Security
Last updated: April 8, 2026
This page summarizes how ARPORTAL approaches security for our immigration case management platform (the “Service”). It is provided for general awareness and is not a contractual commitment; technical details may change as we improve the Service. For how we handle personal information, see our Privacy Policy.
1. Multi-tenant isolation
The Service is built so each organization’s data is logically separated. Access controls and application design aim to ensure users only see data belonging to their organization, except where a designated global administrator role is required for platform operations.
2. Authentication and access
Accounts are protected with passwords (stored using industry-standard hashing) and session management appropriate to a web application. We support Sign in with Google for convenience; Google’s authentication flows are subject to Google’s security practices. Optional connections such as Google Calendar use OAuth with limited scopes intended only for syncing tasks and related calendar events you enable.
Role-based permissions limit what each user can do within their organization (for example, viewing leads, managing applications, or company settings).
3. Data in transit and at rest
Traffic between your browser and the Service should be served over HTTPS (TLS) in production environments. Sensitive configuration and credentials used by the platform are handled according to secure practices (for example, encryption where supported by our framework and hosting).
4. Infrastructure and operations
The Service may run on infrastructure you or we operate (for example, containerized deployments with application servers, database, cache, and queue workers). We recommend:
- Keeping servers, dependencies, and Docker images updated
- Restricting network access to databases and admin interfaces
- Using strong, unique passwords and, where available, multi-factor authentication for hosting and DNS accounts
- Regular backups and tested restore procedures for your database
5. Integrations
Optional integrations (email, SMS, voice, payments, cloud storage, calendar) rely on third-party providers. Their security and availability are governed by their respective terms. You should store API keys and secrets only in the secure settings provided by the Service and rotate them if compromised.
6. Application security practices
We follow common web application practices, including protection against cross-site request forgery on browser forms where applicable, validation of user input, and audited access to sensitive actions where the product design allows. Security features evolve with the codebase; we encourage reporting issues responsibly (see below).
7. Your responsibilities
Organizations and users share responsibility for security: use strong passwords, do not share accounts, sign out on shared devices, and limit access to staff who need it. Immediately report suspected unauthorized access to your administrator or through our contact channel.
8. Incident response and reporting
If you believe you have found a security vulnerability in the Service, please contact us through the channels published on our website with enough detail to reproduce the issue. We ask that you do not perform testing that could harm other customers or degrade the Service without prior agreement.
9. Changes
We may update this page from time to time. The “Last updated” date at the top reflects the latest revision.