Information Security on Archipelago
What is Archipelago?
Archipelago is a SaaS platform featuring a suite of applications designed for ingesting, improving, and centralizing property documents and data for use by commercial property brokers, owners, and insurance underwriters.
Property risk data often exists in ad hoc spreadsheets and email attachments shared freely and insecurely between parties for purposes of commercial insurance. Archipelago provides a secure alternative to these common practices and we go to great lengths to the ensure the confidentiality, integrity, and access of your data.
Authentication and Access Controls
Archipelago provides customers direct capabilities to manage access between users and organizations.
Data Storage and Transmission
We work to maintain a high level of data security for both the storage and transmission of our customers’ data.
Data at Rest: We use AWS as the hosting provider of the Archipelago platform and use server-side encryption on our S3 instances (SSE-KMS, AES-256) with annual key rotation.
Data in Transit: All network traffic between AWS data centers is transparently encrypted at the physical layer. All traffic within a Virtual Private Cloud (VPC) and between peered VPCs across regions is transparently encrypted at the network layer. At the application layer, Archipelago utilizes Transport Layer Security (TLS 1.2) to create a secure HTTPS connection.
API SecurityFor those interested in integration, our APIs are developed in the GraphQL programming language and allow our customers to:
- Retrieve property risk data on demand
- Integrate data into your systems
- Use your property data in custom applications
Other Security Programs and Practices
Archipelago achieved SOC 2, Type 1 attestation across the platform in 2022. We are currently working on the SOC 2, Type 2 attestation.
We conduct vulnerability scanning constantly and apply fixes both within our standardly bi-weekly release cycle as well as ad hoc releases for emergency fixes.
We regularly perform penetration testing to determine if our platform is susceptible to attacks, most notably DDOS, injection, and CSS attacks.