This Executive Summary is derived from the full SOC 2 Type II report prepared by an independent auditing firm. It is intended to provide a high-level overview of the audit findings for current and prospective customers of ArcaScience. This summary does not constitute the full audit report and should not be relied upon as a substitute for the complete report. The full SOC 2 Type II report is available under NDA upon request. See Section 8 for instructions on obtaining the complete report.
1. Report Overview and Scope
The SOC 2 Type II examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA). The examination evaluated the design suitability and operating effectiveness of ArcaScience's controls relevant to the Security, Availability, and Confidentiality trust service criteria throughout the twelve-month audit period.
The scope of the examination encompassed all components of the ArcaScience Benefit-Risk Analysis (BRA) Platform, including:
- The production cloud infrastructure hosted on Amazon Web Services (AWS) across EU-West (Ireland), EU-Central (Frankfurt), US-East (Virginia), and US-West (Oregon) regions
- The application layer, including all microservices, APIs, and web-based user interfaces
- Data storage systems, including relational databases, object storage, search indices, and cache layers
- The development and deployment pipeline, including source code management, CI/CD, and change management processes
- Identity and access management systems, including authentication, authorization, and session management
- Monitoring, logging, and incident response infrastructure and processes
- Business continuity and disaster recovery systems and procedures
- Corporate governance, risk management, and compliance functions supporting the platform
2. Trust Service Criteria Covered
The examination addressed three of the five AICPA Trust Service Criteria. The Processing Integrity and Privacy criteria were not included in the scope of this examination, though ArcaScience maintains controls in these areas and intends to include them in future audit cycles.
| Trust Service Criteria | Included | Description |
|---|---|---|
| Security (Common Criteria) | Included | Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems |
| Availability | Included | Information and systems are available for operation and use to meet the entity's objectives |
| Confidentiality | Included | Information designated as confidential is protected to meet the entity's objectives |
| Processing Integrity | Not in scope | System processing is complete, valid, accurate, timely, and authorized (planned for 2026 audit) |
| Privacy | Not in scope | Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives (planned for 2026 audit) |
3. Audit Period and Methodology
The examination covered the twelve-month period from January 1, 2025, through December 31, 2025. This represents ArcaScience's second consecutive SOC 2 Type II examination, following the initial Type II audit covering calendar year 2024.
3.1 Examination Methodology
The independent auditor employed the following examination procedures:
- Inquiry: Interviews with ArcaScience management, engineering, security, and operations personnel responsible for the design and operation of controls
- Inspection: Review of system documentation, policies, procedures, configuration evidence, system-generated reports, and other records
- Observation: Direct observation of control activities, including change management processes, incident response procedures, and access management workflows
- Re-performance: Independent testing of selected controls by the auditor to verify that they operated effectively throughout the audit period
- Automated testing: Use of computer-assisted audit techniques (CAATs) to test populations of system-generated evidence, including access logs, change records, and security event logs
3.2 Sampling Approach
For controls that operate on a recurring basis, the auditor selected samples from throughout the 12-month audit period using a statistically valid sampling methodology. Sample sizes were determined based on the frequency of control operation:
| Control Frequency | Population Size (Annual) | Sample Size | Sampling Method |
|---|---|---|---|
| Continuous / Automated | >10,000 | 60 items | Systematic sampling across all quarters |
| Daily | 365 | 45 items | Random sampling, minimum 10 per quarter |
| Weekly | 52 | 25 items | Random sampling, minimum 5 per quarter |
| Monthly | 12 | All 12 | Complete population |
| Quarterly | 4 | All 4 | Complete population |
| Annual | 1 | 1 | Complete population |
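The frequency-based plan above is easy to get subtly wrong in practice: a plain random draw of 45 daily records can leave one quarter with two or three items, which defeats the "minimum per quarter" rule, and a systematic draw needs a random start or it always tests the same positions. The following is an added illustration of one way to implement the table, written for this summary and not the auditor's or ArcaScience's tooling. The plan keys, the record format `(record_id, date)`, and the populations are assumptions constructed inline; the sample sizes and per-quarter minimums are the table's.

```python
import random
from datetime import date, timedelta

# Sample plan taken from the sampling table. The row keys are my own naming
# (assumption); sizes and per-quarter minimums are the table's values.
SAMPLE_PLAN = {
    "continuous": {"method": "systematic", "size": 60},
    "daily":      {"method": "random", "size": 45, "min_per_quarter": 10},
    "weekly":     {"method": "random", "size": 25, "min_per_quarter": 5},
    "monthly":    {"method": "all"},
    "quarterly":  {"method": "all"},
    "annual":     {"method": "all"},
}


def quarter_of(d):
    """Calendar quarter (1-4) of a date."""
    return (d.month - 1) // 3 + 1


def select_sample(records, frequency, seed=0):
    """Pick the records to test for a control of the given frequency.

    `records` is a list of (record_id, date) tuples covering the audit period.
    Returns the selected subset, sorted by date. Raises ValueError when a
    quarter holds fewer records than the plan's minimum, because that is an
    evidence gap the auditor must raise rather than sample around.
    """
    plan = SAMPLE_PLAN[frequency]
    rng = random.Random(seed)
    ordered = sorted(records, key=lambda r: (r[1], r[0]))

    if plan["method"] == "all" or len(ordered) <= plan["size"]:
        # Population small enough to test in full (the "complete population" rows).
        return ordered

    if plan["method"] == "systematic":
        # Fixed interval through the date-ordered population with a random
        # start, so the 60 items are spread evenly over all four quarters.
        step = len(ordered) / plan["size"]
        start = rng.uniform(0, step)
        return [ordered[int(start + i * step)] for i in range(plan["size"])]

    # Stratified random: satisfy the per-quarter minimum first, then fill the
    # remainder from whatever is left, all without replacement.
    by_quarter = {q: [] for q in (1, 2, 3, 4)}
    for rec in ordered:
        by_quarter[quarter_of(rec[1])].append(rec)
    chosen = []
    for q, bucket in by_quarter.items():
        if len(bucket) < plan["min_per_quarter"]:
            raise ValueError(
                f"Q{q} has {len(bucket)} records, plan needs {plan['min_per_quarter']}"
            )
        chosen.extend(rng.sample(bucket, plan["min_per_quarter"]))
    remaining = [r for r in ordered if r not in chosen]
    chosen.extend(rng.sample(remaining, plan["size"] - len(chosen)))
    return sorted(chosen, key=lambda r: (r[1], r[0]))


def quarter_counts(sample):
    """Number of sampled records per quarter; the coverage check a reviewer runs."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for _, d in sample:
        counts[quarter_of(d)] += 1
    return counts


def constructed_population(frequency, year=2025):
    """Constructed example populations for one audit year (not real evidence)."""
    start = date(year, 1, 1)
    if frequency == "daily":
        return [(f"daily-{i:03d}", start + timedelta(days=i)) for i in range(365)]
    if frequency == "weekly":
        return [(f"weekly-{i:02d}", start + timedelta(weeks=i)) for i in range(52)]
    if frequency == "continuous":
        # About 33 automated runs per day, 12,045 records in the year.
        return [(f"auto-{i:05d}", start + timedelta(days=i // 33)) for i in range(365 * 33)]
    if frequency == "monthly":
        return [(f"monthly-{m:02d}", date(year, m, 1)) for m in range(1, 13)]
    raise ValueError(frequency)


if __name__ == "__main__":
    daily = select_sample(constructed_population("daily"), "daily", seed=1)
    print(len(daily), quarter_counts(daily))
```

Two points worth noting when reading a report's sampling section against this: the seed is recorded so the selection is reproducible for a re-performance, and the `ValueError` path is where a "control did not operate in Q3" finding comes from, which a sampler that silently draws from the rest of the year would hide.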
4. System Description: ArcaScience BRA Platform
The ArcaScience Benefit-Risk Analysis (BRA) Platform is a cloud-based software-as-a-service (SaaS) application that enables pharmaceutical companies, contract research organizations, and regulatory agencies to conduct structured, quantitative benefit-risk assessments for pharmaceutical products throughout their lifecycle. The platform integrates clinical trial data, pharmacovigilance signals, real-world evidence, and regulatory intelligence to support evidence-based decision-making.
4.1 System Components
The system comprises the following principal components:
- Web application: A browser-based user interface for creating, managing, and reviewing benefit-risk analyses, built on a modern JavaScript framework with server-side rendering
- API layer: RESTful API services providing programmatic access to platform functionality, secured with OAuth 2.0 bearer token authentication
- AI/ML engine: Machine learning models for automated data extraction, signal detection, preference modeling, and sensitivity analysis, deployed as containerized services
- Data integration layer: Connectors and ETL pipelines for ingesting data from clinical trial management systems, safety databases, literature databases, and regulatory intelligence feeds
- Reporting engine: Automated generation of regulatory-grade reports in PDF, DOCX, and structured XML formats suitable for eCTD submissions
- Audit and compliance module: ALCOA+ compliant audit trail, electronic signature management, and regulatory workflow enforcement
4.2 Infrastructure Overview
The platform is hosted on Amazon Web Services (AWS) using a containerized microservices architecture deployed on Amazon Elastic Kubernetes Service (EKS). The infrastructure is deployed across multiple Availability Zones within each region, with active-passive disaster recovery to a secondary AWS region. All infrastructure is managed through Infrastructure as Code (Terraform) with automated deployment pipelines.
4.3 Customer Base
As of December 31, 2025, the ArcaScience BRA Platform served 47 customer organizations across 18 countries, including 8 of the top 20 global pharmaceutical companies by revenue, 12 mid-size biopharmaceutical companies, 15 contract research organizations, and 12 regulatory consultancies. The platform processes data related to over 300 pharmaceutical products across all major therapeutic areas.
5. Control Categories Assessed
The auditor examined 142 specific controls organized across 9 control categories. The following provides a summary of each category, the number of controls examined, and the assessment results.
| Control Category | Controls Examined | Operating Effectively | Exceptions | Control Areas Covered |
|---|---|---|---|---|
| CC1: Control Environment | 14 | All 14 | 0 | Governance structure, organizational commitment to integrity and ethical values, board oversight, management philosophy, human resources policies, accountability for internal controls. Includes security steering committee operations, CISO reporting structure, and security-aware hiring practices. |
| CC2: Communication and Information | 12 | All 12 | 0 | Internal and external communication of security policies, incident escalation procedures, customer notification processes, status page operations, and information quality management. Includes security awareness training program and customer trust portal. |
| CC3: Risk Assessment | 11 | All 11 | 0 | Risk identification, assessment, and management processes including annual enterprise risk assessment, threat modeling for new features, vendor risk assessment, and continuous vulnerability scanning with risk-based prioritization. |
| CC4: Monitoring Activities | 10 | All 10 | 0 | Ongoing monitoring of internal controls, SIEM operations, security metrics dashboards, quarterly management reviews of security posture, internal audit activities, and continuous compliance monitoring. |
| CC5: Control Activities | 18 | All 18 | 0 | Policies and procedures supporting control objectives including information security policy framework, acceptable use policies, data classification and handling procedures, change management process, and segregation of duties enforcement. |
| CC6: Logical and Physical Access Controls | 28 | All 28 | 0 | User authentication (MFA, SSO), role-based access control, session management, privileged access management, network segmentation, firewall rules, encryption at rest and in transit, key management, quarterly access reviews, and automated deprovisioning. |
| CC7: System Operations | 22 | All 22 | 0 | Infrastructure monitoring, vulnerability management (SAST, DAST, SCA, penetration testing), patch management, incident detection and response, malware protection, DDoS mitigation, WAF management, and security event logging and correlation. |
| CC8: Change Management | 15 | All 15 | 0 | Software development lifecycle controls, code review requirements, automated testing (unit, integration, security), infrastructure-as-code change management, deployment approval workflows, rollback procedures, and emergency change management. |
| CC9: Risk Mitigation (including the Availability A1 and Confidentiality C1 criteria) | 12 | All 12 | 0 | Vendor management, business continuity planning, disaster recovery procedures (RTO 4h, RPO 1h), backup and restoration testing, data confidentiality controls, data classification enforcement, confidential data disposal procedures, and NDA management. |
6. Key Findings Summary
Independent Auditor's Opinion
In our opinion, in all material respects, based on the criteria described in ArcaScience's assertion:
(a) The description of ArcaScience's Benefit-Risk Analysis Platform system fairly presents the system that was designed and implemented throughout the period January 1, 2025, to December 31, 2025, in accordance with the description criteria.
(b) The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust service criteria would be met if the controls operated effectively throughout the period January 1, 2025, to December 31, 2025, and the user entities applied the complementary user entity controls assumed in the design of ArcaScience's controls.
(c) The controls operated effectively to provide reasonable assurance that the applicable trust service criteria were met throughout the period January 1, 2025, to December 31, 2025.
6.1 Overall Assessment
The examination identified zero (0) control exceptions across all 142 controls tested during the 12-month audit period. All controls were found to be suitably designed and operating effectively throughout the entire examination period. This represents a continuation of the clean opinion received in the prior year's SOC 2 Type II examination.
6.2 Notable Strengths
While all control areas met the applicable trust service criteria, the auditor noted several areas of particular strength:
| Area | Notable Strength |
|---|---|
| Access Management | 100% MFA adoption across all user accounts with no exceptions observed; SCIM-based automated provisioning/deprovisioning reduced access management lag to under 15 minutes for SSO-enabled customers |
| Encryption | AES-256-GCM encryption verified across all data stores with per-tenant key isolation; TLS 1.3 enforced for 100% of external connections; BYOK option available for enterprise customers |
| Change Management | 100% of production deployments passed through automated CI/CD pipeline with mandatory code review, automated security testing (SAST/DAST), and approval gates; zero unauthorized changes detected |
| Incident Response | Mean time to detect (MTTD) security events was 4.2 minutes during the audit period; all security incidents were resolved within SLA timelines; quarterly tabletop exercises and semi-annual DR failover tests completed on schedule |
| Vulnerability Management | Critical vulnerabilities remediated in a mean of 18.3 hours (against a 24-hour SLA); annual penetration test and quarterly targeted assessments completed with all findings remediated; active bug bounty program with 100% of valid findings addressed |
| Availability | Platform achieved 99.98% uptime during the audit period, exceeding the 99.95% SLA target; successful DR failover test demonstrated full recovery within 2.1 hours (against a 4-hour RTO) |
6.3 Year-over-Year Improvements
Compared to the prior year's SOC 2 Type II examination, the auditor noted the following improvements in ArcaScience's control environment:
- Expanded scope: The 2025 examination included 142 controls, up from 118 in the 2024 examination, reflecting the maturation of the control environment and the addition of controls for new platform features and infrastructure components.
- Enhanced monitoring: Implementation of a new SIEM platform with over 400 detection rules (up from 280 in the prior year), including machine learning-based user behavior analytics.
- Improved disaster recovery: Reduction of actual failover time from 3.4 hours (2024 test) to 2.1 hours (2025 test), demonstrating continuous improvement in recovery capabilities.
- Strengthened vendor management: Implementation of continuous monitoring for critical vendors, replacing the previous annual-review-only approach.
- Additional certifications: Progress toward ISO 27001 certification with completion of the Statement of Applicability and gap assessment (formal certification expected Q3 2026).
6.4 Complementary User Entity Controls
The auditor's opinion assumes that customer organizations (user entities) have implemented certain complementary controls necessary for the overall security of the system. These include:
- Restricting access to the Platform to authorized personnel and promptly revoking access for terminated employees
- Maintaining the confidentiality of user credentials and MFA devices
- Configuring access policies within their ArcaScience tenant in accordance with organizational security requirements
- Reviewing and acting upon security notifications and advisories from ArcaScience
- Reporting suspected security incidents to ArcaScience promptly
- Ensuring that data uploaded to the Platform complies with applicable data protection regulations
7. Management's Assertion
ArcaScience's management is responsible for:
- Preparing the description of the ArcaScience BRA Platform system and its assertion that the description is presented in accordance with the description criteria and that the controls were suitably designed and operating effectively
- Having a reasonable basis for the assertion, including designing, implementing, and documenting the controls
- Selecting the applicable trust service criteria and stating the applicable trust service criteria in the assertion
- Identifying the risks that threaten the achievement of the control objectives stated in the description
"ArcaScience is committed to maintaining the highest standards of security, availability, and confidentiality for the data our customers entrust to us. Our SOC 2 Type II report with zero exceptions reflects the security-first culture we have built across every team and function. We view this not as a destination but as a continuous journey, and we are committed to expanding our compliance program in 2026 with the addition of ISO 27001 certification and expanded trust service criteria coverage."
— Chief Information Security Officer, ArcaScience SAS
7.1 Continuous Compliance Commitment
ArcaScience operates a continuous compliance monitoring program that ensures controls remain effective between formal audit periods. Key elements of this program include:
- Automated evidence collection: Compliance evidence is automatically gathered from production systems on a continuous basis, reducing manual effort and ensuring completeness
- Real-time compliance dashboards: Internal dashboards track the status of all 142 controls in real time, with automated alerts for any control deviations
- Monthly compliance reviews: The Security Steering Committee reviews compliance metrics monthly, including any policy exceptions, audit findings, and remediation progress
- Readiness assessments: Internal control assessments are conducted quarterly to identify and address potential issues before the next external audit
7.2 2026 Compliance Roadmap
ArcaScience has established the following compliance objectives for 2026:
| Objective | Target Date | Status |
|---|---|---|
| ISO 27001:2022 certification | Q3 2026 | In progress |
| SOC 2 Type II with Processing Integrity criteria | Q1 2027 (for 2026 period) | Planning |
| SOC 2 Type II with Privacy criteria | Q1 2027 (for 2026 period) | Planning |
| CSA STAR Level 2 certification | Q4 2026 | Assessment |
| HDS certification (direct, not inherited) | Q4 2026 | Planning |
8. How to Request the Full Report
The full SOC 2 Type II report, including the independent auditor's detailed report, system description, management's assertion, control descriptions, test procedures, and results of testing, is available to current customers, prospective customers in active evaluation, and their designated advisors. The full report is provided under the terms of a Non-Disclosure Agreement.
8.1 For Current Customers
Current ArcaScience customers can request the full SOC 2 Type II report through the following channels:
- Customer Trust Portal: Log in to the ArcaScience platform and navigate to Settings > Security & Compliance > Compliance Documents. The most recent SOC 2 report is available for download directly.
- Customer Success Manager: Contact your assigned Customer Success Manager, who can facilitate access to the report and arrange a walkthrough session with our security team if desired.
- Email: Send a request to compliance@arcascience.ai from a registered customer email address. Reports are typically provided within 2 business days.
8.2 For Prospective Customers
Prospective customers evaluating the ArcaScience platform can request the full SOC 2 Type II report by:
- Contacting our sales team: Email sales@arcascience.ai or complete the contact form at arcascience.ai/contact and indicate your interest in reviewing the SOC 2 report.
- During security review: If you are conducting a security assessment as part of your vendor evaluation process, your procurement or information security team can request the report directly from trust@arcascience.ai.
In both cases, ArcaScience will provide the report following execution of a mutual NDA or, if the prospective customer's standard NDA covers audit reports, upon confirmation of applicable coverage.
8.3 Additional Compliance Resources
In addition to the SOC 2 Type II report, ArcaScience makes the following compliance resources available upon request:
- Completed security questionnaires (SIG, CAIQ, custom formats accepted)
- Penetration test executive summary (most recent)
- Data Processing Agreement template (GDPR Article 28 compliant)
- Business Associate Agreement template (HIPAA compliant)
- ArcaScience Security Architecture whitepaper
- ISO 27001 Statement of Applicability
- 21 CFR Part 11 compliance assessment
- GDPR compliance documentation
9. Contact Information
Compliance and audit requests: compliance@arcascience.ai
Security questionnaires and trust documentation: trust@arcascience.ai
Data Protection Officer: dpo@arcascience.ai
General security inquiries: security@arcascience.ai
Sales inquiries: sales@arcascience.ai
Web: arcascience.ai/security-compliance
42 Rue de Lisbonne
75008 Paris, France
General: +33 1 XX XX XX XX | Web: arcascience.ai
Learn More About ArcaScience Security
Our security team is available to discuss our compliance posture, answer your security questionnaires, and provide detailed technical briefings.