Arlo CMMS

Security

Operated by Common Good Labs · Stratford, Ontario, Canada

Arlo CMMS is built to keep your maintenance, property, and financial data safe. Security isn't a feature we bolt on — it's in the architecture. Here's a plain-English overview of how we protect your information and how to reach us if you find a problem.

How we protect your data

  • Strict tenant isolation. Every record is protected by database-level Row-Level Security — your organization can only ever see its own data, enforced by the database itself, not just the app.
  • Encryption. All traffic is encrypted in transit (TLS), and data is encrypted at rest. Sensitive stored secrets (like saved portal logins) are additionally encrypted with AES-256, and only owners/admins can reveal them — every reveal is logged.
  • Strong authentication. Optional two-factor authentication (which owners can require for their team), bot protection on sign-in, and checks against known-breached passwords.
  • Least-privilege access. Role-based permissions, configurable approval flows for financial actions, and audit trails for sensitive operations.
  • Trusted infrastructure. We build on SOC 2-compliant providers (Supabase, Vercel, Stripe, Cloudflare) for hosting, database, auth, and payments.
  • Your data is yours. Export your organization's data anytime, and deletions honour a recovery window before anything is permanently removed.

Compliance

We handle personal information in line with Canada's PIPEDA (see our Privacy Policy) and target WCAG 2 AA / AODA accessibility (see our Accessibility statement). We are preparing toward a SOC 2 Type 2 examination.

Reporting a vulnerability

If you believe you've found a security vulnerability, please tell us — we welcome good-faith reports and will work with you on a fix.

  • Email: security@arlocmms.com
  • Please include steps to reproduce, and give us reasonable time to remediate before any public disclosure.
  • Safe harbour: we will not pursue legal action for good-faith research that respects user privacy, avoids service disruption, and doesn't access or modify data beyond what's needed to demonstrate the issue.
  • Please do not run automated scans that degrade service, access other tenants' data, or perform social-engineering or physical attacks.

Machine-readable contact: /.well-known/security.txt

Privacy Policy·Terms of Service·Accessibility·Security·support@arlocmms.com