Security & data handling
Plain-English answers to the questions program IT staff and prime compliance intake teams ask before they trust a vendor with their data. This is what we actually do today — not a promissory schedule. For the full federal compliance detail (NIST SP 800-171 control-family mapping and our security-questionnaire response skeleton), see Compliance & security posture →
Last updated: June 2026. For a security review or a vendor questionnaire in your format: Team@OlenArc.com (24-hour response on business days).
1 · The essentials, at a glance
The controls every buyer checks first — and where we stand on each today.
| Control | Status |
|---|---|
| Encryption in transit | Active |
| Encryption at rest | Active |
| Multi-factor authentication (MFA) | Active |
| Least-privilege access | Active |
| Automated backups | Active |
| US data residency | Active |
| Version control & change history | Active |
| Dependency & vulnerability monitoring | Active |
2 · Your data stays yours
The part that matters most to the communities we serve.
- You own it. Everything we build for you, and the data inside it, belongs to your program. You can export it in a standard format at any time.
- We don't resell it. We never sell, rent, or share your program's data with third parties.
- We don't train AI models on it. Your data is used to run your tools — not to train general-purpose models.
- Sovereignty-aware by design. For Native-serving programs, we design with Indigenous data-governance principles (CARE / OCAP-aware) in mind — your community keeps control of its own information.
The full commitment lives on our Data Promise →
3 · Where your data lives
The infrastructure and the third-party services (subprocessors) that run behind a typical deployment. For a federal engagement, primes typically deploy into their own cloud account and we operate inside it.
| Layer | What we use |
|---|---|
| Application & database hosting | Managed US-region cloud hosting (Postgres database + web hosting) |
| Cloud infrastructure | AWS — with AWS GovCloud or Azure Government available when an engagement requires FedRAMP-Moderate inheritance |
| Transactional email | A dedicated email-delivery provider on OlenArc-verified sending domains |
| Error & uptime monitoring | Application error monitoring for fail-loud alerting |
| AI / assistant features | Enterprise LLM APIs — no client data is used to train models; AI features are optional per deployment |
The exact subprocessor list, regions, and data-flow diagram are confirmed in writing per engagement. We keep the stack deliberately small and name every service — no hidden fourth parties.
4 · If something goes wrong
A clear incident-response posture for a senior team.
- A named security lead. The founder is the designated security contact until headcount supports a dedicated role.
- Fast notification. We notify your contact (and the prime PM on a federal engagement) within 4 hours of a confirmed incident, with evidence preserved per your contract.
- Documented runbooks. We run from written runbooks with change history — but we're a small senior team, not a 24/7 network operations center, and we say so up front.
5 · What we are — and what we're not
We'd rather tell you the boundary than have you discover it in a proposal.
| Posture / certification | Status |
|---|---|
| Civilian / unclassified posture | Yes |
| FedRAMP-Moderate (inherited) | On requirement |
| NIST SP 800-171 self-assessment | In progress |
| SOC 2 / ISO 27001 | |
| CMMC certification | |
Federal compliance officers: the full NIST SP 800-171 control-family mapping and our anticipated security-questionnaire (CSQ) response are on the Compliance & security posture page.
Have a security questionnaire?
Send us your vendor-security or SIG-lite questionnaire and we'll return a completed response in your format within 5 business days (under a mutual NDA if you'd like). Email Team@OlenArc.com.