Security & Trust

Arcana Research operates a B2B research panel collecting voluntary, self-reported data from enterprise IT and AI leaders. We do not handle consumer data, payment card data, protected health information, or government IDs. Our infrastructure is built on SOC 2 Type 2-attested providers and hosted entirely in the United States.

• TLS 1.2+ enforced for all traffic; HSTS enabled.
• Data encrypted at rest using provider-managed keys (AES-256).
• Passwords hashed with bcrypt; sessions signed and rotated.
• Principle of least privilege for internal access; SSO required for production console access.
• Audit logs retained for 90 days minimum.
• No third-party advertising trackers, no cross-site pixels, no data resale.

All application infrastructure runs in the United States. Static and dynamic content is served via Vercel’s edge network; persistent data lives in US-region Turso and Supabase clusters. Email is sent through Resend (US). For respondents in the EEA, UK, or Switzerland, transfers rely on the European Commission Standard Contractual Clauses; copies are available on request to privacy@arcana-research.com.

• Respondent accounts use email + password. Passwords are hashed with bcrypt (cost factor 10) and never stored or logged in plaintext.
• Password policy. Minimum 8 characters; rejects approximately 65 common and previously breached passwords (including dictionary terms, sequential keyboard patterns, and seasonal variants); rejects passwords equal to the user’s email address or local-part.
• Login rate-limiting. Per IP: 20 login attempts per 15 minutes (10 registrations per hour). Per email: 5 login attempts per 15 minutes — this second axis blocks credential-stuffing attacks that rotate IP addresses. Lockouts return HTTP 429 with a generic message; per-email lockouts emit a warning for operations review.
• Sessions are issued as cryptographically random identifiers, stored server-side in a session table, transmitted only via httpOnly + Secure + SameSite cookies, and expire after 7 days of inactivity. A daily cron job purges expired session records and stale rate-limit entries.
• Internal administrative tooling uses encrypted, signed session cookies (AES-256-GCM via the iron-session library).
• Workspace invitations use single-use, time-bound tokens that are invalidated on first acceptance.
• Single sign-on (SSO/SAML) and enterprise IdP integration for member organizations is available on request as part of paid programs.

• Collection. Account profile, research responses, and minimal technical telemetry. See /privacy for the full list.
• Use. Operate the panel; produce aggregated, de-identified research outputs. Individual responses are never attributed in published reports.
• Aggregation threshold. Results are published only when n ≥ 10 within a peer cohort. Smaller cohorts are excluded or merged with adjacent cohorts to prevent re-identification.
• Authorized participation. Participants should disclose only information they are authorized to share by their employer. Your employer's confidentiality obligations take precedence over participation in this study. Respondents are reminded of this requirement at the start of each research instrument.
• Retention. 24 months for identified responses, then aggregated and de-identified; 90 days for security and analytics logs.
• Deletion. Self-serve account deletion or by request to privacy@arcana-research.com; processed within 30 days.
• AI processing. Provider contracts with our LLM subprocessors include zero data retention and no-training terms. A redaction layer for outbound prompts is on the security roadmap (see Roadmap).

• Automated dependency scanning on every push; high-severity advisories patched within 7 days.
• Static analysis and secret scanning enforced in CI.
• Production deploys are reviewed and require passing checks.
• External penetration testing scheduled annually beginning Q3 2026.

We maintain an internal incident response runbook covering detection, containment, eradication, recovery, and notification. Confirmed incidents involving personal data are notified to affected parties without undue delay and, where required, within 72 hours of discovery, in accordance with GDPR Article 33 and applicable US state-law timelines.

Report suspected vulnerabilities or incidents to security@arcana-research.com. We support good-faith security research and will not pursue legal action for testing conducted within standard responsible-disclosure norms (no DoS, no privacy violations, no destructive testing).

• SOC 2 Type 1 readiness assessment in progress; Type 2 audit window scheduled for 2026.
• GDPR / UK GDPR — see /privacy and /legal/dpa.
• CCPA / CPRA / Colorado / Virginia / Connecticut consumer privacy laws — rights honored under the same data subject request workflow.
• Data Processing Addendum available at /legal/dpa and on request.
• CAIQ Lite questionnaire (Cloud Security Alliance) — downloadable at /security/caiq. SIG Lite available on request.

Items currently in progress or scheduled. Listed here so customers can verify our claims against real timelines:

• SOC 2 Type 2 attestation — readiness phase active; audit window 2026.
• External penetration test — first engagement scheduled for 2026.
• LLM prompt redaction layer — tokenization of identifying fields prior to outbound LLM calls; engineering in 2026.
• Cyber liability insurance — binding in 2026.

• Security issues: security@arcana-research.com
• Privacy / data subject requests: privacy@arcana-research.com
• Vendor risk and compliance review: compliance@arcana-research.com
• Legal: legal@arcana-research.com

We respond to vendor risk questionnaires (SIG Lite, CAIQ) on request from named-account procurement teams.