ArchRails ("ArchRails," "we," "our," or "us") provides a federated cross-repo architecture governance platform built on the FINOS CALM v1 open standard (the "Service"). This Privacy Policy explains how we collect, use, share, and protect personal information when individuals access archrails.io, register for Evaluation Access, or use the Service as an Authorized User of a Customer organization.
This policy applies to personal information about (a) individuals who register for the Service, (b) Authorized Users of a Customer organization, (c) visitors to archrails.io, and (d) prospects who contact us through the sales process. Capitalized terms not defined here have the meanings set out in the Terms of Service.
For Paid Subscriptions, ArchRails generally acts as a processor of personal information on behalf of the Customer, which is the controller. For Evaluation Access and for personal information collected via archrails.io (account registration, marketing, support), ArchRails acts as a controller. A Data Processing Agreement reflecting this allocation is available on request to privacy@archrails.io.
When an individual registers for Evaluation Access or for a Paid Subscription, we collect:
To deliver the Service, ArchRails receives and uses short-lived CI tokens (the workflow-issued GITHUB_TOKEN for GitHub Actions, or the GitLab CI job token) that the Customer's pipeline forwards for each pull request. Tokens are held in memory only for the duration of the request and are not persisted; if any operational state must be cached, it is encrypted at rest in the cloud account where the Service runs (the Customer's cloud account in a BYOC Deployment).
To validate a pull request against Customer's CALM Files, the Service fetches the pull-request diff from the Customer's source-control system, processes it in memory, posts the resulting review comments, and discards the diff. Pull-request diffs and Customer source code are not stored. See Section 7 for the explicit retention schedule.
The Service stores CALM Files (architecture definitions), the derived cross-repo graph, blast-radius computations, merge metadata (pull-request identifiers, timestamps, approver identities, rule results), Audit Artifacts, and operational telemetry. In a BYOC Deployment, these are stored in Customer-owned cloud storage under Customer-managed encryption keys.
We collect server logs and operational telemetry, including IP address, user-agent string, timestamps, request paths, response codes, and latency. This data supports security, abuse detection, and Service reliability.
If you contact us through the contact form, email, or sales engagement, we retain the message content, your contact details, and any follow-up correspondence to respond to your request and maintain a record of the conversation.
The signup flow uses Cloudflare Turnstile to mitigate automated abuse. Turnstile collects browser-environment signals (assessed by Cloudflare) and a short-lived verification token, which is forwarded to our pre-sign-up Lambda for validation. See Cloudflare's privacy notice for additional detail on Turnstile data handling.
| Purpose | Category of personal information | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide and operate the Service | Account info, integration tokens, architecture data, telemetry | Contract performance (Art. 6(1)(b)) |
| Generate Audit Artifacts for compliance evidence | Merge metadata, approver identity, rule results | Contract performance (Art. 6(1)(b)) and legal obligation of Customer (Art. 6(1)(c)) |
| Authenticate Authorized Users and protect accounts | Account info, telemetry, IP address | Legitimate interest in security (Art. 6(1)(f)) |
| Detect, prevent, and respond to abuse, fraud, and security incidents | Telemetry, IP address, Turnstile signals | Legitimate interest in security (Art. 6(1)(f)) |
| Maintain Service reliability and performance | Telemetry, diagnostic logs | Legitimate interest in service quality (Art. 6(1)(f)) |
| Respond to support requests and sales inquiries | Account info, support content | Contract performance / legitimate interest (Art. 6(1)(b)/(f)) |
| Comply with legal obligations (tax, audit, regulatory requests) | Billing records, account info, Audit Artifacts | Legal obligation (Art. 6(1)(c)) |
| Send transactional emails (verification, security alerts, billing) | Account info | Contract performance (Art. 6(1)(b)) |
| Send marketing communications | Account info, contact details | Consent (Art. 6(1)(a)); withdrawable at any time |
We do not use Customer Data — including CALM Files, the cross-repo graph, Audit Artifacts, or any in-memory pull-request diff — to train any machine-learning model, including any model used by the Service or by a Subprocessor, except (i) aggregated or de-identified data that cannot reasonably be re-associated with Customer or any individual or (ii) as expressly permitted in an executed MSA.
