Security & Data Handling

Last updated: May 2026

ARCSLIST is designed around structured, traceable, and privacy-conscious handling of product evidence, manufacturer documents, and project-related information. This page describes our approach to data security and access control as of the current pilot phase.

Access control

  • Access to the ARCSLIST platform is invite-only. No open self-service registration is available during the pilot phase.
  • Every access request is reviewed manually before an invitation is issued.
  • Project data is isolated per account. Users can only access data associated with their own account and projects.
  • Access permissions are enforced at the database level using row-level security (RLS) policies.

Data isolation

Project-specific information, including product lists, evidence records, and workspace data, is strictly isolated between accounts. By design, no cross-account data access is possible.

Infrastructure

  • Platform: Vercel (hosting), Supabase (database and storage)
  • Database location: Frankfurt, Germany — eu-central-1, Central EU region
  • Storage location: Supabase Storage, Frankfurt (eu-central-1)
  • All data in transit is encrypted using TLS
  • Environment separation: development, staging, and production environments are maintained separately

Document handling

Manufacturer documents referenced in ARCSLIST (EPDs, product declarations, certificates) are sourced from publicly available manufacturer publications. Source attribution is maintained for every document referenced.

ARCSLIST does not store confidential manufacturer information beyond what is publicly disclosed.

Sub-processors

ARCSLIST relies on the following infrastructure providers as data processors:

  • Supabase, Inc. — database and storage (Frankfurt, eu-central-1)
  • Vercel, Inc. — hosting and content delivery

Both providers operate under data processing agreements and applicable transfer mechanisms for EU/UK data compliance.

Vulnerability and incident handling

If you identify a security concern or potential vulnerability, please contact us directly at contact@arcslist.com. We take all security reports seriously and will respond promptly.

Current limitations (pilot phase)

ARCSLIST is in early-stage pilot operation. While we apply security-conscious principles from the outset, enterprise-grade certifications (ISO 27001, SOC 2) are not yet in place. We are transparent about this and will update this page as the platform matures.