The posture, named.

Site: EU edge infrastructure. Contact-form endpoint: EU region, no transatlantic data transfer in the default path. Build deployments: per-engagement, named in the SOW. Typical default is AMS with FRA failover.

Backups are encrypted at rest, held in the same region as the primary, and retained per the engagement retention schedule.

The list below is the default marketing-site and contact-form chain. Build deployments have their own sub-processor list in the SOW. You will see it before the engagement starts.

Web hosting

{{web-host}} · EU region

Form endpoint

{{form-host}} · EU region

Email routing

{{email-provider}} · EU sending domain

Domain + DNS

{{dns-registrar}}

Tokens are placeholders while the final vendor choice lands in writing. Updated on this page and in the SOWs when confirmed.

Production access is held by the two founders and scoped to named engineers on the team when an engagement requires it. No offshore support, no shared accounts, no “break glass” credentials sitting in chat.

Two-factor authentication is required on every service that supports it. Password manager with audit trail. SSO where a customer environment requires it.

If something breaks on a live engagement, email hello@arcken.nl with the details. A named human replies within four business hours during working hours, and within a business day out of hours.

For personal-data breaches, we notify the customer controller within 72 hours of becoming aware, per Article 33 of the GDPR. The SOW names the primary contact.

We use global vendors inside Arcken itself (the coding assistants, the design tools, the meeting recorder) where they ship best. None of that tooling is in the path of your product or your customer data. The moat is only defensible if we’re honest about it.