Archculator
Log inGet started

Security Overview

No critical findings in our latest review

Last updated: 28 February 2026

Security at a glance

  • AI usage transparency. AI features generate assistive outputs and require user review before use. Outputs may not be accurate in all cases.
  • Encrypted in transit. All connections use HTTPS/TLS.
  • Stateless auth verification. API requests are verified against Supabase Auth (no client-side JWT trust).
  • Abuse prevention. Dual rate limiting (IP + account) with pro-aware limits and safe fallbacks.
  • Admin protection. Admin access is enforced via database checks (not UI-only rules).
  • Webhook integrity. Stripe webhooks are verified using signature validation.
  • Input validation & size limits. Requests enforce payload limits and allowlists to reduce misuse.
  • No card data stored. Payments are handled by Stripe (PCI-compliant).

1. Security Approach

Archculator is built with security as a core principle. We apply reasonable technical and organisational safeguards designed to protect user data, maintain system integrity, and reduce the risk of unauthorised access.

No system is 100% secure, but we continuously improve controls and respond promptly to issues that arise.

2. Infrastructure

  • Managed authentication and database infrastructure via Supabase
  • Environment separation for production and development
  • Secure secrets handling (keys are never embedded in client code)
  • Operational monitoring and backups to support availability and recovery

3. Authentication & Access Control

  • Secure user authentication managed by Supabase Auth
  • Stateless token verification on protected API routes
  • Admin-only areas are protected with database-level authorisation checks
  • Row-level security (RLS) policies on database tables where applicable

4. Data Protection

  • Encryption in transit across all services
  • Request size limits and input allowlists to reduce abuse
  • File uploads are validated using type allowlists and signature checks
  • Deactivated accounts are blocked from using AI features until restored
  • Regular dependency and security updates
  • Data minimisation: we collect only what we need to operate the Service

5. Payment Security

Payments are processed by Stripe, a PCI-compliant payment provider. Archculator does not store, log, or have access to full payment card details.

6. AI Processing & Output Responsibility

When AI features are used, relevant input data is transmitted securely to OpenAI (or our AI service provider at the time) over encrypted connections to generate the requested output.

Important — user responsibility: AI-generated outputs are assistive drafts only. They may contain inaccuracies, incomplete reasoning, or content that is not suitable for every project or client context. Users are solely responsible for reviewing, validating, and approving all generated content — including proposals, fee estimates, scope descriptions, and suggestions — before using them in any professional, client-facing, or contractual context.

Archculator does not provide legal, financial, architectural, or professional advice. No generated output should be relied upon as a substitute for independent professional judgement.

No training on your content: Archculator does not use your private workspace content to train its own AI models. Our AI provider's processing is governed by their terms and applicable contractual safeguards.

For more details, see our Privacy Policy.

7. Incident Response

In the event of a security incident affecting personal data, we take appropriate steps to investigate, mitigate, and restore service. Affected users and, where applicable, relevant authorities will be notified in accordance with applicable law (including within 72 hours under UK GDPR where required).

Business customers may also refer to our Data Processing Addendum for breach notification commitments.

8. Your Responsibility

Users are responsible for maintaining strong, unique passwords and protecting account credentials. Do not share login details. If you suspect unauthorised access, contact us immediately.

Users are also responsible for reviewing all AI-generated outputs before professional or client-facing use. Archculator is a drafting tool — final decisions, approvals, and professional judgements remain with the user at all times.

9. Vulnerability Reporting

If you discover a potential security vulnerability in Archculator, please report it responsibly by emailing security@archculator.com with a clear description and reproduction steps (if available).

General support enquiries: support@archculator.com.

  • Please avoid social engineering, phishing, or physical attempts to access systems.
  • Please do not access or exfiltrate data that does not belong to you.
  • Please do not publicly disclose vulnerabilities before we have a reasonable opportunity to fix them.