For individuals in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following lawful bases under Article 6 of the GDPR:
Where ArchRails acts as a processor on behalf of a Customer (the controller), the controller is responsible for establishing the appropriate lawful basis for the processing instructed.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We share personal information only with the categories of recipients listed below.
ArchRails engages the following Subprocessors to support the Service. Each Subprocessor is bound by a written agreement that requires the Subprocessor to protect personal information consistent with this policy and the DPA.
| Subprocessor | Purpose | Jurisdiction(s) | Cross-border transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for ArchRails-operated environments (Evaluation Access, control plane components) | United States (primary: us-east-2). EU customer environments hosted in eu-central-1 (Frankfurt) or eu-west-1 (Ireland) on request. | EU Standard Contractual Clauses (Modules 2 and 3) where data is transferred outside the EEA/UK |
| GitHub, Inc. | Repository integration (GitHub Actions workflow); pull-request webhooks and review-comment posting | United States | EU Standard Contractual Clauses (GitHub published terms) |
| GitLab, Inc. | Repository integration (GitLab CI); pipeline webhooks and review-comment posting | United States | EU Standard Contractual Clauses (GitLab published terms) |
| Cloudflare, Inc. | Bot protection (Turnstile) at signup; edge security | United States (global edge) | EU Standard Contractual Clauses |
| Anthropic, PBC [LAWYER REVIEW: confirm subprocessor agreement and current scope of LLM use] | LLM provider used to generate human-readable explanations attached to PR-time review comments. Scoped strictly to the diff already being processed for that PR; the LLM is not used for repository scans, bootstrap, or any full-codebase analysis. | United States | EU Standard Contractual Clauses (Anthropic published terms) |
| Amazon Simple Email Service (SES) [LAWYER REVIEW: confirm transactional email provider — currently SES; if SendGrid or Mailgun is also in use, list separately] | Transactional email (verification, security alerts, billing notifications) | United States | EU Standard Contractual Clauses |
The table above is the canonical Subprocessor list. We will update it at least thirty (30) days before adding a new Subprocessor that processes Customer personal information; Customers on a Paid Subscription may object to a new Subprocessor in accordance with the DPA.
We may disclose personal information to comply with applicable law, valid legal process (including subpoenas and court orders), or a lawful request by a government authority. Where legally permitted, we will notify the affected Customer and seek to limit the disclosure to what is required.
If ArchRails undergoes a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, personal information may be transferred to the acquirer or successor entity, subject to standard confidentiality protections. We will provide notice of any such change of control and any resulting change in data practices.
ArchRails is incorporated in the United States and operates from South Florida. Personal information processed by ArchRails or its Subprocessors may be transferred to, stored in, or processed in countries outside the data subject's country of residence, including the United States.
For transfers of personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Modules 2 and 3, as applicable) or, where applicable, the UK International Data Transfer Addendum or the Swiss equivalent. Where a Subprocessor maintains its own published SCCs (e.g., AWS, GitHub, GitLab, Anthropic), those clauses apply. For Customers requiring EU data residency, EU-hosted cloud regions (eu-central-1 / eu-west-1) are available on request.
A copy of the SCCs applicable to a specific data transfer is available on request to privacy@archrails.io.
| Category | Retention period | Basis |
|---|---|---|
| Customer source code | Never stored | Pull-request diffs are processed in memory only and discarded post-processing |
| CALM Files and cross-repo graph | Duration of the Paid Subscription, or duration of Evaluation Access | Necessary to operate the Service |
| Audit Artifacts (Compliance Enforcement, Release Governance) | Seven (7) years from generation | SOX ITGC change-management evidence requirement; in a BYOC Deployment, enforced via S3 Object Lock in compliance mode (or cloud-provider equivalent) on Customer-owned storage |
| Account data (name, email, company, BU, role, hashed password) | Duration of the relationship; deleted within thirty (30) days of account closure | Necessary to maintain the account; routine post-termination cleanup |
| Integration authentication tokens | Short-lived CI tokens (GITHUB_TOKEN, GitLab CI job token) are processed in memory for the pull request that forwarded them and are not persisted; any persistent integration credential is retained until revoked by Customer or termination, and rotated periodically | Necessary to operate the Service |
| Usage logs and operational telemetry | Ninety (90) days | Security, abuse detection, Service reliability |
| Support communications | Two (2) years from last interaction | Continuity of support; quality and training |
| Billing records and invoices | Seven (7) years | U.S. and equivalent foreign tax-record retention requirements |
| Evaluation Access workspaces after read-only conversion | Ninety (90) days, then deletion absent conversion to Paid Subscription | Allows time for conversion without indefinite carrying cost |
Where ArchRails acts as a processor, Customer retention instructions in an executed MSA or DPA supersede the schedule above to the extent of any conflict.
