Last updated 24 April 2026
This page sets out the principal technical and organisational measures we apply to protect the Arcamus platform and the data it holds. It is written for procurement teams, IT and security stakeholders evaluating Arcamus, and existing customers reviewing their suppliers. We update it as our practices evolve.
If you are a customer's data protection officer or security lead and need more detail than is covered here — for example to complete a security questionnaire or due diligence pack — please contact security@arcamus.com.
Arcamus is a UK-based market intelligence platform serving regulated and security-conscious customers — NHS bodies, local authorities, professional services firms, investors and software vendors. We take security seriously because our customers do. We hold Cyber Essentials Plus certification, host on enterprise cloud infrastructure with UK/EU data residency, encrypt data in transit and at rest, and design our platform to give customers control over their information.
Cyber Essentials Plus
Arcamus is certified to Cyber Essentials Plus, the UK government-backed cybersecurity scheme administered by the National Cyber Security Centre (NCSC) through the IASME Consortium. Unlike the basic Cyber Essentials self-assessment, the "Plus" level requires hands-on technical verification of our controls by an external assessor, including vulnerability testing of our internet-facing systems, malware protection checks, and verification of patching and access controls.
Cyber Essentials Plus is widely recognised by UK public sector buyers, including the NHS and central government, as a baseline level of cyber hygiene. It is a requirement for many central government contracts and is referenced in NHS supplier assurance frameworks. We renew the certification annually.
Other assurance
Beyond Cyber Essentials Plus, we maintain a programme of internal security reviews and rely on the underlying certifications of our infrastructure providers (see "Where your data lives" below). As Arcamus grows, we expect to extend our formal assurance to additional standards relevant to our customer base — see "What we're working on next" at the end of this page.
The Arcamus platform is hosted on Vercel, a managed cloud platform that provides serverless compute, edge networking and content delivery. Vercel's underlying infrastructure runs on Amazon Web Services (AWS) — one of the most widely used and independently audited cloud providers in the world.
This is a shared-responsibility model. Vercel and AWS are responsible for the physical security of the data centres, the host operating systems, network infrastructure, and patching of the underlying compute. Arcamus is responsible for our application code, configuration, access controls, secrets management, and the data we process within the platform. Both layers are essential, and we work to high standards in our own layer while relying on Vercel's and AWS's well-established practices in theirs.
Provider certifications
Vercel maintains a comprehensive set of compliance certifications relevant to enterprise customers, including SOC 2 Type 2, ISO 27001 and HIPAA, and offers data processing terms aligned with the UK GDPR and EU GDPR. Their public security and compliance documentation is available at vercel.com/security and vercel.com/legal/dpa.
AWS, in turn, holds an extensive portfolio of certifications including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, and Cyber Essentials Plus, among many others, and provides public assurance reports through AWS Artifact.
Data residency
We configure the platform to host customer data and process requests in UK and EU regions. This means your data does not leave the UK or the European Economic Area in the ordinary course of operation. Where any limited transfer outside the UK/EEA is necessary — for example to a sub-processor that operates in the United States — we put in place the appropriate safeguards required by UK data protection law (UK International Data Transfer Agreement or EU Standard Contractual Clauses with the UK Addendum). A current list of our sub-processors and the corresponding transfer mechanisms is available at arcamus.com/subprocessors.
Encryption
All data in transit between your browser and the Arcamus platform is encrypted using Transport Layer Security (TLS) 1.2 or higher. Data at rest within the platform is encrypted using industry-standard algorithms (AES-256 or equivalent), with encryption keys managed by our cloud infrastructure providers using their hardware-backed key management services. Personal credentials are never stored in plaintext — passwords are protected using modern, salted hashing algorithms.
Access control
Access to production systems and data is restricted to a small number of authorised Arcamus personnel on a least-privilege, role-based basis and is protected by multi-factor authentication. Access is logged, reviewed periodically, and revoked promptly when no longer required. We do not permit shared accounts in production environments.
Within the platform, customer accounts are isolated. Authorised users authenticate using credentials issued to them personally; we support and recommend multi-factor authentication for customer users.
Application security
We follow secure software development practices, including code review, separation of development, test and production environments, and protection against the common web application vulnerabilities catalogued in the OWASP Top 10. Application dependencies and third-party libraries are scanned regularly for known vulnerabilities, and patches are applied on a defined cadence.
We do not use production data containing personal information in non-production environments, except under controlled conditions consistent with our data protection commitments.
Network and infrastructure security
Our infrastructure providers operate the underlying network with industry-standard protections, including segmentation between environments, distributed denial-of-service protection, and continuous monitoring. We layer additional controls on top — including web application firewall rules, rate limiting, and bot detection — to protect against scraping, automated abuse and credential-stuffing.
Backups and resilience
We maintain regular automated backups of platform data, stored in encrypted form. We test our recovery procedures so that if an incident occurs we can restore service in line with the expectations of our customers. Vercel's underlying platform offers high availability and the redundancy of AWS's global infrastructure.
Monitoring, logging and incident response
We monitor the platform for security and operational events, including logging of access to production, anomalous behaviour, and indicators of compromise. We have a documented incident response procedure covering detection, triage, containment, investigation, remediation, communication and post-incident review.
In the event of a personal data breach affecting our customers, we are committed to notifying affected customers without undue delay and in any event within 72 hours of becoming aware, in line with the UK GDPR. Our Data Processing Addendum sets out our notification commitments in full.
People and training
All Arcamus personnel are subject to confidentiality obligations and receive security and data protection training as part of induction and on a regular cadence thereafter. We follow good practice on screening and access management for personnel with access to production systems, to the extent permitted by employment law.
Endpoint security
Devices used to access Arcamus production systems are managed under our endpoint security baseline, which includes disk encryption, automatic patching, anti-malware protection, screen lock, and the ability to remotely wipe lost or stolen devices. Multi-factor authentication is required for access to corporate systems and to production.
Vendor and sub-processor management
We carry out due diligence on the suppliers and sub-processors that handle data on our behalf. We review their security and data protection posture before engagement and periodically thereafter. We require contractual data protection terms equivalent to those we offer our own customers, including a Data Processing Addendum where applicable. A current list of sub-processors that handle customer data is maintained at arcamus.com/subprocessors.
Security is a shared responsibility. The Arcamus platform provides features to help customers manage their own use of the service safely:
If you operate in a sector with specific security requirements (NHS, financial services, central government), we are happy to discuss how Arcamus can be configured to support those requirements.
We welcome reports from researchers, customers and members of the public who believe they may have identified a security issue affecting Arcamus.
If you believe you have found a vulnerability, please email support@arcamus.com with a clear description of the issue, the steps to reproduce it, and any relevant evidence. We commit to acknowledging genuine reports promptly, investigating diligently, and keeping you informed of progress where appropriate.
Please act in good faith: do not attempt to access data belonging to other users, do not run automated scans against the platform without prior agreement, and do not disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate. We will not pursue legal action against researchers who follow these principles.
For security questions, including questionnaires, due diligence requests or to discuss the security elements of an Arcamus subscription:
Email:
For data protection and privacy matters, including data subject rights requests, please see our Privacy Notice at arcamus.com.