HIPAA Compliance & Security Standards
Archonite is committed to maintaining the highest standards of data security and privacy, particularly when handling electronic Protected Health Information (ePHI). This document outlines our adherence to the Health Insurance Portability and Accountability Act (HIPAA) through our technical infrastructure, administrative policies, and physical safeguards.
Technical Safeguards
Archonite's architecture is built on the principle of Security by Design.
1. Access Control
We ensure that only authorized personnel and systems can access ePHI through a multi-layered identity framework.
- Unique User Identification (Fingerprinting): Archonite employs a proprietary "Fingerprinting" system. Every entity—including users, businesses, customers, API logs, and data records—is assigned a unique, immutable cryptographic fingerprint. This ensures absolute traceability and prevents identity collision across our global infrastructure.
- Emergency Access Procedure: In the event of a critical system failure or emergency, authorized administrators can initiate a secure recovery protocol. This involves a multi-stage verification:
  - Request initiated via dpo@archonite.xyz.
  - An encrypted, time-sensitive verification link is sent to the registered primary contact.
  - Upon successful 2FA verification, a secondary single-use link is generated, allowing the secure download of necessary information in a hardened environment.
- Automatic Logoff: To prevent unauthorized access from unattended workstations, Archonite enforces strict session timeouts:
  - Internal Support Staff: Sessions expire and require re-authentication every 4 hours.
  - Client Dashboard/Portal: Sessions expire after 4 hours.
- Encryption & Decryption:
  - At Rest: All sensitive data is encrypted at rest using AES-256.
  - Credential Security: User passwords and sensitive identifiers are hashed, digested, and salted using the AES-256 algorithm, the industry standard for resisting brute-force and GPU-based attacks.
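The emergency access procedure listed earlier in this section (an expiring verification link, a 2FA check, then a single-use download link) can be modelled with MAC-protected tokens. This is an added illustration, not Archonite's implementation; the function names, token layout, in-memory store and TTL values are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)     # server-side MAC key (assumed; held in a KMS/HSM in practice)
VERIFY_TTL, DOWNLOAD_TTL = 900, 300  # seconds; constructed values, the page states none
_redeemed = set()                    # token ids already used (a shared store in a real deployment)

def _mac(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_link_token(request_id, stage, ttl, now=None):
    """Mint a token bound to one request, one stage, an expiry and a random id."""
    now = time.time() if now is None else now
    body = json.dumps({"rid": request_id, "stage": stage,
                       "exp": int(now + ttl), "jti": secrets.token_hex(16)}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body).decode()

def redeem_link_token(token, stage, now=None):
    """Return the request id if the token is authentic, unexpired and unused."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_hex = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:
        raise ValueError("malformed") from None
    # Verify the MAC in constant time before trusting or parsing any claim.
    if not hmac.compare_digest(mac_hex.encode(), _mac(body)):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["stage"] != stage:     # a verification link must not work as a download link
        raise ValueError("wrong stage")
    if now > claims["exp"]:
        raise ValueError("expired")
    if claims["jti"] in _redeemed:
        raise ValueError("already used")
    _redeemed.add(claims["jti"])
    return claims["rid"]

def complete_verification(verify_token, second_factor_ok, now=None):
    """Redeem the e-mailed link, require 2FA, then mint the single-use download link."""
    rid = redeem_link_token(verify_token, "verify", now)
    if not second_factor_ok:         # link is already consumed: one 2FA attempt per link
        raise ValueError("second factor failed")
    return issue_link_token(rid, "download", DOWNLOAD_TTL, now)
```

Single use is tracked by the random token id inside the authenticated body, so a re-encoded copy of the same link is still rejected.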
2. Audit Controls
Archonite maintains a comprehensive and immutable audit trail for all activities within the ecosystem.
- Activity Logging: We log all internal and external API calls, authentication events (logins/logouts), account configuration changes, billing activities, and KYC/Identity verification milestones.
- Log Immutability & Governance: Log databases are decoupled from primary application databases and are accessible only to Tier-3 Management (e.g., CTO). Manual modifications to database schemas or records are strictly prohibited without documented CTO approval and are subject to internal compliance audits.
3. Integrity & Authentication
- Authentication of ePHI: We use digital signatures and checksums to ensure that ePHI has not been altered or destroyed in an unauthorized manner during storage or transit.
- Entity Authentication: Archonite enforces Mandatory Multi-Factor Authentication (MFA/2FA). Users and clients cannot disable these security methods, ensuring that possession of a password alone is never sufficient for account access.
- Data Integrity & Disaster Recovery: Archonite maintains encrypted, immutable backups ("Retrievable Exact Copies") of all databases. These backups are generated every 1 hour and stored in a geographically redundant region to ensure business continuity and data restoration in the event of a catastrophic failure or ransomware attack.
4. Transmission Security
- Integrity Controls: Data is exclusively transferred over HTTPS (TLS 1.3) connections. Plaintext or unsecured connections (HTTP) are blocked by default, except in isolated, sandboxed test environments.
- Archonite Signed Payload (ASP): In addition to standard transport layer security, we utilize Archonite Signed Payloads (ASP) for all data transfers containing ePHI. This adds a layer of application-level encryption and signing, ensuring that payloads cannot be intercepted or tampered with even if the underlying TLS layer were compromised.
Administrative Safeguards
Our administrative policies focus on the "Human Element" of security, managed by a combination of AI-driven oversight and expert human review.
1. Risk Analysis & Management
Archonite utilizes a Guardrail Sentinel AI—a specialized autonomous agent that monitors system health and security patterns in real-time.
- Real-time Analysis: The Sentinel AI performs continuous risk analysis, identifying potential fraud or security anomalies.
- Human Oversight: While the Sentinel provides high-speed analysis, all critical security escalations, sanction policies, and risk management decisions are reviewed by a human Security Official before final action is taken.
2. Workforce Security & Management
All employees at Archonite undergo rigorous vetting and continuous monitoring.
- Workforce Clearance: All personnel are required to submit and renew a valid Police Clearance (or international equivalent) upon expiration of their previous one.
- Zero Tolerance Policy: Failure to maintain valid clearances or adhere to security protocols results in immediate suspension and potential termination.
- Termination Procedures: Access to all systems, including Cloud VMs and internal tools, is revoked instantly upon the termination of a workforce member's contract.
- Security Awareness Training: Beyond initial vetting, all personnel undergo mandatory Security Awareness and HIPAA Training upon hire and annually thereafter. This ensures every team member remains up-to-date on current phishing tactics, social engineering threats, and privacy obligations.
Physical Safeguards
As a cloud-native platform, Archonite extends physical security from the data center to the employee's workstation.
- Cloud-Native Workstations: Archonite employees do not handle data on local hardware. All work is performed within Custom Cloud VMs. These environments are locked down to prevent data extraction (copy-pasting or downloading information outside the VM is disabled).
- IP Whitelisting & Monitoring: Employee workstations are monitored 24/7. Support tools are only accessible from the specific IP addresses assigned to the Cloud VMs; all other connection attempts are automatically blocked.
- Media & Device Controls:
  - Disposal: Disposal of customer information is governed by the specific mandated laws of the customer's jurisdiction (e.g., GDPR-compliant erasure or HIPAA-compliant data destruction).
  - Media Re-use: We follow strict NIST-compliant procedures for the removal of ePHI from electronic media before any hardware is repurposed or decommissioned by our cloud providers.
- Business Associate Agreements (BAA): Archonite ensures that all third-party vendors handling ePHI (such as cloud hosting and database providers) are bound by valid Business Associate Agreements, ensuring they maintain compliance with HIPAA security and privacy rules.
Privacy Rule & Software Features
The HIPAA Privacy Rule establishes the "Patient's Right of Access." Archonite includes features to support these rights technically.
- Right of Access: End-users (customers) may request access to their verified data through the client business's portal or by direct request to Archonite support.
- Right of Amendment: To maintain data integrity, records can only be updated via authorized API calls or manual requests from the verified client business, ensuring changes are documented and legitimate.
- Accounting of Disclosures: Every instance where user information is accessed is logged and made visible to authorized administrators with the appropriate privilege level, providing a transparent history of data disclosure.
- Minimum Necessary Principle: Archonite strictly adheres to the "Minimum Necessary" standard. We do not collect or store clinical histories (e.g., patient medical records). Our scope is limited to identity verification; as such, support representatives can never view clinical data that is irrelevant to the verification process.
Breach Notification Rule
In the unlikely event of a security incident, Archonite has a clear and rapid response plan.
- Detection & Identification: Affected users and data segments are immediately identified and filtered using our auditing tools.
- Notification: Archonite will notify affected clients without undue delay and within 48 hours, providing a full report on the incident and the steps taken to remediate the damage.
