Security at Arrows

Customer trust and security are critical to everything we do at Arrows. Learn how we adhere to industry-leading standards in data protection and security compliance.

Visit our Trust Center

Compliance & data privacy

Arrows is SOC 2 Type II and GDPR compliant, with third-party audits confirming our security practices annually. Our SOC 2 report is available in our Trust Center and has zero exceptions, demonstrating our commitment to security and data protection.

🔒 Infrastructure security

Arrows is hosted on Heroku, which runs on Amazon Web Services (AWS) data centers.

AWS provides an extensive list of compliance and regulatory assurances. See the AWS compliance and security documents for more detailed information.

⏰ Continuous monitoring

Over 100 security controls are continuously monitored across the organization.

Automated alerts and evidence collection mean Arrows can confidently demonstrate its security and compliance stance any day of the year.

🔑 Data encryption

Customer data is encrypted at rest with AES-256 block-level storage encryption, and in transit with SSL. Battle-tested infrastructure from Heroku and AWS keeps your data secure.

🧪 Annual penetration testing

Arrows works with industry-leading third-party security firms to perform annual network and application layer penetration tests.

🛡️ WAF protection

A Web Application Firewall (WAF) defends Arrows against unauthorized access and stops threats before they start.

🎓 Employee security training

All Arrows employees complete an annual security training program and employ best practices when handling customer data.

Enterprise-ready security features

RBAC
Leverage role-based access to control who on your team has access to specific features.

SSO (enterprise only)
Manage user authentication with SAML single sign-on and keep access grants up to date with SCIM.

Audit logs (enterprise only)
Track, monitor, and search in-app user activity. Export reports and alerts to your preferred tools.

Frequently asked security questions

Can’t find the answer you're looking for? Email us any time: help@arrows.to.

Is Arrows SOC 2 compliant?

Yes, Arrows is SOC 2 Type II compliant. Our application and security practices undergo hundreds of daily automated tests to ensure consistent compliance and are regularly assessed by a third-party auditor. A copy of our most recent SOC 2 report is available in our Trust Center.

Is Arrows GDPR compliant?

Yes, Arrows is GDPR compliant. We outline all our data processing measures in our Data Processing Addendum.

Where is data stored and processed?

Arrows data is stored in Heroku Postgres. You can view an updated list of our subprocessors here.

How is my HubSpot data protected?

Arrows follows all best practices for interacting with your HubSpot data, including only requesting permissions for data that we need for your onboarding plans. All data is accessed securely using HubSpot's API and we encrypt your access tokens. Additionally, Arrows is certified by HubSpot, which requires an in-depth technical review by HubSpot's team of developers.

Can I control who has access to our Arrows plans?

Yes! You have full control over Arrows plan access. Depending on your security needs, you can choose between an open link available to anyone and access restricted to invited participants only.
