Security @ BCNY

Our commitment to you

We love the internet and it’s important for our members to feel safe while exploring. That’s why we built a browser to make the internet better, while keeping your data to yourself.

Effective Date: Sep 27, 2024

The Browser Company Bounty Program

At The Browser Company of New York, we care deeply about safeguarding the security and privacy of everyone who uses our products. We also recognize the security research community’s invaluable role in this mission. If you spot a vulnerability, we want to hear about it so we can make things right as soon as possible. Your work helps us build a safer, more secure browsing experience for all.

Our Bug Bounty Program is run through HackerOne. Please visit our HackerOne program page to review our program policy and scope, and to submit your findings.

How to Submit your Research

If you believe you’ve identified a security or privacy issue that affects BCNY products, services, or software, please submit it to us through our HackerOne program.

Keeping Arc Secure

Your browser is a portal to the whole internet, and everything in it. So ensuring your browser is airtight, and as secure as it can possibly be, is of incredible importance to us.

We’re a small (but mighty) team working to ensure you never have to worry that your data is being misused, misappropriated, or sold in ways you’re not aware of.

But don’t take our word for it. Below, we’ve listed everything we can think of that you might want to know about our security practices. For more on privacy, click here.

And if you have any questions, just shoot us an email at any time at [email protected]. We’re all ears!

Outside Security Assessments

Since we are a small security team, we’ve contracted with Latacora to do regular outside security reviews and trainings across a wide range of different systems:

  • Corporate systems
  • Infrastructure
  • Build and tooling systems
  • Full codebase audits
  • Desktop and mobile apps

Browser Engine

Building a browser from the ground up is really hard, which is why Arc is built on Chromium — the same engine that powers Google Chrome and Microsoft Edge. So, Arc benefits from the same foundation that makes those browsers reliable and secure. But since Chromium is open source, we can augment it to further protect your privacy. Click here for more on the differences between Chromium and Chrome.

As for security, Chromium is constantly updated with security fixes for new vulnerabilities, and we take staying up to date with the newest version of Chromium very seriously. We even have a dedicated team of lovely Chromium engineers! Our upgrade process guarantees that Arc is always using the latest version of Chromium within 48 hours of a new version or hotfix being released.

List of Disabled Chromium Features

  • Google Accounts Integration (GAIA) disabled
    • Chromium won’t send requests for accounts on startup to accounts.google.com
    • No syncing of Chromium profiles, cookies, passwords, bookmarks to Google via your Google account
  • Google metrics (UMA) reporting is disabled
    • No session fingerprinting
    • No logging of your browsing activities (creating bookmarks, searching, autofills, links you click, etc.)
    • No telemetry or crash report data is sent to Google
  • Uploading settings after resetting profile is disabled
  • Reporting Observers and Reporting API are disabled
  • Network logging to file is disabled

Infrastructure

Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted at rest by default.

Direct access to any production data is limited to a few select teams based on their roles. Access is logged and reviewed at regular intervals. We store as little PII as possible and routinely audit our data to ensure we’re not storing anything sensitive. Please see the privacy policy for a list of what user data is stored.

Logging & Analytics

Over the course of using the Browser, we collect certain telemetry data related to internal actions that the Browser is taking and actions that cause the Browser to crash. We collect this information to improve the Browser and understand categories of issues that members are experiencing.

Our philosophy for analytics is that they should be helpful in improving the product while simultaneously protecting member privacy. To ensure this, we do NOT log the following:

Data categories we don’t log, with examples:

  • Personally-identifiable information (PII): email address, name
  • Information about what members are viewing: URLs, bookmarks, page content, history
  • User-generated content: note text, Easels, space names, search terms

Logs are stored for 30 days with our third-party provider Datadog and are encrypted in transit. Access to logs is locked down to only those BCNY employees whose roles require it. We have automated monitoring and alerting for any unauthorized access attempts against any logs. We routinely run internal audits of log access to ensure that BCNY employees only have access to the information they need to do their jobs.

Third-party tools used

  • Sentry for collecting analytics data from crashes and other bugs in the application.
  • LaunchDarkly is used for rolling out and managing all feature flags in Arc.
  • Segment is used for collecting anonymized telemetry data to assist our development teams in making application improvements. No PII is ever shared with the Browser Company of New York. Please see the list of what we do NOT log above.
  • BigQuery is used for collecting anonymized product usage data to understand feature usage and improve our product. This data NEVER includes the websites you visit, files you download, or content you create in the product.

FAQ

  • Why does Arc require an account to use?
    Here’s a link to our forum that explains the rationale behind requiring an account to use Arc: Why do I need an account?
  • Do you have a SOC2 or ISO 27001 certification?
    We are not SOC2 or ISO 27001 certified currently but will look at achieving SOC2 compliance in the near future.
  • How will you monetize without selling user data?
    That’s a great question! While we don’t have specifics to share at this time, we don’t plan to ever sell user data. For more details, please see this video from our CEO.
  • Does Arc come with a built in ad-blocker?
    Arc comes with uBlock Origin already installed, but the user has full control of their browser and can uninstall it if preferred. We currently don’t have a custom-built ad blocker, but we are looking at building further member protections into Arc in the future. Since we’re using Chromium under the hood, any ad blockers or privacy tooling available in the Chrome Web Store work with Arc.
  • Can I configure multi-factor authentication (MFA) for my Arc account?
    We currently do not have the option of configuring MFA for your account but that is a feature we plan to implement.