response within 2 business days.
For regulatory context, see the EU regulations coverage page and the comparison of Arkē with legacy vendors.