Security & Compliance
Compliance Documentation
This document describes how Quest Guardian, the child safety platform developed by Arc Sentinel SRL, is designed to meet the requirements of the EU Cyber Resilience Act and other applicable regulations. Compliance is built into the product architecture — not applied as a post-launch audit exercise.
Applicable Regulations
Quest Guardian is designed with the following regulatory frameworks in mind: the EU Cyber Resilience Act (Regulation 2024/2847), the General Data Protection Regulation (GDPR), the U.S. Children's Online Privacy Protection Act (COPPA 2025), and the EU Artificial Intelligence Act. This document focuses primarily on CRA compliance, with cross-references to other frameworks where relevant.
1. EU Cyber Resilience Act (CRA)
The Cyber Resilience Act (Regulation 2024/2847) establishes cybersecurity requirements for products with digital elements placed on the EU market. Quest Guardian, as a software product processing sensitive data in a connected environment, falls within scope. The following sections map our architecture and practices to specific CRA obligations.
1.1 Article 10 — Security Properties of Products
Article 10 requires that products with digital elements are designed, developed, and produced to ensure an appropriate level of cybersecurity. Quest Guardian addresses this through:
Encryption Architecture
- RSA-4096 encryption for all child monitoring data — key pairs generated on parent's device
- Parent holds the private key; the server stores only encrypted data it architecturally cannot decrypt
- AES-256-GCM for symmetric content encryption, with RSA-4096 wrapping the AES keys
- Encrypted key backup using PBKDF2 (600,000 iterations) — recovery requires the parent's passphrase
Secure Defaults
- No default passwords — all authentication tokens are cryptographically random
- CUID identifiers used throughout — no sequential integers that leak information about system scale or user ordering
- Minimal data collection: only data necessary for safety classification is captured
- Token storage uses SHA-256 hashes only — raw tokens are never persisted in the database
- Access tokens expire after 15 minutes; refresh tokens rotate on every use
No Cloud Fallback
- AI processing runs on the Ratio1.ai decentralized network — distributed GPU nodes, not centralized cloud data centers
- No AWS, Google Cloud, or Microsoft Azure SDKs in the codebase
- If decentralized processing capacity is full, jobs queue — they never fall back to centralized cloud infrastructure
- This is an architectural constraint enforced in code, not a policy decision that could be overridden
1.2 Article 13 — Technical Documentation
Article 13 requires manufacturers to draw up technical documentation that demonstrates the product's conformity with CRA requirements. Quest Guardian provides:
| Requirement | Implementation | Status |
|---|---|---|
| Software Bill of Materials (SBOM) | Complete SBOM for all components, generated from package manifests and container images | In progress |
| Vulnerability disclosure policy | Published policy with coordinated disclosure process and CSIRT notification procedures | In progress |
| Threat model and risk assessment | Documented threat model covering supply chain, communication channels, encryption, and AI pipeline | In progress |
| Technical architecture documentation | Comprehensive technical specifications including system architecture, component specifications, and data flow diagrams | Complete |
| Dependency tracking | Automated vulnerability scanning via GitHub Dependabot and CI/CD pipeline checks | In progress |
1.3 Article 14 — Vulnerability Handling
Article 14 requires manufacturers to handle vulnerabilities effectively throughout the product's support period. Quest Guardian's approach:
Incident Response
- Structured incident response procedures with defined severity levels (P0 through P4)
- 24-hour vulnerability notification capability to affected users and relevant authorities
- Automated dependency vulnerability alerts integrated into CI/CD pipeline
- Coordinated vulnerability disclosure with CSIRT as required by CRA
- Post-incident security review process with documented findings and remediations
Ongoing Security
- Automatic security updates delivered through Shield's auto-update mechanism
- Real-time security event logging and monitoring via structured logging infrastructure
- Separation of security patches from feature updates to minimize user disruption
- Version-controlled security documentation maintained alongside codebase
2. GDPR Compliance
Quest Guardian processes personal data of both parents and children within the EU. Our approach to GDPR is documented in detail in the Privacy Policy. Key architectural decisions:
| GDPR Principle | How Quest Guardian Addresses It |
|---|---|
| Data minimization (Art. 5(1)(c)) | Only gaming communications flagged by on-device pre-filtering are processed. Unflagged content is never transmitted. |
| Purpose limitation (Art. 5(1)(b)) | Data is processed exclusively for child safety classification. No advertising, profiling, or secondary use. |
| Storage limitation (Art. 5(1)(e)) | Evidence retention is time-limited by tier (24h–72h). Encrypted data is automatically purged after the retention window. |
| Integrity and confidentiality (Art. 5(1)(f)) | RSA-4096 + AES-256-GCM encryption. Parent holds decryption keys. Server cannot read child data. |
| Children's data (Art. 8) | Parental consent required for all child profiles. Children never create accounts directly. |
| Data processing location | All infrastructure hosted in EU (Railway Netherlands, Neon Frankfurt, Upstash Frankfurt). Decentralized AI processing on EU-preferred Ratio1 nodes. |
2.1 Data Retention & Lifecycle
Automated lifecycle management ensures COPPA and GDPR compliance. All retention periods are enforced by nightly deletion jobs. Encrypted evidence blobs are the most sensitive data category and have the shortest retention windows.
