Customer Security Testing
Arc XP has invested in a pragmatic approach to platform security, including developer training, threat modeling, code and design reviews, code scanning, infrastructure assessment and scanning, and third-party vulnerability assessments. In addition to these activities, Arc XP's platform is built on security best practices, which align with our ISO 27001 compliance requirements. You can learn more about how Arc XP approaches security engineering in the Arc XP Learning Center article Security - Intro to Arc XP Security.
Security of an Arc XP powered site results from a shared security model between Arc XP and you, our customer. Our team of security experts works tirelessly to ensure the security of the Arc XP platform, and as a customer, you also play an important role in the shared responsibility of keeping your site secure. Custom solutions you build on top of the Arc XP platform have the potential to introduce security vulnerabilities into your site, and identifying and mitigating security issues in these custom solutions is part of your responsibility. We have several Security articles available to provide guidance as you develop any such custom solutions. See Security.
We perform regular security assessments of the Arc XP platform and applications, and it is your responsibility to ensure any of your custom solutions built on top of Arc XP are secure. You are welcome and encouraged to perform security testing against your Arc XP site to ensure you are providing the best level of security to your users. Because of the nature of security testing, there are certain guidelines and policy requirements that you must adhere to while performing such assessments against your Arc XP site.
Arc XP is built on Amazon Web Services (AWS) and other cloud and SaaS providers. As such, you must abide by any policies and acceptable use terms our providers have in place regarding performing security testing against applications hosted on them.
If you would like to perform security testing against your Arc XP site, review our complete Customer Security Testing Policy below.
Customer Security Testing Policy
As an Arc XP customer, you agree to the following:
Authorization to Conduct Security Testing
This policy applies only to the Services purchased by the Customer, and only for Services configured for the Customer. This policy does not authorize action against any Arc XP property that belongs to another customer.
The Customer is permitted to perform security testing (web application/API penetration testing, parameter fuzz testing, etc.) against services associated with their account.
This policy only concerns the Arc XP platform and Services. Neither Arc XP nor this policy can grant authorization to perform testing against any services owned or operated by any other provider or organization.
Third Party Services
Arc XP is built on Amazon Web Services (AWS) and other cloud and SaaS providers. As such, you must abide by any policies and acceptable use terms our providers have in place regarding performing security testing against applications hosted on them. During testing, it is your responsibility to identify and abide by the policies of any such providers. These policies include, but are not limited to, the following:
Your site's own customizations and extensions may include functionality from other providers and be in the form of remotely loaded scripts or other content. You are responsible for determining if you have authorization to perform testing against any such services.
Restrictions
You must follow all applicable data privacy and security laws.
Notice must be given to Arc XP 14 days prior to test execution. Notice must include the following:
Scope of testing
Time period of testing
Parties who will be executing the testing, including the organization(s) conducting the testing and the IP ranges from which the testing will be conducted
You must provide us with an escalation contact (email, phone), should we need you to halt testing at any time. You may escalate to us at any time through email to arcsecurity@arcxp.com.
This policy limits or prohibits certain activities as outlined below:
Testing must not be performed against sites/properties that belong to any other Arc XP customer.
Testing must not be performed against common or shared Arc XP sites/properties, such as ArcXP.com, Arc XP Learning Center, or any other service made available to all customers.
This policy does not authorize testing the Arc XP editor/administrative web applications (for instance, sites under the <your-organization>.arcpublishing.com domain, which you must generally authenticate to access).
Testing scope is limited to Customer's publicly accessible properties.
We reserve the right to prohibit testing, or to modify, or invalidate this agreement at any time and for any reason or no reason.
We reserve the right to restrict or prohibit testing of certain applications during defined periods (maintenance or blackout windows).
You must not attempt to utilize any findings to attempt access to other customers' data, attempt exfiltration of data, or attempt lateral movement within Arc XP systems.
You must not perform Denial of Service attacks, including termination/resets of infrastructure systems. Any load testing for your site should be discussed separately with Arc XP.
You must not upload commodity malware, viruses, Command & Control agents, or other malicious executables/scripts.
If you obtain any data belonging to another customer, or Arc XP proprietary/confidential data, you must immediately destroy all copies of that data and inform Arc XP through arcsecurity@arcxp.com of the occurrence.
If you believe you have identified a security issue in the Arc XP platform or any property of Arc XP's, you must inform Arc XP through arcsecurity@arcxp.com with the details of the finding. Any such findings are to be considered confidential, and must remain private between the Customer and Arc XP.
Third Party Security Assessments
If a third party is engaged to perform security testing of your site, they must abide by this policy. You are welcome to have them contact us for any clarification prior to testing.
If you are establishing a bug bounty program for your site, you must ensure its policy and any testing performed by researchers in the program adheres to all requirements set out in this policy. Inform us at least 14 days prior to going public with any bug bounty program that includes your Arc XP site in its scope.
Any reports containing details of security issues in the Arc XP platform or any property of Arc XP’s must be shared with Arc XP within a reasonable time of their delivery to you.
Potential for Degradation of Services, Impact to Service Quality, and Incurred Costs
Conducting security testing against your site may negatively affect its performance, availability, or content accuracy, depending on what actions are taken during the course of your testing. The Customer accepts responsibility for any degradation of, or impact to, their site's service as a by-product of security testing activity performed within the scope of this policy.
Claims against any prior SLA (Service Level Agreement), availability, or quality terms present in any other agreements or contracts are not enforceable against Arc XP if the fault is due to security testing activity performed within the scope of this policy.
We will not treat traffic/requests that are part of customer security testing differently than normal traffic. Arc XP's platform security controls may automatically filter or block requests as part of normal operation; we will not perform allow-listing or special treatment of test traffic in response to being notified under this policy.
The Customer is responsible for any incurred overages/costs due to performing testing under this policy, including excessive data transfer/compute/engineering time as defined in existing contracts between Arc XP and the Customer.