Security
How arch0 handles, encrypts, and protects your architecture data.
Data handling
arch0 stores three types of data for each user: projects (name, type, description), conversation messages (your inputs and AI responses), and generated deliverables (diagrams, ADRs, cost estimates). All data is associated with your authenticated account and isolated per tenant — no user can access another user's data.
We do not use your architecture data to train AI models. Your conversations and deliverables are used only to provide the service.
Encryption
All data is encrypted in transit using TLS 1.2+ (HTTPS) between your browser and our servers, and between our servers and third-party services (database, AI provider).
Data at rest is encrypted using AES-256 encryption on our database provider (MongoDB Atlas), which manages encryption keys with automatic rotation.
Access control
Authentication uses JWTs as session tokens; passwords are stored as bcrypt hashes, never in plaintext. Sessions expire after 7 days and can be revoked at any time via logout.
All API endpoints enforce ownership checks — you can only access projects, messages, and deliverables that belong to your account. Role-based access is enforced at the API layer with middleware that validates every request.
Data retention & deletion
Your data is retained for as long as your account is active. You can delete individual projects at any time, which removes all associated messages and deliverables.
To delete your entire account and all associated data, contact us through the contact page. Account deletion is processed within 30 days and is irreversible. We also support data export — you can download all your project data as a zip file at any time.
Compliance roadmap
We are working toward the following compliance milestones:
• SOC 2 Type II certification — targeted for Phase 3 of our product roadmap
• GDPR compliance — data processing agreements available on request
• Audit logging — immutable logs of all data access and modifications (in development)
• Secrets management — integration with cloud-native secret stores for credential handling
For questions about our security practices or to request a security questionnaire, please contact us.
Have security questions?
We are happy to answer security questionnaires, discuss our architecture, or provide additional documentation.
Contact us
This page is for informational purposes and does not constitute legal advice.