Privacy Policy

arcform is a UK-based software company providing a web-based B2B SaaS product for engineering governance, architecture decision records, review workflows, approvals, and decision lineage tracking.

For account administration and service operations, arcform generally acts as a data controller. For decision content and organisation data submitted by customers, arcform generally acts as a data processor on behalf of the customer organisation.

Account information

We collect account details such as name, work email address, organisation membership, authentication identifiers, and sign-in metadata required to manage access to the service.

Organisation data

We store organisation, project, membership, and governance configuration data needed to operate the product, including review policies, ownership assignments, and workflow settings.

Decision content

We process decision records and related content created by your organisation, including titles, summaries, rationale, status, approval history, comments, and supersession lineage.

Usage data

We collect service usage and diagnostic information such as timestamps, page interactions, device/browser details, IP addresses, error logs, and audit events to maintain security, reliability, and product performance.

Integration data (GitHub, Slack)

If you connect integrations, we process the minimum data needed to provide those features, including OAuth tokens, workspace or repository identifiers, and message or event metadata required for GitHub integration, Slack notifications, and workflow automation.

We use information to provide, secure, support, and improve arcform, including to:

• create and manage user accounts and organisation access;
• operate review workflows, approvals, and supersession tracking;
• send product emails and service notifications, including security and operational notices;
• deliver GitHub and Slack integration features requested by customers;
• monitor performance, investigate incidents, and prevent misuse;
• comply with legal obligations and enforce our terms.

We do not sell personal data, use customer data for advertising, or resell customer data to third parties.

Where UK GDPR applies, we rely on the following legal bases (as relevant to the processing activity):

• Contract: to provide the service, authenticate users, process decision records, and support customer requests.
• Legitimate interests: to secure the service, prevent abuse, maintain auditability, and improve reliability and usability.
• Legal obligation: where we must retain or disclose data to comply with applicable law or lawful requests.
• Consent: where consent is required for specific optional processing activities (if used).

Hosted on AWS (EU region)

arcform is hosted on Amazon Web Services (AWS), with primary data storage in the EU (London, eu-west-2), including services such as Amazon Cognito for authentication and DynamoDB for application data.

Encryption in transit (HTTPS)

Data is encrypted in transit using HTTPS/TLS. We use standard security controls designed to protect data from unauthorised access, alteration, disclosure, or loss.

Role-based access

Access to customer data is restricted using role-based access controls and operational permissions. We limit internal access to what is necessary to operate, support, and secure the service.

We retain data for as long as needed to provide the service, meet contractual obligations, maintain security records, and comply with legal requirements.

Account and organisation data is typically retained while the account or subscription remains active. Following deletion or termination, we delete or anonymise data within a reasonable period, subject to backup cycles, audit requirements, and legal obligations.

We use trusted processors to operate the service. Current categories include:

AWS

Hosting, authentication (including Cognito), storage, and core infrastructure services in the AWS EU region.

GitHub

OAuth-based integration for repository and workflow features requested by customer organisations.

Slack

OAuth-based integration for notifications and workflow messaging requested by customer organisations.

We may also use email delivery providers to send product and operational emails. We review processors for security and data protection commitments appropriate to their role.

Our primary hosting is in the UK/EU region. Some processors or subprocessors may process data outside the UK. Where international transfers occur, we use appropriate safeguards, such as contractual protections, to support lawful transfers under applicable data protection law.

Where UK GDPR applies, individuals may have rights including:

• access to personal data;
• rectification of inaccurate data;
• erasure in certain circumstances;
• restriction of processing;
• objection to processing based on legitimate interests;
• data portability where applicable;
• withdrawal of consent where processing relies on consent.

You may also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

If arcform acts as a processor for your organisation's decision content, please contact your organisation administrator first. We will assist customers with rights requests as required.

Organisation administrators can request deletion of organisation data, and individual users can request deletion of their account data, subject to contractual, security, and legal retention requirements.

To request deletion, contact us using the details below. We may verify authority before processing requests, especially for organisation-level deletions.

If you have questions about this Privacy Policy or data protection in arcform, contact us at:

hello@arcform.dev

For general product information, you can also return to the arcform homepage.