Security


Data Security

This document sets forth Archipelago’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms in this attachment shall have the meaning assigned to them in the Agreement unless otherwise defined herein.

1. Principles

Archipelago emphasizes the following principles in the design and implementation of its security program and practices:  

  • Physical and environmental security to protect the Service against unauthorized access, use, or modification; 

  • Maintaining availability for operation and use of the Service; 

  • Confidentiality to protect Customer Data; and 

  • Integrity to maintain the accuracy and consistency of data maintained in the Service. 

2. Security Program

Archipelago maintains an information security program, which includes: (a) a formal risk management program aligned with the NIST Cybersecurity Framework; (b) periodic risk assessments, conducted at least annually, of all systems and networks that process Customer Data; (c) continuous monitoring for security incidents and a tiered remediation plan to ensure timely resolution of discovered vulnerabilities; and (d) a written information security policy and security incident response plan that explicitly address the security, confidentiality, integrity, and availability of Customer Data.

Archipelago has achieved SOC 2 Type II certification. The most recent SOC 2 Type II report is available to prospective and current customers under NDA upon request. Please contact support@onarchipelago.com to request a copy. 

3. Data Centers

Archipelago uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases.  AWS maintains an industry-leading physical security program with certifications including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP authorization. For the full list of AWS compliance programs, visit: https://aws.amazon.com/compliance/programs/.

4. Access, Controls, and Policies

Archipelago applies a principle of least privilege across its environment:

  • Access to Archipelago's AWS environment requires multi-factor authentication (MFA). SSH access is logged. Access to Customer Data is restricted to a limited, approved set of Archipelago personnel. 

  • All personnel with access to Customer Data have completed background checks prior to being granted access. 

  • Personnel are trained on documented information security and privacy procedures. Access requires a valid business justification and is subject to approval by authorized personnel. Access is promptly revoked upon termination of employment or change of duties. 

  • AWS security groups are configured to restrict access to instances and resources using the principle of least privilege. 

  • The Archipelago application implements a role-based access control (RBAC) model that allows configurable access levels for support and onboarding purposes. All access is logged and attributable. 

  • For enterprise customers, Archipelago supports SAML 2.0 SSO integration, enabling centralized identity management through your existing identity provider. Customer administrators can manage user roles and access levels within the platform. 

  • All Customer Data onboarding activity managed by Archipelago on the customer's behalf is executed through a managed onboarding workflow that requires proposed changes to be reviewed and approved by a data manager before going live. An audit trail of all changes is recorded. 

5. Personal Data

Archipelago aims to capture the minimal personally identifiable information about its users in order to provide support for application functionality, analytics on application use, and communication. Archipelago uses Auth0 (owned by Okta) for user authentication and identity management. User profile data is stored in Archipelago's dedicated Okta tenant. Okta provides enterprise-grade logging, MFA enforcement, and user lifecycle management including automated and manual account controls. Privileged application roles are managed through Archipelago's role-based access control model with full audit logging.

6. Encryption

Customer Data is protected by encryption at rest and in transit: 

  • All connections to platform.onarchipelago.com are encrypted in transit using TLS 1.3 (TLS 1.2 minimum). Logins and sensitive data transfers are performed exclusively over encrypted protocols (TLS or SSH).

  • Customer Data at rest is encrypted using AES-256. Encrypted storage is maintained in AWS S3 buckets. Database and S3 encryption keys are managed via AWS KMS Customer Managed Keys (CMK) and are configured to rotate automatically on an annual basis.

  • SSL/TLS certificates are automatically provisioned and renewed using AWS Certificate Manager. 


7. Isolation / Separation

The Archipelago application follows standard multi-tier web application architecture. The main web application is delivered and executed within the user's browser. This connects to a load-balanced API tier over TLS, which in turn connects to the data tier over TLS. Minimal cross-tier access is enforced using standard AWS networking controls. 

Code deployment and infrastructure management follow CI/CD best practices. All changes are peer-reviewed and tested prior to code merge. The production release process is fully automated: certified builds are promoted from the staging environment to production following an approval action by authorized personnel.

8. Backup and Restoration

Archipelago takes daily encrypted snapshots of its databases. Backups are subject to the same access controls and encryption protections as production data. A secondary failover database is maintained in a separate AWS availability zone to ensure continuity should the primary database or zone become unavailable.  

9. Vendor Management

Archipelago takes reasonable steps to select and retain only third-party service providers that maintain security measures consistent with those stated herein. Before any software or vendor is onboarded, Archipelago's security team reviews the vendor's security policies, certifications, protocols, and track record. Archipelago reserves the right to reject any software or vendor that does not demonstrate sufficient protections for Archipelago's data and users. All sub-processors handling Customer Data are subject to data processing agreements (DPAs) that establish appropriate data protection obligations. 

10. Artificial Intelligence and Machine Learning  

Archipelago uses artificial intelligence and machine learning capabilities, including large language models (LLMs), to power certain platform features such as document data extraction, portfolio analysis, and natural language interfaces. Archipelago works with one or more third-party AI model providers as sub-processors for select features. The following commitments apply to all AI-assisted processing of Customer Data:

  • Data handling: Customer Data is transmitted to AI sub-processors only as necessary to complete a defined task. Customer Data is not used to train, fine-tune, or otherwise improve any third-party AI model. All AI sub-processors are bound by data processing agreements that meet or exceed the protections set out in this document. 

  • AI sub-processor standards: Archipelago engages AI model providers only under enterprise API terms that include contractual data protection commitments. At a minimum, each AI sub-processor must satisfy the following: (a) Customer Data submitted via the API is not used to train, fine-tune, or otherwise improve the provider’s models; (b) Customer Data is not retained beyond the scope of processing the individual request; (c) model processing is stateless — no Customer Data persists between sessions; (d) the provider maintains recognized third-party security certifications (such as SOC 2 Type II or ISO 27001); and (e) data is processed in the United States. Archipelago reviews each AI sub-processor’s security posture as part of its standard vendor management process described in Section 9.

  • Audit trail: All AI-assisted processing actions within the Archipelago platform are logged and attributable within the platform audit trail.

  • Human oversight: AI-generated outputs within the Archipelago platform are surfaced as recommendations subject to human review. No automated AI decision is applied to Customer Data without an opportunity for review and approval by authorized personnel. 

11. Security Incident Response

Archipelago maintains a documented security incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is designed to establish a consistent and timely response to security incidents — including accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or unauthorized access to, Customer Data or personal data transmitted, stored, or otherwise processed by Archipelago. 

In the event of a confirmed security incident involving Customer Data, Archipelago will notify affected customers without undue delay and within 72 hours of confirmation of the incident, in accordance with applicable law. Post-incident reports summarizing the nature of the incident and remediation steps are available upon request. 

12. Antivirus and Security Scans

Archipelago deploys endpoint protection and anti-malware tooling across all systems. Software is kept current through an automated patch management process, with Amazon-managed updates applied where applicable. 

Vulnerability scans are conducted at least quarterly across all production systems (both external and internal), with additional scans triggered by significant changes to the production environment. Each identified vulnerability is assigned a severity rating; high and critical findings require remediation within defined SLAs. An independent third-party penetration test is conducted at least annually, with findings remediated according to priority and severity. 

13. Change Management

Archipelago maintains a change management policy to ensure all changes meet its security, confidentiality, and availability requirements. The policy is reviewed and approved by management on an annual basis. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant team holding the area of responsibility prior to deployment. 

Archipelago reserves the right to update this document from time to time and to modify its security practices, provided that any such update or modification will not materially and adversely diminish the overall security of the Service during the customer's Subscription Term. 

Dated: May 6th, 2026