| Data Category | Retention Period | Notes |
|---|---|---|
| User accounts | Until deletion requested | Parent can request account deletion at any time |
| Device records | Until device unlinked | Removed when parent unlinks Shield from their account |
| Alert metadata | 90 days (configurable) | Severity, category, timestamp — no encrypted content |
| Encrypted evidence blobs | 24–72 hours by tier | Free: 24h, Guardian: 48h, Sentinel: 72h. Server cannot decrypt. |
| Audit logs | 1 year | Authentication events, access records, system events |
| Anonymized analytics | 2 years | Aggregated, non-identifiable usage patterns only |
3. COPPA 2025 Compliance
The Children's Online Privacy Protection Act (as amended, effective April 2026) imposes requirements on operators of online services directed to children under 13, or that have actual knowledge of collecting data from children under 13. Quest Guardian's architecture is designed to exceed COPPA requirements:
Key COPPA Safeguards
- Verifiable parental consent: Children's monitoring is activated only by an authenticated parent account
- Minimal collection: Only flagged gaming communications are processed — not all activity
- No third-party disclosure: Child data is encrypted end-to-end and never shared with advertisers or data brokers
- Parental access and deletion: Parents can view all data collected about their children and request deletion at any time
- Data security: RSA-4096 encryption ensures that even in the event of a breach, child data remains unreadable
4. EU AI Act Considerations
Quest Guardian uses AI models for content safety classification. While the product is not classified as a high-risk AI system under the EU AI Act, we apply high-risk-equivalent transparency and documentation practices as a matter of principle:
| Practice | Implementation |
|---|---|
| Model transparency | AI model names, versions, and quantization levels are documented. Parents are informed that AI classification is used. |
| Human oversight | AI generates alerts; parents make decisions. No automated actions are taken on children's accounts. |
| Severity classification | Five-level severity system (P0–P4) provides nuanced assessment rather than binary flags. |
| Model documentation | Four-layer AI pipeline documented: on-device pre-filter, safety classification, vision-language analysis, grooming pattern detection. |
5. Infrastructure Security
Quest Guardian's infrastructure is designed with defense-in-depth principles:
| Component | Provider | Location | Purpose |
|---|---|---|---|
| Backend API | Railway | EU (Netherlands) | Application server, authentication, routing |
| Database | Neon | EU (Frankfurt) | Serverless PostgreSQL — stores encrypted data only |
| Cache / Queue | Upstash | EU (Frankfurt) | Redis for session management, job queuing |
| Static Assets | Cloudflare Pages | Global CDN | Dashboard, marketing sites — no sensitive data |
| Shield Downloads | Cloudflare R2 | EU | Electron installer distribution |
| AI Processing | Ratio1.ai | EU (preferred) | Decentralized GPU network — no centralized cloud |
Core Architectural Principle
Quest Guardian does not use Amazon Web Services, Google Cloud Platform, or Microsoft Azure for any data processing. All sensitive data processing occurs on user-controlled hardware (Shield desktop app) or through the Ratio1.ai decentralized network. This is enforced at the code level — there are no cloud provider SDKs in the dependency tree and no fallback paths to centralized cloud infrastructure.
6. Contact
For compliance-related inquiries, vulnerability reports, or security concerns:
Arc Sentinel
Email: [email protected]
Website: arcsentinel.tech
Product: questguardian.tech