Security¶

Archivus is built with security at its core. This document outlines our security practices, certifications, and controls.

Security Overview¶

Defense in Depth¶

Archivus implements multiple security layers:

Layer 1: Network Security
    └── Firewalls, WAF, DDoS protection

Layer 2: Authentication
    └── SAML, OIDC, MFA, API keys

Layer 3: Authorization
    └── RBAC, workspace permissions, RLS

Layer 4: Encryption
    └── TLS 1.3 in transit, AES-256 at rest

Layer 5: Audit & Monitoring
    └── Complete audit trail, anomaly detection

Security Principles¶

Principle	Implementation
Zero Trust	Every request authenticated and authorized
Least Privilege	Minimum access required for each role
Defense in Depth	Multiple layers of security controls
Secure by Default	Security enabled without configuration

Certifications¶

SOC 2 Type II¶

Annual third-party audit covering:

Security
Availability
Confidentiality
Processing Integrity
Privacy

ISO 27001¶

Information Security Management System (ISMS) certification.

Additional Compliance¶

HIPAA - BAA available for healthcare
GDPR - EU data protection compliance
CCPA - California privacy compliance

See Compliance for details.

Data Protection¶

Encryption¶

State	Method
In Transit	TLS 1.3 with modern cipher suites
At Rest	AES-256 encryption
Backups	Encrypted with separate key management

Key Management¶

Keys stored in hardware security modules (HSM)
Automatic key rotation
Customer-managed keys available (Enterprise)
Key escrow for disaster recovery

Data Residency¶

Choose where your data is stored:

US - United States
EU - European Union
APAC - Asia-Pacific

BYOB Storage enables storage in your own infrastructure.

Access Control¶

Authentication¶

Method	Availability
Email/Password	All tiers
SAML 2.0	Enterprise
OIDC	Pro and above
API Keys	All tiers
MFA	All tiers

Authorization¶

Role-Based Access Control (RBAC):

Role	Permissions
Viewer	Read-only access to shared documents
Member	View, upload, and edit documents
Admin	Manage workspace settings and users
Owner	Full control including billing

Workspace Permissions:

Documents inherit workspace permissions
Custom sharing overrides for specific documents
Time-limited access grants
External sharing with restrictions

Multi-Tenant Isolation¶

Each tenant is completely isolated:

Separate database schemas
Row-level security (RLS) on all tables
Isolated storage paths
No cross-tenant data access

Network Security¶

Infrastructure¶

Hosted in SOC 2 certified data centers
DDoS protection at network edge
Web Application Firewall (WAF)
Intrusion detection and prevention

API Security¶

Rate limiting to prevent abuse
Request validation and sanitization
CORS policies for browser access
API key scoping and rotation

TLS Configuration¶

TLS 1.3 required
Strong cipher suites only
HSTS enabled
Certificate transparency logging

Application Security¶

Secure Development¶

Security training for all developers
Secure code review process
Automated security scanning in CI/CD
Dependency vulnerability monitoring

Input Validation¶

All inputs validated and sanitized
Parameterized database queries
Content Security Policy (CSP)
Protection against OWASP Top 10

Session Security¶

Secure, HTTP-only cookies
Session timeout configuration
Concurrent session limits
Session revocation on logout

Audit & Monitoring¶

Audit Logging¶

Every security-relevant event is logged:

Event Type	Details Logged
Authentication	Login, logout, failed attempts, MFA events
Authorization	Permission changes, access denials
Data Access	Document views, downloads, searches
Data Changes	Uploads, edits, deletions
Admin Actions	User management, settings changes

Log Retention¶

Default: 1 year
Configurable up to 7 years
Immutable storage for audit purposes
Export capability for external SIEM

Monitoring¶

24/7 security monitoring
Anomaly detection for unusual patterns
Real-time alerting for security events
Incident response procedures

Vulnerability Management¶

Security Testing¶

Type	Frequency
Penetration Testing	Annual (third-party)
Vulnerability Scanning	Weekly (automated)
Dependency Scanning	Continuous
Code Analysis	Every pull request

Responsible Disclosure¶

We welcome security researchers:

Email: security@archivus.app
PGP Key: Available on request
Response Time: 24 hours for critical issues
Recognition: Bug bounty program

Patch Management¶

Severity	Response Time
Critical	24-48 hours
High	7 days
Medium	30 days
Low	Next release

Incident Response¶

Response Process¶

Detection - Automated monitoring and alerting
Containment - Isolate affected systems
Investigation - Root cause analysis
Recovery - Restore from clean state
Post-Incident - Documentation and improvement

Customer Notification¶

In the event of a security incident:

Affected customers notified within 72 hours
Clear communication of impact and remediation
Ongoing updates during resolution
Post-incident report provided

Business Continuity¶

Multi-region backup infrastructure
Disaster recovery testing quarterly
RTO/RPO targets documented
Failover procedures tested

Your Responsibilities¶

Account Security¶

Use strong, unique passwords
Enable MFA for all users
Review user access regularly
Report suspicious activity

API Key Security¶

Keep API keys confidential
Rotate keys periodically
Use scoped keys with minimum permissions
Revoke unused keys

Data Classification¶

Identify sensitive documents
Apply appropriate sharing restrictions
Use encryption for highly sensitive data
Follow your organization's data policies

Security Resources¶

Documentation¶

Compliance - Certifications and compliance
BYOB Storage - Data sovereignty
BYOB AI - AI processing control

Contact¶

Security Team: security@archivus.app
Status Page: status.archivus.app
Trust Center: trust.archivus.app

Security Updates¶

This document is updated as our security practices evolve. Last updated: February 2026.

For the latest security information, visit our Trust Center.