Security

Security of Arcweave customers’ data is a core concern. All data you store in Arcweave remains yours, and we are committed to ensuring that your data is not seen by anyone who should not see it.

Security at a glance

• Access controls and role-based permissions for workspaces and projects.
• CSRF protection on state-changing web requests.
• Clickjacking protection via Content Security Policy (frame-ancestors 'self').
• API rate limiting by user and IP address.
• reCAPTCHA v3 verification during account registration.

Data storage, uploads, and backups

Arcweave hosts user data and media on Google Cloud Platform.

• Media uploads use short-lived, signed upload policies for direct-to-cloud uploads (10 minute expiry) with enforced size and content-type constraints.
• Arcweave’s production database is backed up every 6 hours and backup archives are rotated automatically.

Account security

• Passwords are stored as hashes (bcrypt).
• Password reset tokens and email verification tokens expire after 60 minutes.
• Session cookies are HttpOnly and use SameSite=Lax.

Report a vulnerability

If you have found a security-related issue, please email support@arcweave.com or use our contact form.

• Include steps to reproduce, affected URLs, and any proof-of-concept details.
• Please avoid accessing or modifying any data that does not belong to you.