FAQ
Getting Started
What is Arch?
Arch is a distributed application platform — a catalog of production-ready microservices that handle the security, authentication, identity, storage, and communication infrastructure every application needs. You deploy the services your application requires, configure them through the Control Panel, and build your application on top of them. The platform is self-hosted: you own and operate the installation in your own environment.
Who is Arch designed for?
Development teams building distributed applications who want production-quality infrastructure without building it themselves. Arch is particularly suited to teams with demanding security requirements — it was originally designed to protect the kind of sensitive government data that must hold even against sophisticated state-level threats.
What language does Arch support?
The Arch platform is built in C# and client packages are distributed as NuGet packages for .NET applications. Blazor UI components are available for some APIs. JavaScript and additional language bindings are planned as demand grows.
Do I need to deploy all the APIs?
Each API is independently deployable — you deploy only what your application needs. The Application API is the one required service, as it provides the authorization model that every other service in the platform depends on.
Architecture
What is the Application Api?
The Application Api is the authorization authority for the entire platform. Every microservice — whether from the Arch catalog or built by your team — must register with it before it can communicate with any other service in the network. It enforces the security model that makes the rest of the platform trustworthy. The system has no bypass.
Can I build my own Apis on Arch?
Custom Apis built on the Arch framework register with the Application Api exactly as every built-in service does and gain the same horizontal capabilities — encrypted communication, structured logging, telemetry, database management, and automatic resilience. Your services become full participants in the platform.
How do services communicate?
Services communicate through clients — NuGet packages embedded in the calling application or service. Every request is encrypted and wrapped in an envelope before it leaves the process; the receiving service unwraps and decrypts it on the other side. The encryption holds even if the underlying network is compromised.
What databases does Arch support?
Sql Server is supported today. Each Api that uses a database manages its own, and as a best practice each should run on its own server. Additional database technologies will be added as demand requires.
Security
What encryption does Arch use?
Arch applies multiple layers of end-to-end encryption using AES and SHA. Data is encrypted at rest in the database, in transit across the network, and during processing in memory — its protected state never lapses as it moves through the system. Quantum-resistant algorithms are planned as recommended by NIST.
What is zero-knowledge authentication?
Zero-knowledge authentication proves identity through a shared mathematical structure — the client and server hold the same large encrypted graph, and authentication is a series of questions about it that only someone who holds the graph can answer correctly. The Users Api implements this protocol so that no password hash ever exists in the system. Users authenticate with two passwords and an encrypted key file.
Do I need a Hardware Security Module?
An HSM is optional — it is a capability for deployments that demand the highest level of key protection. When HSM mode is enabled on the Application Api, the platform starts in a sealed state and requires a physical operator to unseal it through the Control Panel after every restart. The Bootstrap Key is stored in tamper-resistant hardware and can never be extracted from software alone. Arch supports the YubiHSM 2.
Is Arch safe to deploy in an untrusted environment?
Arch was designed specifically for untrusted environments, including hardware with potential firmware surveillance. Encryption is the guarantee: even if traffic is intercepted or memory is read, the data cannot be understood without the keys — and Arch keeps those keys behind a controlled authorization model at every layer of the system.
Deployment
Where can I deploy Arch?
Arch supports Docker and IIS. You can run it on your own hardware, in a private data center, or on a cloud provider — the choice is entirely yours. Arch is self-hosted by design, so your data and infrastructure remain under your control.
Where does the Control Panel run?
The Control Panel runs on your internal network, outside the production deployment environment. It reaches into your deployed services to configure and manage them, but its own database and data must be kept separate from production infrastructure. It is available as a Docker image or as a .zip package for IIS installation.
Can Arch be deployed without Docker?
Every microservice in the platform is available as both a Docker image and a .zip package for IIS installation on Windows Server.
What infrastructure is required to get started?
The Control Panel requires Docker and a SQL Server database. Each Api that uses persistent storage requires its own SQL Server database — as a best practice, on its own server. Building applications on Arch requires .NET. Other languages will be supported as demand requires.
Tech Sovereignty
Arch
Company
About Contact