Last updated: June 2026
1. Our commitment
Arthur Labs, Inc. (a Wyoming C-Corp, headquartered in Omaha, Nebraska) is committed to protecting the security, confidentiality, and integrity of the data you entrust to HIIE. This policy describes the measures we use to safeguard your data and how we respond if a security incident occurs.
2. Security measures
- Encryption in transit. All traffic between your browser and HIIE is encrypted using TLS (HTTPS).
- Encryption at rest. Per-user data is encrypted at rest with AES-GCM. Encryption keys are server-only and are never sent to the browser.
- Per-user data isolation. Each user's data lives in its own encrypted scope, so cross-tenant access is cryptographically impossible — one account cannot read another's data even in the event of a query bug.
- No card storage. We never store payment card numbers. All payment data is handled exclusively by Stripe (PCI-DSS Level 1).
- BYO keys. Provider keys you bring yourself are encrypted at rest and are never returned to the browser. We do not sell your data or train third-party models on it.
- Infrastructure. HIIE runs on Cloudflare (encrypted D1 per-user storage and hosting) and a self-hosted CAD service on Railway, with access to production systems restricted to authorized personnel.
- Dependency monitoring. We monitor application errors and our dependencies via Sentry and keep packages updated to reduce exposure to known vulnerabilities.
3. Incident response
If we confirm a security incident involving unauthorized access to, disclosure of, or loss of personal data, Arthur Labs will:
- Investigate promptly. Begin investigating without undue delay after we become aware, to determine the scope, cause, and impact.
- Contain the breach. Take immediate steps to contain and mitigate the incident, including revoking compromised credentials, isolating affected systems, and patching the underlying vulnerability.
- Assess the impact. Determine which data was affected, how many people are impacted, and the likely risk to them.
4. Breach notification
Supervisory authorities (GDPR Article 33). Where a breach is likely to result in a risk to the rights and freedoms of EU/EEA/UK individuals, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.
Affected individuals (GDPR Article 34). Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay — via email and/or a prominent notice in the product. That notice will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, the steps we have taken, and how to reach us for more information.
US state laws. We will also comply with breach notification requirements under applicable US state laws, including California (Cal. Civ. Code 1798.82), Wyoming (Wyo. Stat. 40-12-502), Nebraska (Neb. Rev. Stat. 87-803), and any other state where affected individuals reside.
5. Responsible disclosure
If you discover a security vulnerability in HIIE, we ask that you report it responsibly to [email protected] with enough detail for us to reproduce it. Please:
- Act in good faith and avoid privacy violations or service disruption.
- Do not exfiltrate, modify, or delete data, and do not access other users' data.
- Give us a reasonable embargo to investigate and fix the issue before any public disclosure.
We appreciate responsible research and will not pursue legal action against researchers who follow these guidelines in good faith.
6. Contact
Security issues: [email protected]. Privacy questions: [email protected]. General support: [email protected].
This is a plain-language policy, not legal advice. Have qualified counsel review before relying on it for paid customers.