1 · The essentials, at a glance

The controls every buyer checks first — and where we stand on each today.

Encryption in transitActive TLS / HTTPS on every connection
Encryption at restActive Managed AES-256 at the database & storage layer
Multi-factor authentication (MFA)Active Enforced on all admin and cloud-provider accounts
Least-privilege accessActive Role-based access in the app; per-engagement scoping
Automated backupsActive Managed daily backups; recovery tested per engagement
US data residencyActive Data hosted in US regions — no offshore storage or offshore staff
Version control & change historyActive All code in Git; every change reviewed and traceable
Dependency & vulnerability monitoringActive Automated dependency and CVE scanning

2 · Your data stays yours

The part that matters most to the communities we serve — and the reason programs choose us.

  • You own it. Everything we build for you, and the data inside it, belongs to your program. You can export it in a standard format at any time.
  • We don't resell it. We never sell, rent, or share your program's data with third parties.
  • We don't train AI models on it. Your data is used to run your tools — not to train general-purpose models.
  • Sovereignty-aware by design. For Native-serving programs, we design with Indigenous data-governance principles (CARE / OCAP-aware) in mind — your community keeps control of its own information.

The full commitment lives on our Data Promise →

3 · Where your data lives

The infrastructure and the third-party services (subprocessors) that run behind a typical deployment. For a federal engagement, primes typically deploy into their own cloud account and we operate inside it.

LayerWhat we use
Application & database hostingManaged US-region cloud hosting (Postgres database + web hosting)
Cloud infrastructureAWS — with AWS GovCloud or Azure Government available when an engagement requires FedRAMP-Moderate inheritance
Transactional emailA dedicated email-delivery provider on OlenArc-verified sending domains
Error & uptime monitoringApplication error monitoring for fail-loud alerting
AI / assistant featuresEnterprise LLM APIs — no client data is used to train models; AI features are optional per deployment

The exact subprocessor list, regions, and data-flow diagram are confirmed in writing per engagement. We keep the stack deliberately small and name every service — no hidden fourth parties.

4 · If something goes wrong

An honest incident-response posture for a senior team.

  • A named security lead. The founder is the designated security contact until headcount supports a dedicated role.
  • Fast notification. We notify your contact (and the prime PM on a federal engagement) within 4 hours of a confirmed incident, with evidence preserved per your contract.
  • Documented runbooks. We run from written runbooks with change history — but we're a small senior team, not a 24/7 network operations center, and we say so up front.

5 · What we are — and what we're not

We'd rather tell you the boundary than have you discover it in a proposal.

Civilian / unclassified postureYes We build civilian-agency software; we do not handle classified data or hold clearances
FedRAMP-Moderate (inherited)On requirement Inherited via AWS GovCloud / Azure Government — we are not a Cloud Service Provider
NIST SP 800-171 self-assessmentIn progress Targeted Q4 2026 · SPRS submission Q1 2027
SOC 2 / ISO 27001Not held — not pursued at current scale (revisited as we grow)
CMMC certificationNot pursued — monitored for DoD CUI work; civilian-agency work does not require it

Federal compliance officers: the full NIST SP 800-171 control-family mapping and our anticipated security-questionnaire (CSQ) response are on the Compliance & security posture page.

Have a security questionnaire?

Send us your vendor-security or SIG-lite questionnaire and we'll return a completed response in your format within 5 business days (under a mutual NDA if you'd like). Email Team@OlenArc.com.