SECURITY AND COMPLIANCE
Security and PCI Compliance: Summary
We take your security seriously. Our infrastructure is protected by industry-leading physical safeguards, strict system access controls, and proactive OS patching. We back this with continuous vulnerability scanning and enterprise-grade support. For payment processing, we rely on PCI DSS Level 1 compliant partners, and we can support your own PCI compliance efforts whether you use a third-party e-commerce provider or handle payment data directly.
Security
Overview
We are committed to ensuring the security of our infrastructure and protecting our users' data. Our information security program is based on the ISO/IEC 27002 guidelines, refined and updated over more than 25 years of delivering shared, dedicated, and virtual server products to tens of thousands of clients worldwide.
Physical Security
Each data center provider we colocate with enforces multiple layers of physical security through both technological measures and on-site personnel. All Arcustech equipment is housed in video-monitored, locked cages and/or cabinets for additional protection.
System/OS Controls
For our Managed VPS Services, we maintain full, strict control over root/sudo access. This allows us to manage IP address ranges, network interfaces, active and available ports (via managed firewall rules), and all installed services on client virtual machines. For Self-Managed VPS offerings, we enforce VLAN segregation, prevent IP and MAC address spoofing, and apply other security measures to protect both client systems and our infrastructure.
OS Security and Patching
Our pre-Gen5 virtualization platform (accounts prior to February 2, 2025) uses LXD, Ubuntu/Canonical’s container hypervisor, to deliver bare-metal performance with full logical container isolation by default. Our physical servers are covered by commercial updates and Ubuntu Pro 24/7 Support.
Our Gen5 platform (accounts after February 2, 2025) is powered by Proxmox Virtual Environment and Proxmox Backup Server, both with full “Premium” Enterprise Support for rapid security updates and direct access to their engineering teams.
For Managed VPS plans, we use Ubuntu Landscape and Expanded Security Maintenance via Ubuntu Pro to track and deploy OS updates and patches efficiently. Internal tracking and audit reports are continuously monitored by our Technical Team.
Continuous infrastructure scanning is performed with tools such as Intruder.io and Tenable Nessus Expert, giving our Technical Team visibility into vulnerabilities and emerging threats.
SSH Access Hardening and Monitoring
Arcustech VPS servers are deployed with a hardened SSH configuration aligned with current security best practices. SSH services are configured to meet the recommendations of widely used audit tools (such as ssh-audit), including modern ciphers, key exchange algorithms, and protocol settings.
For managed VPS servers, password-based SSH authentication is enabled by default to support customers who may be unfamiliar with SSH key management, including non-technical users and early-stage development teams. While password authentication is supported, the use of SSH key-based authentication is strongly recommended for improved security and is fully supported on all VPS plans.
In addition to configuration hardening, SSH access attempts are actively monitored. Automated intrusion detection is used to identify repeated failed authentication attempts, and abusive IP addresses are temporarily blocked to reduce the risk of brute-force attacks while avoiding disruption to legitimate access.
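The detect-and-temporarily-block behaviour described above can be sketched as follows. This is an added example, not Arcustech's own tooling: the thresholds (3 failures in 60 seconds, 10-minute block), the log timestamp format, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2025-03-01T10:00:00 vps1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
2025-03-01T10:00:05 vps1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
2025-03-01T10:00:09 vps1 sshd[813]: Failed password for deploy from 198.51.100.20 port 51000 ssh2
2025-03-01T10:00:12 vps1 sshd[814]: Failed password for root from 203.0.113.7 port 40141 ssh2
2025-03-01T10:00:30 vps1 sshd[815]: Accepted password for deploy from 198.51.100.20 port 51004 ssh2
2025-03-01T10:03:00 vps1 sshd[816]: Failed password for deploy from 198.51.100.20 port 51010 ssh2
2025-03-01T10:20:00 vps1 sshd[817]: Failed password for root from 203.0.113.7 port 40200 ssh2
"""

FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def find_bans(log_text, max_failures=3, window=timedelta(seconds=60), ban_time=timedelta(minutes=10)):
    """Return [(ip, ban_start, ban_end)] for sources reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the temporary block lifts
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successes and unrelated lines never count against a source
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if banned_until.get(ip, when) > when:
            continue              # already blocked; this traffic would not reach sshd
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            banned_until[ip] = when + ban_time
            bans.append((ip, when, when + ban_time))
            q.clear()             # start from zero once the block expires
    return bans

def is_blocked(bans, ip, when):
    """True if ip is inside any temporary block at time `when`."""
    return any(b_ip == ip and start <= when < end for b_ip, start, end in bans)

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"{ip} blocked {start:%H:%M:%S} to {end:%H:%M:%S}")
```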
For teams with more advanced access control requirements, such as remote developers, contractors, dynamic IP environments, or CI/CD automation, Arcustech offers SSH Jump Servers as an optional security add-on. Jump servers provide a centrally managed access gateway that allows customers to further restrict direct SSH exposure on their VPS servers while maintaining secure, auditable access workflows.
Customer-Requested Security Audits or Surveys
We respond to audit and survey requests only for accounts with a Custom Hosting Solution of $2,500/month or more ($30,000/year) on a yearly contract. A standalone per-request option is available for $3,000, payable in advance. All services are provided “AS IS” under our Terms of Service and are not guaranteed to meet specific project requirements.
PCI Compliance
Is Arcustech PCI DSS Compliant?
Yes. All subscription and invoicing services are processed through PCI DSS Level 1 compliant providers, including Chargify and our payment gateway provider Stripe.
Can my website be PCI DSS compliant on Arcustech?
Yes. There are two options:
- Offload e-commerce to a PCI DSS compliant provider, so payment data never passes through your site.
- If your site handles payment data before passing it to a gateway, you must follow PCI Security Standards and work with a certified PCI audit/scanning company to validate compliance.
If you receive a PCI report with server-related findings on Arcustech, our Support and Technical Teams can assist with questions or concerns related to the server environment.