Trust Center

Transparency, Verification, and Compliance Documentation

The ArcaScience Trust Center provides your procurement, legal, and IT security teams with direct access to our certifications, compliance documentation, and security architecture details. Everything you need to evaluate and approve ArcaScience for your organization.

Current Compliance Posture

ArcaScience maintains active certifications and compliance programs across the regulatory frameworks required by pharmaceutical organizations worldwide.

Certified

ISO 27001:2022

Information Security Management System (ISMS) certified. Covers the design, development, and operation of the ArcaScience benefit-risk analysis platform.

Annual surveillance audits · Full recertification every 3 years

Audited

SOC 2 Type II

Independently audited controls for security, availability, and confidentiality. Report covers the platform's operational environment, control objectives, and test results over a 12-month observation period.

Report available under NDA · Executive summary on request

Compliant

GDPR Compliance

EU data protection fully implemented. Data Protection Officer appointed. Standard DPA and Standard Contractual Clauses available. Compliant with EU-US Data Privacy Framework (DPF) for transatlantic data transfers.

Paris-headquartered · DPO: dpo@arcascience.ai

Validated

FDA 21 CFR Part 11

Electronic records and electronic signatures validated per FDA requirements. Immutable audit trails, system validation (IQ/OQ/PQ), and GAMP 5-aligned change control processes.

Validated electronic records & signatures · Full audit trail

Aligned

GxP Compliance

Good Practice alignment across GCP (Good Clinical Practice), GVP (Good Pharmacovigilance Practice), and GLP (Good Laboratory Practice). Platform workflows designed to support regulated pharmaceutical processes.

GCP · GVP · GLP aligned workflows

Compliant

HIPAA

Business Associate Agreement (BAA) available for US clients. Protected Health Information (PHI) handled per HIPAA Security Rule requirements, including technical, administrative, and physical safeguards.

BAA available · PHI safeguards per Security Rule

Compliance & Security Documents

Access the documentation your procurement, legal, and IT security teams need to evaluate ArcaScience. Request access to receive documents directly from our security team.

ISO 27001 Certificate

Current ISO 27001:2022 certification issued by an accredited certification body. Includes scope of certification and validity dates.

SOC 2 Type II Report (Latest Period)

Full independent auditor's report on security, availability, and confidentiality controls. Covers the most recent 12-month observation period. Available under NDA.

Penetration Test Executive Summary

Executive summary of the most recent annual penetration test conducted by an independent third-party security firm. Includes scope, methodology, and findings overview.

Sub-Processor List

Complete list of third-party sub-processors with access to client data, including entity name, location, purpose, and data processed. Updated per GDPR Article 28 requirements.

Data Processing Agreement (DPA) Template

Pre-approved DPA template compliant with GDPR Article 28. Includes Standard Contractual Clauses, sub-processor list annex, and technical/organizational measures.

Business Associate Agreement (BAA) Template

Standard BAA for US clients processing Protected Health Information. Defines obligations under HIPAA Privacy and Security Rules. Available for execution prior to PHI processing.

HIPAA Compliance Documentation

Detailed documentation of ArcaScience's HIPAA Security Rule implementation, including technical safeguards, administrative safeguards, and breach notification procedures.

Platform Security Architecture Whitepaper

Comprehensive technical overview of ArcaScience's security architecture, encryption standards, access controls, incident response, and compliance posture. Designed for IT security evaluation.

Disaster Recovery & Business Continuity Plan Summary

Summary of DR/BCP capabilities including RTO/RPO targets, backup strategy, geographic redundancy, and semi-annual testing results.

Data Retention & Deletion Policy

Documented policy covering data retention schedules, deletion procedures, certificate of destruction process, and compliance with GDPR right to erasure requirements.

Enterprise-Grade Security by Design

ArcaScience's platform is built on a security-first architecture, designed from the ground up to protect pharmaceutical data at every layer.

Encryption

AES-256 encryption at rest for all stored data, databases, and backups. TLS 1.3 in transit enforced for all communications. Encryption keys managed via hardware security modules (HSMs).

Multi-Tenant Isolation

Dedicated compute per customer with logical data segregation enforced at the database, storage, and application layers. No client can access another client's data, models, or outputs.

Data Residency

AWS eu-west-1 (Ireland) primary, with configurable data residency options for EU, US, and other regions. Default EU data storage for all clients with geographic redundancy.

Zero-Trust Architecture

Zero-trust network architecture with identity-based access controls, micro-segmentation, continuous authentication, and least-privilege enforcement across all platform services.

Independent Penetration Testing

Regular penetration testing conducted by independent third-party security firms. Annual full-scope assessments with continuous vulnerability scanning on a weekly cadence. Findings remediated to completion.

Full Security & Compliance Details

Request Security Package

Receive our complete compliance documentation bundle -- including SOC 2 report, ISO 27001 certificate, security whitepaper, DPA template, BAA, and completed SIG/CAIQ questionnaire -- prepared for your vendor assessment process.
