IT & Security Guide

Information for IT administrators to configure network access and security policies for AssetArc. Use this page to whitelist domains, configure web proxies (Zscaler, Forcepoint, Symantec, etc.), and review our security posture.

Security Questionnaire

Pre-filled responses to 50+ enterprise security, privacy, and compliance questions. Ready to share with your CISO or procurement team.

Platform Scope

AssetArc provides 120+ interactive tools across 17 categories. All tools run within the single web application — no additional software, plugins, or separate domains required.

Analytics — 16 tools
Benchmarking — 9 tools
Intelligence — 12 tools
Planning — 18 tools
Project Mgmt — 7 tools
Construction — 6 tools
Formwork — 5 tools
Scaffolding — 5 tools
Building/Fitout — 6 tools
Landscaping — 5 tools
Grounds — 6 tools
Catering — 5 tools
Health & Safety — 7 tools
Security — 5 tools
Cleaning — 5 tools
Fleet — 5 tools
Concierge — 5 tools

Domain & Network Whitelisting

To ensure uninterrupted access to AssetArc, whitelist the following domains and IPs in your web proxy, firewall, or content filter.

Primary Domain

assetarc.io
*.assetarc.io

API Endpoint

assetarc.io/api/v1/*

IP Address

170.64.215.67 (DigitalOcean SYD1)

CDN Dependencies

cdn.tailwindcss.com — CSS framework
unpkg.com — HTMX, Alpine.js
cdn.jsdelivr.net — Chart.js
fonts.googleapis.com — Google Fonts

Payment Processing

js.stripe.com
api.stripe.com
checkout.stripe.com

Email (outbound only)

smtp.resend.com

File Upload & Import

AssetArc supports CSV file imports for data analysis. If your web proxy (Zscaler, Forcepoint, Symantec, etc.) blocks file uploads to external sites, use one of the options below.

Option 1: Whitelist file uploads to assetarc.io

URL pattern: https://assetarc.io/import-mapper/*
File types: .csv, .txt
Method: POST (multipart/form-data)

Option 2: Use alternative import methods (no file upload required)

Paste CSV: Copy/paste CSV data directly into a text field
Paste JSON: Paste data as a JSON array
Google Sheets: Link a published Google Sheet URL

These methods use standard form POST requests (not file uploads) and are not blocked by file upload restrictions.

Endpoints requiring file upload whitelisting

POST https://assetarc.io/import-mapper/preview — CSV upload + column mapping
POST https://assetarc.io/*/import — direct tool imports

Security & Compliance

Data Handling

All data transmitted over HTTPS (TLS 1.2+)
HSTS enabled (Strict-Transport-Security)
X-Frame-Options: DENY — clickjacking protection
X-Content-Type-Options: nosniff
CSRF protection on all POST requests
Rate limiting on authentication endpoints
Session cookies: Secure, HttpOnly, SameSite=Lax
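
The controls listed above can be confirmed from response headers recorded at your proxy or with a browser's network panel. The checker below is an added example, not AssetArc's own code; the names audit, parse_params and SAMPLE are hypothetical, and the sample headers are constructed rather than captured from assetarc.io.

```python
# Added example: checks response headers against the Data Handling list above.
# SAMPLE is constructed for illustration, not captured from assetarc.io.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

def parse_params(value):
    """Split 'a=1; b; c=2' into (first_token, {lowercased attr: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"')
    return first, attrs

def audit(headers):
    """Return findings; an empty list means every documented control was seen."""
    findings, single, cookies = [], {}, []
    for name, value in headers:  # header names are case-insensitive
        if name.lower() == "set-cookie":
            cookies.append(value)  # may legitimately repeat, so keep each one
        else:
            single[name.lower()] = value.strip()

    # HSTS: max-age=0 tells the browser to forget the policy, so treat it as absent.
    first, attrs = parse_params(single.get("strict-transport-security", ""))
    key, _, val = first.partition("=")
    attrs[key.strip().lower()] = val.strip().strip('"')
    max_age = attrs.get("max-age", "")
    if not max_age.isdigit() or int(max_age) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    if single.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    for raw in cookies:
        pair, attrs = parse_params(raw)
        cookie = pair.partition("=")[0]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly")
        if attrs.get("samesite", "").lower() != "lax":
            findings.append(f"cookie {cookie}: SameSite is not Lax")
    return findings
```

Findings that appear only when traffic passes through a TLS-inspecting proxy indicate the proxy is stripping or rewriting headers, not that the origin omitted them.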

Data Storage

PostgreSQL database on DigitalOcean Sydney (SYD1) region
Data residency: Australia (configurable per company)
No data shared with third parties
User data deletable on request

Authentication

Email/password with bcrypt hashing
Optional TOTP two-factor authentication
JWT tokens for password reset (24h expiry)
API key authentication (keys SHA-256 hashed; only the key prefix is visible)

No tracking scripts beyond optional Google Analytics (configurable by admin).

API Access

REST API available on Pro and Team plans.

Endpoints

Base URL: https://assetarc.io/api/v1/
Authentication: Bearer token (API key)
OpenAPI Spec: https://assetarc.io/api/v1/openapi.json

Firewall Rules for API Access

Allow HTTPS (443) outbound to assetarc.io
Allow API key in Authorization header
Response format: JSON

Rate Limits

Pro: 2,000 requests/day per key
Team: 5,000 requests/day per key

Browser Requirements

Supported Browsers

Chrome 90+ (recommended)
Firefox 90+
Safari 14+
Edge 90+

Required

JavaScript enabled
Cookies enabled
localStorage enabled

Not Required

No browser plugins
No desktop software
No Java, Flash, or ActiveX

Contact

For IT-specific questions or security review requests:

Subject: IT Whitelisting Request

Include your organisation name and we can provide:

  • Signed security questionnaire responses
  • Data processing agreement (DPA)
  • Custom data residency configuration
  • SSO integration (Enterprise plan)