Minimum Viable Secure Product (MVSP) Declaration
Archonite Ltd. (Malta) is built on a foundation of defensive security and radical transparency. We recognize that in the modern threat landscape, trust is not granted—it is verified.
This document serves as our formal attestation against the Minimum Viable Secure Product (MVSP) framework. It details the specific technical implementations, administrative policies, and architectural decisions that ensure Archonite meets the rigorous security baselines required by enterprise application procurement teams.
1. Business Controls
Governance, Compliance, and Incident Management.
1.1 Vulnerability Reporting & Disclosure
Requirement: Provide a point of contact for security researchers and a clear process for reporting vulnerabilities.
Archonite Implementation:
We maintain a standards-compliant security.txt file at the root of our domain (https://archonite.xyz/security.txt), ensuring discoverability for researchers.
- Reporting Channel: Vulnerabilities may be submitted directly to dpo@archonite.xyz.
- SLA: We commit to a human acknowledgment of all non-automated reports within 48 hours.
- Safe Harbor: We guarantee legal safe harbor for researchers acting in good faith to identify issues without exploiting them or affecting user data.
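A reviewer doing vendor due diligence can check a security.txt file against the two fields RFC 9116 makes mandatory, Contact and Expires. The following is an added example, not Archonite's code; the file contents, the example.com addresses and the reference date are constructed for illustration.

```python
from datetime import datetime, timezone

NOW = datetime(2026, 1, 21, tzinfo=timezone.utc)  # constructed reference date

# Constructed sample files, not fetched from any real site.
GOOD = """# constructed sample
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en
"""
BAD = """Contact: security@example.com
Expires: 2025-06-30T00:00:00Z
"""

def parse_security_txt(text):
    """Collect fields as {lowercased-name: [values]}; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit_security_txt(text, now):
    """Return findings for Contact and Expires; an empty list means both pass."""
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("no Contact field")
    for c in contacts:  # Contact values must be URIs, not bare addresses
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"Expires must appear exactly once, found {len(expires)}")
        return findings
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return findings + ["Expires is not an ISO 8601 timestamp"]
    if when.tzinfo is None:
        findings.append("Expires lacks a UTC offset")
    elif when <= now:
        findings.append("Expires is in the past")
    return findings
```

RFC 9116 specifies /.well-known/security.txt as the location and treats a top-level /security.txt as a legacy path, so a checker should request both.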
1.2 Compliance & Self-Assessment
Requirement: Comply with relevant industry standards and perform annual security reviews.
Archonite Implementation: Archonite operates under a "Continuous Compliance" model rather than relying solely on static annual audits.
- Regulatory Alignment: We are fully aligned with HIPAA (US Healthcare) and GDPR (EU Data Privacy).
- Automated Auditing: Our proprietary Guardrail Sentinel AI performs real-time, heuristic analysis of our infrastructure configurations (IaC) and access logs, flagging potential non-compliance events immediately.
- Artifacts: Detailed compliance papers for HIPAA and GDPR are publicly available for vendor due diligence.
1.3 Incident Handling & Notification
Requirement: A documented process to handle security incidents and notify customers without undue delay.
Archonite Implementation: Our Incident Response Plan (IRP) is triggered automatically upon the detection of confirmed unauthorized access or data exfiltration.
- Notification Timeline:
  - Global/HIPAA Clients: Notified within 48 hours without undue delay (US Standard) or sooner as dictated by local jurisdiction.
- Communication Method: Critical security alerts are broadcast via the Archonite Signed Payload (ASP) webhook system to ensure the authenticity of the message, followed by email to the registered Primary Contact.
2. Application Design Controls
Architecture, Authentication, and Encryption.
2.1 Password Policy & Storage
Requirement: No arbitrary length limits (min 8, max >64); use strong, salted hashing.
Archonite Implementation: We have deprecated legacy hashing methods (MD5, SHA-1) entirely.
- Algorithm: All credentials and API secrets are hashed using Argon2id, the winner of the Password Hashing Competition (PHC), configured with memory-hard and CPU-hard parameters to resist GPU-based cracking.
- MFA Enforcement: Multi-Factor Authentication (MFA/2FA) is mandatory for all client dashboards. There is no option to disable MFA, mitigating the risk of credential stuffing attacks.
2.2 Encryption & HTTPS
Requirement: All traffic must be encrypted in transit; sensitive data encrypted at rest.
Archonite Implementation:
- In Transit: We enforce TLS 1.3 across all public and private API endpoints. Older protocols (TLS 1.0/1.1/1.2) are blocked at the load balancer level. We utilize HSTS (HTTP Strict Transport Security) with includeSubDomains and preload directives to prevent protocol downgrade attacks.
- At Rest: All persistence layers (databases, object storage) are encrypted using industry-standard Argon2 (GCM mode).
- Key Management: Encryption keys are rotated automatically every 90 days.
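The HSTS claim above can be verified from a single response header. This added example (not Archonite's code) parses a Strict-Transport-Security value under RFC 6797 rules and reports what is missing for browser preload-list eligibility: a max-age of at least 31536000 seconds plus the includeSubDomains and preload directives. The header values used with it are constructed.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the minimum the preload list accepts

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    RFC 6797: directive names are case-insensitive, max-age may be a quoted
    string, and a directive must not appear more than once.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') or None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives

def audit_hsts(header_value):
    """Return a list of findings; an empty list means preload-eligible."""
    if header_value is None:
        return ["header missing"]
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        # Browsers ignore a header with repeated directives, so stop here.
        return [str(exc)]
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdecimal()):
        findings.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_AGE:
        findings.append(f"max-age {max_age} below {PRELOAD_MIN_AGE}")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(f"{flag} directive absent")
    return findings
```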
2.3 Single Sign-On (SSO)
Requirement: Support modern federation standards (SAML, OIDC).
Archonite Implementation: For Enterprise plans, Archonite supports OIDC (OpenID Connect) and SAML 2.0 integration, allowing clients to manage access via their own Identity Providers (Okta, Azure AD, Google Workspace).
3. Application Implementation Controls
Coding Standards, Validation, and Dependencies.
3.1 Sensitive Data Identification (SDI)
Requirement: Maintain a catalog of sensitive data and minimize its retention.
Archonite Implementation:
- Identity Fingerprinting: Archonite utilizes a proprietary "Fingerprinting" system. Every data packet entering our system is tagged with a unique, immutable ID. This allows us to track the exact location of ePHI and PII across our distributed architecture.
- Data Minimization: We adhere to strict retention schedules. Unsubmitted KYC sessions are purged automatically after 24 hours. Verified identities are retained only as long as required by AML laws (6 years) or the client's contract.
3.2 Input Validation & Injection Prevention
Requirement: Validate all input; use parameterized queries to prevent SQLi and XSS.
Archonite Implementation:
- SQL Injection: Direct SQL execution is prohibited. All database interactions occur via a strictly typed ORM (Object-Relational Mapping) layer that uses parameterized queries by default.
- Cross-Site Scripting (XSS): Our frontend architecture relies on React/Next.js, which automatically escapes content before rendering. Content Security Policy (CSP) headers are strictly enforced to prevent the loading of unauthorized scripts.
3.3 Dependency Management
Requirement: Patch libraries regularly and scan for vulnerabilities.
Archonite Implementation:
- Supply Chain Security: Our CI/CD pipeline blocks any build that contains a dependency with a Critical or High severity CVE.
- Automated Scanning: We utilize automated Software Composition Analysis (SCA) tools to monitor our npm packages and container images for known vulnerabilities daily.
4. Operational Controls
Access, Physical Security, and Disaster Recovery.
4.1 Logical Access Control
Requirement: Least privilege; timely revocation; logging.
Archonite Implementation:
- Tiered Access: Access to production environments is restricted to Tier-3 Management (CTO/Lead DevOps). Support staff have zero direct access to raw database tables.
- JIT Access: Production access requests require "Just-In-Time" approval and are valid only for a limited window (e.g., 1 hour) to perform a specific task.
- Revocation: Offboarding is centralized. Terminating a staff member's account in our IdP instantly revokes access to all internal tools, cloud consoles, and code repositories.
4.2 Physical & Remote Workstation Security
Requirement: Secure the devices used to access the application.
Archonite Implementation: Archonite solves the "remote endpoint" risk by removing data from the endpoint entirely.
- Cloud-Native Workstations: All technical staff operate exclusively within isolated Virtual Desktop Environments (VDI) hosted in secure data centers.
- Data Exfiltration Block: These VDI environments are hardened to disable clipboard sharing (copy-paste out), USB mounting, and local file transfers. No customer data ever resides on a physical laptop.
4.3 Backups & Disaster Recovery
Requirement: Backups stored in a separate location; tested regularly.
Archonite Implementation:
- Retrievable Exact Copies: Encrypted snapshots of all databases are taken every 1 hour.
- Geographic Redundancy: Backups are replicated to a "Cold Storage" region geographically distinct from the primary cluster to survive regional catastrophes.
- Testing: We perform a full "Point-in-Time Recovery" drill quarterly to verify data integrity.
4.4 Third-Party Vendor Management
Requirement: Vet all sub-processors and vendors.
Archonite Implementation: We minimize our vendor footprint to reduce surface area. All critical infrastructure providers (e.g., Cloud Hosting, Database Providers) must possess SOC 2 Type II or ISO 27001 certifications. We review these reports annually.
Attestation
We hereby certify that the security controls detailed above are implemented and active within the Archonite production environment.
Date: January 21, 2026
The Archonite Security Team
