Compliance & Certifications
Archivus is designed for regulated industries with comprehensive security controls and compliance certifications.
Security Certifications
SOC 2 Type II
Archivus maintains SOC 2 Type II compliance, audited annually by independent third parties.
Trust Service Criteria Covered:
- Security - Protection against unauthorized access
- Availability - System uptime and performance
- Confidentiality - Protection of confidential information
- Processing Integrity - Accurate and complete processing
- Privacy - Personal information handling
Report Availability
SOC 2 reports are available under NDA for enterprise customers.
ISO 27001
Information Security Management System (ISMS) certification covering:
- Risk assessment and treatment
- Security policies and procedures
- Asset management
- Access control
- Cryptography
- Incident management
Industry Compliance
HIPAA
For healthcare organizations handling Protected Health Information (PHI):
| Requirement | Implementation |
|---|---|
| Access Controls | Role-based access, audit logging |
| Encryption | TLS 1.3 in transit, AES-256 at rest |
| Audit Trail | Complete activity logging |
| Data Isolation | Multi-tenant separation |
| BAA | Business Associate Agreement available |
HIPAA-Ready Features:
- Automatic PHI detection and flagging
- Access logging for all PHI documents
- Session timeout controls
- MFA enforcement options
GDPR
For organizations processing EU personal data:
| Right | Implementation |
|---|---|
| Right to Access | Self-service data export |
| Right to Erasure | Document deletion with audit trail |
| Right to Portability | Standard format exports |
| Data Minimization | Configurable retention policies |
GDPR Features:
- EU data residency option
- Data Processing Agreement (DPA) available
- Privacy impact assessment documentation
- Consent management integration
FedRAMP
For US federal agencies and contractors:
- FedRAMP Moderate authorization pathway
- FIPS 140-2 validated cryptography (on-premises)
- US-only data residency
- Air-gapped deployment option
PCI DSS
For organizations handling payment card data:
- Encryption of cardholder data
- Access control and logging
- Vulnerability management
- Network segmentation support
Data Security
Encryption
| State | Method |
|---|---|
| In Transit | TLS 1.3 with modern cipher suites |
| At Rest | AES-256 encryption |
| In Processing | Encrypted memory for sensitive operations |
Key Management
- Customer-managed keys (BYOK) for Enterprise tier
- Automatic key rotation
- HSM integration available
- Key escrow for disaster recovery
Data Isolation
```mermaid
graph TB
    subgraph "Tenant A"
        A1[(Database Partition)]
        A2[(Storage Partition)]
    end
    subgraph "Tenant B"
        B1[(Database Partition)]
        B2[(Storage Partition)]
    end
    A1 -.- B1
    A2 -.- B2
    style A1 fill:#e1f5fe
    style A2 fill:#e1f5fe
    style B1 fill:#fff3e0
    style B2 fill:#fff3e0
```
Multi-Tenant Security:
- Row-level security on all database tables
- Separate storage paths per tenant
- Isolated API authentication contexts
- Cross-tenant access prevention
Access Control
Authentication
| Method | Availability |
|---|---|
| SAML 2.0 | Enterprise |
| OIDC | Pro and above |
| Local Auth | All tiers (on-premises) |
| API Keys | All tiers |
| MFA | All tiers |
Authorization
- Role-based access control (RBAC)
- Workspace-level permissions
- Document-level sharing controls
- API scope restrictions
Session Security
- Configurable session timeouts
- Concurrent session limits
- Geographic access controls
- Device trust policies
Audit & Logging
Comprehensive Audit Trail
All security-relevant events are logged:
| Event Category | Examples |
|---|---|
| Authentication | Login, logout, failed attempts |
| Authorization | Permission changes, access denials |
| Data Access | Document views, downloads, searches |
| Data Modification | Uploads, edits, deletions |
| Administrative | User management, settings changes |
Log Retention
- Default: 1 year
- Configurable: Up to 7 years for compliance
- Immutable storage for audit purposes
- Export capability for external SIEM
Monitoring & Alerting
- Real-time security event monitoring
- Anomaly detection for unusual access patterns
- Configurable alert thresholds
- Integration with security tools (Splunk, Sentinel, etc.)
Vulnerability Management
Security Testing
- Penetration Testing - Annual third-party assessments
- Vulnerability Scanning - Weekly automated scans
- Dependency Scanning - Continuous CVE monitoring
- Code Analysis - Static analysis in CI/CD
Responsible Disclosure
Security researchers can report vulnerabilities through our responsible disclosure program:
- security@archivus.app
- PGP key available for encrypted communication
- Response within 24 hours for critical issues
- Recognition program for valid reports
Patch Management
- Critical vulnerabilities: Patched within 24-48 hours
- High severity: Patched within 7 days
- Medium severity: Patched within 30 days
- Automatic security updates for SaaS customers
Business Continuity
Disaster Recovery
| Metric | SaaS | Dedicated | On-Premises |
|---|---|---|---|
| RTO | 4 hours | 4 hours | Customer-defined |
| RPO | 1 hour | 15 minutes | Customer-defined |
| Backup Frequency | Hourly | Continuous | Customer-defined |
Geographic Redundancy
- Multi-region replication available
- Automatic failover for SaaS
- Cross-region backup storage
Incident Response
- Detection - Automated monitoring and alerting
- Containment - Isolate affected systems
- Investigation - Root cause analysis
- Recovery - Restore from clean backups
- Post-Incident - Report and remediation
Compliance Documentation
Available Documents
| Document | Description | Availability |
|---|---|---|
| SOC 2 Type II Report | Security audit results | NDA required |
| Penetration Test Summary | Third-party security assessment | NDA required |
| Security Whitepaper | Architecture overview | Public |
| DPA | Data Processing Agreement | On request |
| BAA | Business Associate Agreement | Enterprise |
| SCC | Standard Contractual Clauses | On request |
Questionnaire Support
We support common security questionnaires:
- CAIQ (Cloud Assessment Initiative Questionnaire)
- SIG (Standardized Information Gathering)
- VSAQ (Vendor Security Assessment Questionnaire)
- Custom questionnaires
Getting Started
For Regulated Industries
- Review compliance documentation for your requirements
- Contact sales for specific certifications and agreements
- Assess deployment options (SaaS, Dedicated, On-Premises)
- Validate security controls meet your policies
Request Documentation
Contact your account team or security@archivus.app for:
- SOC 2 reports
- Penetration test results
- Custom compliance questionnaires
- BAA or DPA execution
Next Steps
- Deployment Options - Choose your deployment model
- BYOB Storage - Data sovereignty options
- BYOB AI - Air-gapped AI processing