Keeping Arc Secure
Your browser is a portal to the whole internet, and everything in it. So ensuring your browser is airtight, and secure as it can possibly be, is of incredible importance to us.
We’re a small (but mighty) team working to ensure you never have to worry that your data is being misused, misappropriated, or sold in ways you’re not aware of.
But don’t take our word for it. Below, we’ve listed everything we can think of that you might want to know about our security practices. For more on privacy, click here.
And if you have any questions, just shoot us an email at any time at [email protected]. We’re all ears!
Outside Security Assessments
Since we are a small security team, we’ve contracted with Latacora to do regular outside security reviews and trainings across a wide range of different systems:
- Corporate systems
- Build and tooling systems
- Full codebase audits
- Desktop and mobile apps
Building a browser from the ground up is really hard, which is why Arc is built on Chromium — the same engine that powers Google Chrome and Microsoft Edge. So, Arc benefits from the same foundation that makes those browsers reliable and secure. But since Chromium is open source, we can augment it to further protect your privacy. Click here for more on the differences between Chromium and Chrome.
As for security, Chromium is constantly updated with security fixes for new vulnerabilities, and we take staying up to date with the newest version of Chromium very seriously. We even have a dedicated team of lovely Chromium engineers! Our upgrade process guarantees that Arc is always using the latest version of Chromium within 48 hours of a new version or hotfix being released.
List of Disabled Chromium Features
- Google Accounts Integration (GAIA) disabled
- Chromium won’t send requests for accounts on startup to accounts.google.com
- No syncing of Chromium profiles, cookies, passwords, bookmarks to Google via your Google account
- Google metrics (UMA) reporting is disabled
- No session fingerprinting
- No logging of your browsing activities (creating bookmarks, searching, autofills, links you click, etc.)
- No telemetry or crash report data is sent to Google
- Uploading settings after resetting profile is disabled
- Reporting Observers and Reporting API are disabled
- Network logging to file is disabled
Arc uses GCP Firebase for user authentication, storage for Notes & Easels, and Cloud Functions for certain application features like referral code generation. All data stored in Firebase is encrypted-at-rest by default.
Logging & Analytics
Over the course of using the Browser, we collect certain telemetry data related to internal actions that the Browser is taking and actions that cause the Browser to crash. We collect this information to improve the Browser and understand categories of issues that members are experiencing.
Our philosophy for analytics is that they should be helpful in improving the product while simultaneously protecting member privacy. To ensure this, we do NOT log the following:
|Data Categories We Don’t Log||Examples|
|Personally-identifiable information (PII)||Email address, name|
|Information about what members are viewing||URLs, bookmarks, page content, history|
|User-generated content||Note text, Easels, space names, search terms|
Logs are stored for 30 days in our third-party provider Datadog and is encrypted in transit. Access to logs is locked down to only BCNY employees whose roles require access. We have automated monitoring and alerting for any unauthorized access attempts to any logs. We routinely run internal audits of access to logs to ensure that BCNY employees only have access to information they need to complete their jobs.
Third-party tools used
- Sentry for collecting analytics data from crashes and other bugs in the application.
- LaunchDarkly is used for rolling out and managing all feature flags in Arc.
- Segment is used for collecting anonymized telemetry data to assist our development teams in making application improvements. No PII is ever shared with the Browser Company of New York. Please see the list of what we do NOT log above.
- BigQuery is used for collecting anonymized product usage data to understand feature usage and improve our product. This data NEVER includes the websites you visit, files you download, or content you create in the product.
- Why does Arc require an account to use?
Here’s a link to our forum that explains the rationale behind requiring an account to use Arc: Why do I need an account?
- Do you have a SOC2 or ISO 27001 certification?
We are not SOC2 or ISO 27001 certified currently but will look at achieving SOC2 compliance in the near future.
- How will you monetize without selling user data?
That’s a great question! While we don’t have specifics to share at this time, we don’t plan to ever sell user data. For more information, please see this video from our CEO for more details.
- Does Arc come with a built in ad-blocker?
Arc comes with uBlock Origin already installed but the user has full control of their browser and can uninstall it if that’s preferred. We currently don’t have a custom built ad-blocking but are looking at building further member protections into Arc in the future. Since we’re using Chromium under the hood, any ad-blockers or privacy tooling that is available in the Chrome app store works with Arc.
- Can I configure multi-factor authentication (MFA) for my Arc account?
We currently do not have the option of configuring MFA for your account but that is a feature we plan to implement.
- Do you have a bug bounty or provide compensation for security reports?
We do not currently have a bug bounty program or provide compensation for reports. Please email [email protected] with documentation (e.g. screen recording or reproduction steps) and a member of our Security team will review it.