Information Security Policy

Effective May 25, 2026

ARKSOFT protects client information, project materials, credentials, source code, design notes, and production systems with controls appropriate to each engagement's scope and sensitivity.

Security Governance

Security is treated as part of delivery, not a separate afterthought. Project decisions should consider confidentiality, integrity, availability, maintainability, auditability, and the practical risk of misuse or accidental exposure.

Access Control

  • Access to repositories, infrastructure, client systems, and project materials is limited by need-to-know and least privilege.
  • Administrative access should be reviewed when team roles, vendors, or project phases change.
  • Shared accounts should be avoided where individual accounts and auditable access are practical.

Secrets and Credentials

Secrets, private keys, API tokens, certificates, production passwords, and live customer credentials must not be committed to source control, pasted into public issue trackers, or sent through the website contact form. Credential exchange should use an approved secure channel.

Secure Development

  • Review code changes for authentication, authorization, validation, logging, dependency, and configuration risks.
  • Use environment-specific configuration and avoid hard-coded production values.
  • Run project-appropriate tests, smoke checks, and deployment verification before release.
  • For AI-generated or AI-assisted code, perform human review for security, correctness, maintainability, and licensing risk.

Data Protection

Client materials should be separated by project, retained only as needed, and protected from unauthorized disclosure. Sensitive files should be encrypted or access-controlled when the project risk profile requires it.

Vendor and Service Provider Controls

Vendor tools may be used for hosting, source control, collaboration, email, infrastructure, security, analytics, and deployment. Vendor access should be limited to the work performed and reviewed when the engagement changes or ends.

Incident Response

Suspected security incidents are assessed for scope, impact, containment, remediation, and communication requirements. ARKSOFT coordinates with affected clients when a project system or client material may be involved.

Business Continuity

Projects should use appropriate backups, version control, rollback paths, and deployment records so work can continue after accidental deletion, service interruption, or infrastructure failure.

Client Responsibilities

  • Share credentials through approved secure channels and rotate access when personnel or vendors change.
  • Tell ARKSOFT before sharing regulated, export-controlled, health, payment, government, or other restricted data.
  • Report suspected security issues involving active ARKSOFT work as soon as practical.

Contact

Security questions, vulnerability reports, or access concerns may be sent through the website contact form or by email to info@arksoft.dev.