Arkon

Trust & Privacy

What we hold of yours, where it lives, and what we will never do with it.

One page. Plain language. Operator-controlled defaults. Each claim below maps to a verifiable infrastructure choice — not a marketing promise.

Last reviewed: 2026-05-02

01

GDPR compliance posture

Your data lives in the EU. You can have it back, or removed, on request — operator-self-served, no ticket queue.
Data residency
Production application is deployed to Vercel EU regions; the Postgres database and object storage are provisioned on a Supabase EU project. No customer audit data leaves the EU at rest. (LLM inference traffic is documented in Section 02.)
Processor obligations
We act as a data processor for any personal data submitted through the audit flow or the platform. A Data Processing Addendum is available on request for paid plans; the same DPA terms apply by default to free-audit usage. The DPA template is finalised with counsel at v1 commercial close.
Right to deletion (Art. 17)
Operators can delete an engagement (and all derived audit data, findings, exports and logs tied to it) from Settings → Engagement → Delete. Deletion completes within 7 days across primary, replica and sub-processor caches; confirmation is emailed when the cycle closes.
Right of access & portability (Art. 15, 20)
All engagement data is exportable in machine-readable form from the dashboard at any time — see Section 06 below.
Lawful basis
Free-audit processing relies on consent (you start it). Paid-plan processing relies on contract. Telemetry relies on legitimate interest, scoped to platform health and abuse prevention; never sold, never used to train models.

02

AI training disclosure

Your audit answers are not used to train any AI model.

The honest substance behind that line — not a marketing slogan:

How prompts are processed
When the platform needs synthesis (the paraphrase step, the preliminary read, in-platform reasoning turns), the relevant inputs are sent to Anthropic’s API as prompts. Anthropic returns the model output. We persist the input + output in our own database for product functionality (reload your audit, export findings, audit history).
No model fine-tuning on customer data
We do not run fine-tuning, RLHF, distillation or any other training process on customer audit data. We do not export customer prompts to a separate training dataset. The same is true for Arkon’s reasoning inside the platform.
Anthropic’s side of the boundary
Anthropic processes prompts as an API provider under their commercial terms — they do not train their foundation models on API customer data by default. Anthropic Commercial Terms and the Anthropic data-use policy cover the upstream commitment we rely on.
Data flow, end-to-end
your input → our API → Anthropic API → model output → our database → your dashboard. No third destination. No training pipeline branch.
Retention boundary
Audit prompts & outputs persist as part of your engagement. They are deleted with the engagement (operator-initiated) or after the 30-day non-activation window described in Section 03.

03

Audit data lifecycle

If you don’t activate the platform within 30 days, your audit data is permanently deleted.
Activation triggers retention
Once you activate a paid module (or convert a free-audit session into a signed-in engagement on a paid plan), audit data becomes part of your engagement and follows the engagement-deletion controls in Section 01. We keep it for as long as you keep your engagement.
Non-activation triggers deletion
Free-audit sessions that never convert are purged automatically on day 30 from the last engine response. The purge removes prompts, model outputs, derived findings, and the anonymous session token. Aggregate, non-identifying audit-quality metrics (e.g. completion rates) are retained.
Operator-initiated deletion
Even before day 30, anyone can request immediate deletion of a free-audit session by emailing the address in the footer of this page with the session token (visible in the dashboard once signed in, or recoverable from the audit URL).
What is not subject to the 30-day clock
Billing records, security audit logs and sub-processor logs are retained per legal/financial obligations (typically 7 years in the EU). These do not contain audit content.

04

Encryption & authentication

Standard production posture. Where the standard isn't strong enough, we go further. Where it is, we don't theatre it up.
In transit
All HTTP traffic is TLS 1.3 (TLS 1.2 minimum, enforced at the edge). HSTS preloaded. No mixed content. Internal service-to-service calls within Vercel/Supabase use mutually-authenticated TLS.
At rest
Postgres data is encrypted with AES-256 at rest (Supabase managed). Object storage (audit transcripts, exports) is encrypted at rest with per-bucket keys. Backups are encrypted with the same key envelope.
Authentication (operator)
Sign-in is handled by Clerk. Default flow supports email + password with TOTP MFA; SSO + SCIM is available on enterprise plans. Session cookies are httpOnly, secure, SameSite=Lax. Session lifetime defaults to 7 days; idle expiry at 24h.
API authentication
All authenticated platform routes (everything outside the public marketing surface and the gated free-audit) require a Clerk session bearer token. API routes verify the token server-side before any data access. Anonymous free-audit routes use a short-lived per-session token, rate-limited per IP.
Secrets & access
Production secrets are scoped per environment in Vercel and Supabase. No shared production credentials. Access to production data is logged and reviewable. Engineering access uses short-lived tokens.

05

Sub-processor list

The full list of third parties that may process customer data on our behalf. We will notify operators by email at least 30 days before adding a sub-processor that materially changes data handling.
Sub-processors that may process customer data on our behalf
Anthropic
LLM inference (paraphrase, preliminary read, platform reasoning)
Clerk
Authentication, session management, MFA, SSO/SCIM
Supabase
Postgres database + object storage
Vercel
Application hosting, edge runtime, build pipeline
Stripe
Subscription billing + payment processing
Resend
Transactional email delivery

Sub-processor terms are governed by their own published policies; we contract with each on the basis of GDPR-compliant DPAs and EU data residency where the deployment supports it.

06

Data export commitments

You own your engagement data. You can take it with you, at any time, in a format other tools can read.
Operator-controlled export
Every engagement exposes a one-click export of all engagement data: audit transcripts, paraphrases, engine answers, preliminary reads, module bridges, findings, KPI history, attached files. Format: JSON + a CSV companion for tabular sections.
Audit-finding history
Findings carry their full provenance: which audit question surfaced them, which engine produced them, the confidence flag, and the timestamp. Exports preserve this metadata so any downstream tool can reason about the same evidence we did.
Post-cancellation export window
On cancellation, your engagement remains read-only and export-enabled for 30 days. After day 30, the engagement and its data are deleted. Operators can extend the window in writing if migration warrants it.
No vendor lock-in mechanics
We don’t add proprietary headers, watermark exports, or withhold artefacts behind upgrade gates. The methodology is the substance; the export is the substance verbatim.