Our Cloud Technology Makes
Arena the Most Secure Choice

To support the growing adoption of SaaS solutions, Arena offers solutions on three platforms.

  • Arena North America
  • AWS GovCloud (US)
  • Arena Europe

Arena North America is described on this page. The architecture differences in the physical and infrastructure layers for AWS GovCloud (US) and Arena Europe are noted.


Arena’s security model is robust, protecting our customers’ valuable product and quality information. This data is crucial to each customer’s business, so protecting it is our core priority. By prioritizing security in our platform architecture, we provide customers one of the most secure places against threats for data at scale, in or out of the Cloud.


Arena’s product lifecycle management (PLM) and quality management system (QMS) solutions use a multilayered approach to protect your intellectual property (IP). Each security layer provides a specific level of protection for your data.

Multi Layer Protection


The first layer of defense is a well-defined, comprehensive set of security processes and policies to ensure the security of our customers’ data and user accounts. Our solution is SOC 2 Type 2 compliant.

We use a formal change control policy to evaluate the system and standard operating procedure (SOP) changes. And, all Arena employees and contractors train annually to ensure employee awareness of and compliance with security policies using Arena Training.


All Arena North America production equipment is owned and operated by Arena, a PTC Business and is co-located at a secure world-class facility. Only a restricted set of Arena operations employees have operational access. 

AWS GovCloud (US) addresses many security and compliance requirements. The Physical Layer is managed by AWS. Use this link for the latest information.  

Arena Europe offers EMEA customers cloud-based software systems hosted in Europe. The Physical Layer is managed by AWS. AWS EU Data Protection measures are described at this link.


The Arena North America perimeter defense layer includes multiple firewalls, operating system-level security measures, and network protocols. No root access is allowed and unnecessary ports are closed. All security patch activities are subject to SOC 2 auditing.

AWS GovCloud (US) addresses many security and compliance requirements. The Infrastructure Layer is managed by AWS. Use this link for the latest information.

Arena Europe offers EMEA customers cloud-based software systems hosted in Europe. The Infrastructure Layer is managed by AWS. AWS EU Data Protection measures are described at this link.


Arena uses many security measures to enable the secure flow of product and quality information from input through the delivery to the end-user or an integrated system. Measures include data encryption, controlled application access, secure API for integrations, redundant and backed-up storage, and isolated multi-tenancy.


User security is enforced by allowing only authorized users to view and modify a strictly defined set of objects and data, enabling users to have access to the information they need. When a user changes product information, the changes are logged in the database. In addition to system-wide measures for passwords and sessions, customer administrators can enforce two-factor authentication and define their users’ access to defined data sets.

For more information on each layer of the solution, read our Security Tech Note.


Your PLM and QMS teams are users of your systems and therefore part of your corporate security success. To help with your security, users can stay current on security topics.

two-factor authentication icon

Two-Factor Authentication

If the administrator does not require it systemwide, Arena users can choose to enable two-factor authentication at an individual account level. This sends a unique code to the user’s email address or mobile number when the user logs in from an unknown computer.

Password Policy

Users create and secure their passwords. Passwords expire at an interval controlled by your Account Administrator (recommended no more than 90 days). When your password expires, you will be prompted to change your password upon login. Depending on how your workspace is configured, you may be able to keep the same password. Arena passwords must be 8-18 characters long and must include at least one lowercase letter, one uppercase letter, and one number.

password policy icon
phishing icon


Brief, formal phishing education may be beneficial for Arena users. Phishing is the fraudulent attempt to obtain information such as usernames, passwords, and data, or disrupt an entire computer system or network. Attackers phish for malicious reasons, by disguising as a trustworthy entity in an email.

Some simple recommendations you can make to your Arena users:

  • Teach users to not be fooled by phishing, and to not click links or open attachments in suspicious emails. One of the most effective cyber attack techniques is tricking someone to click a link or open an attachment that installs malware. These are called phishing emails because they lure you into opening an email. Phishing email can say something intriguing, useful, or appear to be a legitimate message from a real company (package delivery, payroll, IRS, social networking, etc.). They can include logos or other official-looking images.
  • Instruct users to never open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach users that emails received from an unknown source should be evaluated based on the source and whether it makes sense. If not, it may be malicious. The sender’s address should always be verified and any links to URLs can be hovered over to validate them. For example, if the link says it’s from Arena, then hovering over the link should show a URL ending in “” or “”.


If you or any of your users have questions about security or are unsure about whether an Arena, a PTC Business email is legitimate, please forward the email to [email protected].