How we protect your data
and our infrastructure.

1. Infrastructure security

The Applicare platform runs on hardened cloud infrastructure across geographically isolated availability zones. All production systems are deployed within private virtual networks with no direct public ingress. Network perimeters are enforced through layered security groups, Web Application Firewalls (WAF), and DDoS mitigation at the edge.

Servers are provisioned from immutable, version-pinned base images. Configuration drift is detected and auto-remediated by IntelliTune. Kernel-level hardening follows CIS Benchmark Level 2 baselines for Linux.

2. Compliance certifications

• — Information security management system certified across Applicare development, operations, and support.
• — All cryptographic modules are validated.
• — Data residency and access controls meet requirements for applicable customers.
• — Controls aligned to for the Defence Industrial Base.

3. Authentication and access control

• Multi-factor authentication (MFA) required for all access. SAML 2.0 and OIDC SSO supported for enterprise customers.
• Role-based access control (RBAC) enforced at the API layer. Permissions scoped to minimum required function.
• Privileged access requires just-in-time (JIT) elevation with full audit trail. No standing privileged accounts.
• Sessions time-limited. Idle sessions terminate after 15 minutes. Refresh tokens rotate on each use and revoke on sign-out.
• IAM posture continuously mapped by Applicare — escalation paths and wildcard permissions flagged in real time and queued for remediation.

4. Data protection

In transit: TLS 1.2+ enforced across all endpoints. TLS 1.0 and 1.1 disabled. Certificates are short-lived and rotated automatically.

At rest: All data encrypted with AES-256. Keys managed via dedicated KMS with automatic rotation. BYOK available for enterprise deployments.

Data isolation: Customer data logically isolated at storage and query layers. Cross-tenant access is architecturally prevented.

Data residency: Customers may elect a residency region. Data does not leave that region without explicit authorisation. Air-gapped and on-premises deployment options are available.

5. Vulnerability management

• Automated dependency scanning on every commit via Dependabot and SAST tooling.
• Container image scanning at build time and continuously in production via Applicare security posture management.
• Annual third-party penetration testing. Summary reports available to enterprise customers under NDA.
• Responsible disclosure: report vulnerabilities to security@arcturustech.com.

6. Incident response

Arcturus maintains an incident response plan aligned to industry incident response standards. Incidents are triaged within 1 hour, investigated within 4 hours, and communicated to affected customers within 24 hours of confirmation. All timelines retained in an immutable audit log.

7. Audit logging

Every access event, configuration change, and administrative action is logged immutably for a minimum of 12 months. Logs are tamper-evident and stored separately from production systems. ArcIn AI continuously correlates events against behavioural baselines, triggering automated alerts on anomalous patterns.

8. Physical security

Applicare cloud infrastructure resides in audited data centres. Physical access requires multi-factor biometric authentication, 24/7 CCTV, and mantrap entry. On-premises deployments operate within the customer's own secured environment.

9. Contact

For security enquiries, vulnerability disclosures, or to request our security documentation package:

Arcturus Technologies, Inc.
McLean, VA 22102, USA
Email: security@arcturustech.com
Phone: +1 (866) 262-7971