Depending on the data subject's jurisdiction, the following rights may apply:
To exercise any of these rights, contact privacy@archrails.io. We will verify the identity of the requester (to protect against unauthorized disclosure) and respond within thirty (30) days, or within the period required by applicable law if shorter. If ArchRails is acting as a processor on behalf of a Customer organization, we will forward the request to that Customer and assist the Customer in responding.
This section applies to California residents and supplements the rights described in Section 8. Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), California residents have the following rights:
Shine the Light (Cal. Civ. Code §1798.83). California residents may request, once per calendar year, information about personal information shared with third parties for the third parties' direct marketing purposes. ArchRails has not shared personal information with third parties for those purposes in the preceding calendar year.
To exercise California rights, contact privacy@archrails.io. Authorized agents may submit requests on behalf of a California resident on receipt of a verified written authorization.
For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other U.S. states with comprehensive privacy laws: the rights and protections described in this Section 9 and Section 8 are extended on a substantively equivalent basis. State-specific appeal procedures (where required) are described in our response to any request denial.
This section supplements Section 8 for data subjects in the European Economic Area, the United Kingdom, and Switzerland.
The data controller for personal information collected on archrails.io and during Evaluation Access is ArchRails, with operating address in South Florida, United States. [LAWYER REVIEW: insert registered address and confirm whether an Article 27 EU representative is required based on Customer footprint and the volume / nature of EU monitoring; if yes, name the representative here.]
For Customers and Authorized Users in the United Kingdom, the equivalent rights under the UK GDPR apply, and the UK Information Commissioner's Office ("ICO") is the relevant supervisory authority.
A Data Processing Agreement reflecting the controller / processor allocation for Paid Subscriptions is available on request to privacy@archrails.io. The DPA incorporates the EU Standard Contractual Clauses (and UK Addendum where applicable) for cross-border transfers.
ArchRails implements administrative, technical, and physical safeguards designed to protect personal information:
No system can guarantee absolute security. The measures above represent commercially reasonable practices for the categories of personal information processed.
archrails.io uses a minimal set of cookies:
ArchRails does not use advertising cookies, cross-site tracking, third-party analytics that profile individuals, or any technique designed to circumvent a "Do Not Track" signal. We do not change our behavior in response to the legacy Do Not Track browser header because there is no industry-standard interpretation of that signal; since we set no advertising or tracking cookies, there is nothing for the signal to disable.
The Service is intended for use by personnel of legal-entity Customers and is not directed to children under eighteen (18). We do not knowingly collect personal information from anyone under eighteen. If we become aware that we have collected personal information from a person under eighteen, we will delete it. Anyone who believes we have collected such information may notify us at privacy@archrails.io.
We may update this Privacy Policy from time to time. For material changes, we will (a) update the "Last updated" date at the top of this page, (b) post a notice on archrails.io, and (c) for Paid Subscription Customers, notify the Customer's designated contact in advance of the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
For privacy-related inquiries, rights requests, or to request the DPA or SCCs:
Data Protection Officer. [LAWYER REVIEW: determine whether ArchRails is required to appoint a DPO under GDPR Article 37 (core activities consisting of regular and systematic monitoring on a large scale, or large-scale processing of special-category data). For the current Service scope and customer base, a DPO is likely not strictly required; recommend designating a privacy lead and naming the contact here.]
EU Representative (Article 27). [LAWYER REVIEW: determine whether an EU representative is required based on offering goods or services to EU data subjects or monitoring their behavior; if yes, name the appointed representative and provide their contact details here.]
We will respond to privacy requests within thirty (30) days, or sooner if required by applicable law.