Security & Compliance

The artifacts procurement needs.

Every ARCG Systems customer can ask for, and receive, the security and compliance artifacts their legal team requires — in the format they expect.

Who this page is for. Procurement, legal, and security teams evaluating SourceDeck for mid-market and enterprise use. SourceDeck does not currently claim SOC 2, HIPAA, FedRAMP, CMMC, ISO 27001, or HITRUST certification. Items below marked Live are real artifacts we produce today under a signed MSA. Items marked not held are not certified; readiness controls are planned, and formal audit work begins only when a paying enterprise contract requires it. Under a signed MSA we will commit to specific remediation milestones and an evidence-delivery timeline per customer.

SOC 2 Type II attestation · not held

Not certified. SourceDeck is not SOC 2 Type II attested today. No active audit is currently open. Readiness controls (security · availability · processing integrity · confidentiality) are planned; formal audit work begins only when a paying enterprise contract requires it. Under a signed MSA we will commit to specific remediation milestones and an evidence-delivery timeline.

Request readiness discussion →

Data Processing Addendum (DPA) · Live

Standard DPA covering GDPR and CCPA data-subject rights, with data-transfer SCCs where applicable. Counter-signed within one business day of request.

Request signed DPA →

MSA & SOW templates · Live

Standard Master Services Agreement and statement-of-work template attached to every Operator proposal. Redline-friendly.

Request templates →

HIPAA BAA · not held

Not certified. SourceDeck is not HIPAA-compliant today and no signed BAA is currently offered. PHI must not touch the platform under the current posture. Under a signed MSA with a paying customer who requires HIPAA, we will commit to specific BAA terms and a remediation timeline.

Request readiness discussion →

FedRAMP authorization · not held

Not certified. SourceDeck is not FedRAMP authorized, has no ATO, and is not currently pursuing FedRAMP Moderate. NIST 800-171 and CMMC Level 2 are tracked as operator-internal readiness items under ARCG Systems (an SDVOSB); they are not customer-facing certifications. Under a signed MSA with a paying customer whose contract requires FedRAMP, we will commit to a specific authorization-path timeline.

Request readiness discussion →

Retention & deletion policy · Live

Per-workspace retention. Workspace reset purges localStorage, cached analytics, and saved campaign state. Full account deletion on request; 30-day verifiable purge window.

Public retention policy →

Audit log · Scaffolded, shipping in Phase 2

Every state change (approvals, secret reads, workspace mutations, webhook deliveries) is written to an append-only audit log. The UI surface ships in Phase 2; the log schema is already defined in SELF_SETUP_SQL_AND_API_SPEC.md §19.1.

Security review questionnaire · Live

SIG Lite, CAIQ, CIS, and custom vendor questionnaires. Turnaround ≤ 5 business days under a signed NDA.

Submit questionnaire →

Subprocessor list · Live

Current subprocessors — Stripe (billing), Cloudflare (edge + Workers), Postmark (transactional email), Basin (form intake), Tidio (chat). Full DPAs in place with each. Updated on change, notice-first.

Insurance · Live

General liability + professional liability + cyber liability. COIs issued per customer request within one business day.

Request COI →

What to expect on a procurement call

  1. Operator-tier scoping call within one business day of proposal request.
  2. Signed NDA routed via DocuSign within 2 business days; security pack released on receipt.
  3. Written proposal with DPA, MSA, SOW, and any requested compliance artifacts within 5 business days.
  4. Security-review questionnaire turned around in ≤ 5 business days, with evidence cited per control.
  5. Kickoff once signed; workspace provisioned via the activation flow.