Securing your data is a daily commitment. This page describes the architecture, technical controls and processes we apply to protect the information you entrust to us. For the legal framework and data-subject rights, see our privacy policy and our nLPD page.
An isolated instance per customer
Every customer runs on their own application instance and their own database. No application data is shared between customers, with three concrete consequences:
- No cross-tenant leakage — a faulty request cannot expose another customer's data, because no application code has concurrent access to two databases.
- Targeted restore — we can roll an instance back to a specific point in time without touching the others.
- Staged rollouts — a release can be reversed instance by instance if something surfaces.
Encryption
Data at rest is encrypted with AES-256, using a dedicated key per customer plus a master key stored away from the database. In transit, everything runs over HTTPS (TLS 1.3), with automatic redirection from any non-encrypted connection.
Backups — GFS strategy
We apply a Grandfather-Father-Son strategy across several horizons:
- 6-hour snapshot — retained for 48 hours.
- 24-hour snapshot — retained for 7 days.
- Weekly — retained for 30 days.
- Monthly — retained for 12 months.
Backups are encrypted end-to-end and stored on infrastructure separate from the primary server. We run a quarterly restore test to validate backup integrity.
Hosting
All of our infrastructure is hosted at Infomaniak, datacenters in Lausanne & Geneva, Switzerland. Infomaniak is certified ISO 27001 (information security), ISO 9001 (quality management) and ISO 14001 (environmental management). Data centres run on 100% renewable hydroelectricity. No customer data is hosted outside Switzerland during normal operations.
Authentication and sessions
- Passwords — stored in encrypted form using Argon2id, a widely recognised reference algorithm, with parameters we harden periodically.
- Sessions — secure cookies, renewed whenever a user's privilege level changes.
- Two-factor authentication — time-based one-time codes on a mobile app, available to everyone and mandatory on administrator accounts.
- CSRF protection — cryptographic signature on every action that modifies data.
Logging and audit
Sensitive actions (sign-ins, exports, deletions, user or role changes, configuration changes) are recorded in an audit log we keep for at least 12 months. The log can be provided to the customer upon a written, motivated request.
Defence in depth
- Host firewall with a default-deny policy: only the required ports are open.
- Cloudflare in front, with DDoS protection and active OWASP rules.
- Attempt rate limits per IP on sensitive entry points (sign-in, signup).
- 24/7 monitoring, automatic anomaly alerts, TLS certificates renewed without human intervention.
Development and dependency chain
- Mandatory code review — no change reaches production without peer review.
- Audited dependencies — third-party libraries are automatically scanned on every build.
- Automated testing — frontend, backend and end-to-end user journeys run on every commit.
- Passwords and technical keys live in environment variables, never in source code.
Responsible disclosure
If you believe you have identified a vulnerability, please write to security@ark.swiss. We commit to acknowledging receipt within 72 business hours and providing a first diagnosis within 10 days. Please do not disclose the vulnerability publicly until we have had an opportunity to remediate.
Governance and documents
Our privacy policy and our nLPD compliance page detail the applicable legal framework and the rights you can exercise: Privacy policy, nLPD compliance, Terms of service.