Information Security on Archipelago

What is Archipelago?

Archipelago is a SaaS platform featuring a suite of applications designed for ingesting, improving, and centralizing property documents and data for use by commercial property brokers, owners, and insurance underwriters.

Property risk data often exists in ad hoc spreadsheets and email attachments shared freely and insecurely between parties for purposes of commercial insurance. Archipelago provides a secure alternative to these common practices and we go to great lengths to the ensure the confidentiality, integrity, and access of your data.


Authentication and Access Controls

Archipelago provides customers direct capabilities to manage access between users and organizations.

Data Storage and Transmission

We work to maintain a high level of data security for both the storage and transmission of our customers’ data. 

Data at Rest: We use AWS as the hosting provider of the Archipelago platform and use server-side encryption on our S3 instances (SSE-KMS, AES-256) with annual key rotation.

Data in Transit:  All network traffic between AWS data centers is transparently encrypted at the physical layer. All traffic within a Virtual Private Cloud (VPC) and between peered VPCs across regions is transparently encrypted at the network layer. At the application layer, Archipelago utilizes Transport Layer Security (TLS 1.2) to create a secure HTTPS connection.

Security Image 1
Security Image 2

API Security

For those interested in integration, our APIs are developed in the GraphQL programming language and allow our customers to:

  • Retrieve property risk data on demand
  • Integrate data into your systems
  • Use your property data in custom applications
Archipelago provides credentials to customers to authenticate to the Archipelago API. 

Other Security Programs and Practices



Archipelago achieved SOC 2, Type 1 attestation across the platform in 2022. We are currently working on the SOC 2, Type 2 attestation.


Vulnerability Testing

We conduct vulnerability scanning constantly and apply fixes both within our standardly bi-weekly release cycle as well as ad hoc releases for emergency fixes.


Penetration Testing

We regularly perform penetration testing to determine if our platform is susceptible to attacks, most notably DDOS, injection, and CSS attacks.