This Trust Center is the index for C4CI Arch legal, privacy, security, and enterprise procurement materials.
1. Company
| Field | Value |
|---|---|
| Legal name | C4CI Group Belgium BV/SRL |
| Enterprise number | BE 1030.600.254 |
| Registered office | Nieuwstraat 41, 2260 Westerlo, Belgium |
| Contact | support@c4ci.io |
2. Core Public Documents
| Document | Purpose |
|---|---|
| Terms of Service | Public product terms for account use, acceptable use, billing, connected systems, AI-assisted features, liability, and suspension |
| Privacy Policy | GDPR-style transparency notice for controller and processor roles, data categories, lawful bases, recipients, transfers, retention, rights, cookies, and AI-assisted features |
| Cookie Policy | Browser storage notice and inventory covering necessary storage, preferences, optional providers, consent controls, and retention |
3. Enterprise Procurement Pack
| Document | Purpose |
|---|---|
| Enterprise Master Services Agreement | Enterprise contract baseline for order forms and negotiated purchases |
| Data Processing Addendum | Processor terms for Customer Personal Data, including Article 28-style commitments, subprocessors, transfers, breach notice, deletion, and audit support |
| Subprocessor List | Provider and integration list for hosting, identity, billing, source-control, AI, support, and optional design operations |
| Security Exhibit | Technical and organisational measures for identity, tenant isolation, encryption, logging, secure development, operations, vulnerability management, and incident response |
| Support and SLA Policy | Severity levels, response targets, availability target, exclusions, maintenance, service credits, and support boundaries |
| AI Addendum | AI-assisted feature scope, human review, data use, provider options, prohibited use, and output responsibilities |
| Order Form Template | Commercial ordering template for plan, term, scope, fees, attachments, and signatures |
| Vulnerability Disclosure Policy | Safe harbor, scope, rules of engagement, report contents, triage, and coordinated disclosure |
4. Evidence Status
| Evidence area | Current status |
|---|---|
| Versioned legal registry | Current documents are versioned and content-hashed in the product registry |
| Terms, Privacy, and Cookie Policy | Published as current public documents |
| DPA, Enterprise MSA, AI Addendum, Security Exhibit, SLA, Subprocessor List | Published as enterprise procurement reference documents |
| Org-scoped agreement acceptance | Supported through the product org agreement ledger and admin acceptance flow where enabled |
| Vulnerability disclosure | Published as a coordinated disclosure policy |
| Liability and service-credit posture | Default MSA caps are bounded; service credits are available only when expressly selected in an order form |
| Subprocessor evidence | Core and optional providers are named; future helpdesk, CRM, or support-ticket providers must be added before customer-data use |
| Security questionnaires, architecture summaries, data-flow summaries | Prepared request-based evidence pack available for qualified procurement or security reviews |
| Incident-response evidence | Security and privacy incident-response summary available on request; customer notices follow the DPA, Support/SLA Policy, order form, and law |
| Penetration-test summaries, SOC 2, ISO 27001, PCI, or equivalent certifications | Available only when completed and expressly published by C4CI |
5. Security Posture Summary
Arch is designed around:
- authenticated access for protected surfaces;
- organisation-scoped tenancy;
- role-based access control;
- Reader-first cloud discovery where possible;
- audit logging for legal, billing, security, and control-plane events where implemented;
- encrypted transport for supported production routes;
- platform encryption controls for storage layers where available;
- operational runbooks and validation;
- controlled AI provider routing;
- documented legal versioning and content hashes.
6. Data Protection Summary
C4CI acts as controller for account, security, billing, support, legal acceptance, and service-operations data. C4CI generally acts as processor for Customer Content and connected-system data processed on Customer's behalf.
Customers control which users, systems, repositories, subscriptions, prompts, comments, reports, and files are connected or submitted through Arch.
7. Evidence Available on Request
Depending on customer tier and availability, C4CI may provide:
- completed security questionnaire;
- architecture overview;
- data flow summary;
- subprocessor details;
- security control summary;
- backup and restore summary;
- incident-response summary;
- AI provider and data-use summary;
- certification and external-audit status statement;
- penetration-test executive summary, if available;
- insurance certificate, if available;
- open-source license inventory or SBOM, if available;
- accessibility statement or VPAT, if applicable.
8. Current Certification Status
SOC 2, ISO 27001, PCI, or similar certifications apply only when C4CI has completed and published the relevant certification or report. Until then, this Trust Center provides the current contractual and operational evidence baseline.
9. Procurement Contact
Enterprise procurement, security review, DPA, and subprocessor questions should be sent to support@c4ci.io.