Privacy Policy
Last updated: November 27, 2025
arxdura is committed to protecting your privacy. This policy explains what information we collect,
how we use it, and your rights as a customer. We believe in transparency and being upfront about our data practices.
Overview
arxdura provides S3 bucket hardening and compliance services. Our business model is unique: we deploy infrastructure directly into your AWS account, not ours.
This design minimizes the personal and sensitive information we need to store.
Key privacy principles:
- Your data stays in your AWS account: We never store your actual data
- Minimal personal information: Only what's necessary to deliver services
- Transparent data practices: No hidden data collection or sharing
- Secure by design: Encryption, access controls, and audit logging
- Your rights respected: Access, deletion, and portability options
Information We Collect
Order Processing Information
When you place an order, we collect:
- Contact information: Name, email address, phone number (optional)
- Business information: Company name (optional)
- Payment information: Processed through Cognito + Stripe (we do not store payment details)
- Order details: Selected tier, bucket count, compliance requirements
AWS Account Information
To deploy to your AWS account, you provide:
- AWS Account ID: 12-digit identifier (this is public information)
- AWS Region: Where you want resources deployed (e.g., us-east-1)
- AWS IAM Role: You deploy a cross-account role; we assume it temporarily for deployment
- Bucket names: List of S3 buckets to harden
Important: We never access your AWS credentials (access keys, secret keys).
All access is via your cross-account role, which you can delete at any time.
Technical Logs
For service delivery, we collect:
- Deployment logs: Timestamps, success/failure status, resource ARNs created
- Compliance scan results: Prowler/Cloud Custodian outputs stored in S3 (your account or shared evidence bucket)
- Order queue data: Order status, timestamps, configuration metadata
How We Use Your Information
Service Delivery
We use your information to:
- Deploy hardened S3 buckets to your AWS account
- Generate compliance evidence and reports
- Communicate about your order status and delivery
- Process payments and issue invoices
- Provide customer support
Account Management
If you create an account on our website, we use:
- Email and authentication credentials (Supabase Auth)
- Profile information for admin panel access (if applicable)
- Tenant/bucket data for tracking your orders
What We Do NOT Collect
- Your AWS credentials: No access keys, secret keys, or passwords from you
- Your actual data: Nothing stored in your S3 buckets or other AWS resources
- Payment details: Processed through Stripe; we do not store card numbers
- Behavioral tracking: No cookies, pixel tags, or cross-site tracking (beyond essential functionality)
- Location/identity beyond what you provide: No IP tracking or browser fingerprinting
Third-Party Services
We use trusted third-party services to deliver arxdura:
Supabase
- Purpose: Authentication, database (tenants, buckets, orders), content management
- Data stored: User accounts, order metadata, website content blocks
- Location: Supabase-owned PostgreSQL database (EU/US regions)
- Privacy Policy: supabase.com/privacy
Stripe
- Purpose: Payment processing (via Cognito integration)
- Data stored: Payment information (or fractional portions of it). Stripe handles PCI compliance
- Privacy Policy: stripe.com/privacy
Render
- Purpose: Website and order bridge hosting
- Data processed: Website traffic, API requests (logs retained 30 days)
- Privacy Policy: render.com/privacy
Cognito Forms
- Purpose: Order intake and payment processing (current MVP implementation)
- Data stored: Order details, contact information, Stripe payment data
- Privacy Policy: cognitoforms.com/privacy-policy
Tally.so
- Purpose: AWS project details collection (account ID, bucket list, region)
- Data stored: Form submissions linked to your order
- Privacy Policy: tally.so/privacy
CloudTrail Logging in Your AWS Account
When we deploy to your account, CloudTrail logs record:
- API calls made by the cross-account role
- Timestamps and source IP addresses (our deployment environment)
- Resource modifications (S3 buckets, KMS keys, IAM policies)
These logs are stored in your AWS account in a Cloud-managed log bucket.
You control retention, access, and deletion. We never access these logs after deployment.
Compliance Frameworks
Our privacy and security practices align with:
- HIPAA/HITECH: PHI baseline bucket configurations (for healthcare customers)
- SOC 2 Type II: Security controls, logging, and audit trail documented in evidence bundles
- GDPR: Data minimization, right to deletion, transparent data practices
- PCI-DSS: Payment processing via Stripe (PCI-compliant), no card data stored
Data Security
We protect your information with:
- Encryption in transit: All connections use TLS 1.2+
- Encryption at rest: Supabase databases use encryption; S3 evidence buckets use customer-managed KMS keys
- Access controls: Cross-account IAM roles, Supabase Row-Level Security (RLS)
- Audit logging: CloudTrail in your account; request logs on our systems
- Regular security scanning: Prowler scans for compliance verification
Your Rights
Under GDPR and similar regulations, you have the right to:
- Access: Request a copy of your personal information
- Correction: Request updates to inaccurate information
- Deletion: Request deletion of your account and associated data
- Portability: Request transfer of your data
- Objection: Object to certain processing activities
- Withdraw consent: When processing is based on consent
To exercise these rights, contact us at privacy@arxdura.com.
Data Retention
- Order records: Retained for 7 years (for tax/compliance purposes)
- Compliance evidence logs: Retained in your AWS account according to your retention policy (typically 1-7 years for audit requirements)
- Website analytics: We do not use third-party analytics; server logs retained 30 days
- Account data: Retained until account deletion or as required by law
Children's Privacy
arxdura is not intended for children. We do not knowingly collect personal information from individuals under 16.
If we become aware of such collection, we will delete it immediately.
International Data Transfers
arxdura operates primarily in the United States. Our third-party services (Supabase, Render, AWS) may process data in their US or EU regions.
We ensure these providers offer adequate protection (EU-US Data Privacy Framework, Standard Contractual Clauses, or equivalent mechanisms).
Changes to This Policy
We may update this privacy policy to reflect changes in our practices, regulations, or services.
We will notify customers of material changes via email or prominent website notice.
Contact Us
For privacy-related questions, data access requests, or concerns:
Key Takeaway
arxdura's design prioritizes your data sovereignty. We deploy infrastructure to your AWS account,
not ours. We collect minimal information, are transparent about third-party services,
and give you control over evidence retention and access. Your data stays under your control.