Updated January 2025

Privacy Policy

This policy describes how Arcliance handles personal information, controlled technical data, and operational telemetry generated by the export compliance platform.

1. Data We Collect

We collect information necessary to operate an export compliance platform and fulfill regulatory requirements:

  • Account data: names, work contact details, job titles, authentication identifiers, and administrative role assignments.
  • Operational data: transaction records, classification results, restricted party screening logs, training attestations, corrective action tracking, and uploaded technical data that may be subject to ITAR/EAR.
  • Diagnostic data: audit logs, API usage, device and browser metadata, and support tickets required to troubleshoot issues or demonstrate control effectiveness.

2. How We Use Data

  • Provide, secure, and support the Services, including automated monitoring for anomalous access.
  • Comply with legal obligations such as ITAR retention (minimum 5 years) and EAR Part 762 recordkeeping.
  • Develop product improvements based on aggregated, de-identified usage metrics.
  • Communicate service announcements, roadmap updates, or regulatory advisories relevant to your deployment.

We do not sell data or use Customer Data for advertising. Processing occurs under the lawful bases of contract performance, legitimate interest in securing the Services, and compliance with legal obligations.

3. Subprocessors and International Transfers

Arcliance operates on FedRAMP Moderate-aligned infrastructure within the United States. Limited subprocessors may operate in allied jurisdictions (Canada, EU, UK) for redundant monitoring and support. Each subprocessor signs data protection agreements, is pursuing SOC 2 Type II certification, and is bound by contractual flow-downs mirroring ITAR 124.8(5) and GDPR Article 28.

Cross-border transfers leverage Standard Contractual Clauses and the EU-U.S. Data Privacy Framework where applicable. Customers requiring sovereign deployments can request regional isolation.

4. Security and Retention

Customer Data is encrypted using FIPS 140-2 validated ciphers in transit (TLS 1.3) and at rest (AES-256). Key management is handled through dedicated Hardware Security Modules with quarterly rotation. Access is restricted via least privilege, mandatory MFA, and continuous monitoring aligned to NIST 800-171 and CMMC Level 2 practices.

Unless a longer retention period is required by law or contract, data is deleted or anonymized within 90 days after termination. Immutable audit logs may be retained for up to seven years to satisfy government inquiries.

5. Data Subject Rights

Depending on jurisdiction, individuals may request access, correction, deletion, or portability of their personal data. Arcliance acts as a processor for most Customer Data; therefore, requests should be directed to your employer or the organization controlling the export authorization. We will assist controllers in fulfilling requests within 30 days.

6. Incident Response and Notifications

We maintain a 24/7 incident response program with defined playbooks for ITAR/EAR reporting, state breach laws, and contractual SLAs. We will notify Customers without undue delay, and always within 72 hours, after we confirm a security incident that affects their data. Notifications include scope, containment steps, and recommendations for downstream notifications to DDTC, BIS, or impacted data subjects.

7. Contact

Questions related to privacy or data processing should be directed to privacy@arcliance.com or Arcliance Privacy Office, Seattle, WA. You may also contact our EU representative at EuRep Compliance BV, Keizersgracht 391A, 1016 EJ Amsterdam, Netherlands.