# Archonite

> Next-generation KYC and identity verification platform combining biometrics and global compliance into a single powerful API.

## Guides

### What is Archonite?

Archonite is a next-generation Know Your Customer (KYC) and identity verification platform that combines advanced biometric technology with comprehensive global compliance capabilities, all accessible through a single, powerful API.

Whether you're launching a fintech application, cryptocurrency exchange, digital marketplace, or any platform requiring user verification, Archonite eliminates the complexity of building identity verification infrastructure from scratch. Join hundreds of companies worldwide who trust Archonite to secure their onboarding processes while maintaining exceptional user experiences.

## Why Archonite?

In today's digital economy, identity verification is no longer optional; it's essential. However, building a compliant, secure, and user-friendly verification system requires:

- **Legal expertise** across multiple jurisdictions
- **AI and biometric engineering** teams
- **Security infrastructure** that meets global standards
- **Continuous maintenance** as regulations evolve
- **Significant time and capital** investment

Archonite solves these challenges by providing enterprise-grade identity verification that's ready to integrate today.

## Built for Scale, Designed for Trust

Archonite delivers everything you need to verify identities globally with confidence, compliance, and control, all from a unified dashboard.

### **Compliance-native**

AML, CTF, GDPR and regional regulations embedded at the core of the engine.

### **Biometric intelligence**

Advanced face liveness, confidence scoring, and 3D spoof resistance checks.

### **Global document logic**

Localized rules for passports, IDs, and permits for 198 countries across Asia, Europe, Americas, Africa, and Oceania.

### **Composable APIs**

Modular architecture. Use only what you need. Extend as you scale.

### **Real-time monitoring**

Live dashboards with instant alerts, audit trails, and verification analytics.

### **Fraud detection**

AI-powered anomaly detection to identify synthetic identities and document tampering, plus sanctions list and politically exposed person (PEP) screening.

### **Enterprise-grade security**

Built with end-to-end encryption, zero-trust architecture, and robust access controls. Your sensitive data is protected at rest and in transit with industry-leading security practices.

### **Developer-friendly SDKs**

RESTful APIs with comprehensive documentation, sandbox testing environments, and code samples.

Note that whether or not our AI-powered fraud and risk analyst detects a spoof, the submission is still reviewed by a human analyst to ensure accuracy.

## Verification Flow Simplified

Archonite transforms complex identity verification into three straightforward steps:

### 1. **Collect**: Secure Data Capture

Users submit identity information through your integrated application:

- **Document Capture**: Mobile camera or desktop upload with automatic edge detection and image quality validation
- **Selfie Verification**: Single photo capture with real-time liveness checks
- **End-to-End Encryption**: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- **Privacy First**: Users control their data with transparent consent workflows
- **Cross-Platform**: Web, iOS, Android; consistent experience everywhere

### 2. **Analyze**: AI-Powered Verification

Our verification engine processes submissions in real-time:

- **Liveness Detection**: AI algorithms analyze facial features, micro-movements, and depth to confirm a live person is present
- **Document Authentication**: Computer vision models validate security features, detect tampering, and verify authenticity
- **Data Extraction**: OCR technology extracts names, dates, document numbers, and other information with 99%+ accuracy
- **Cross-Reference Checks**: Compare selfie against document photo with configurable match thresholds
- **Risk Scoring**: Machine learning models assess fraud probability based on hundreds of signals
- **Watchlist Screening**: Optional checks against PEP (Politically Exposed Persons), sanctions, and adverse media databases

### 3. **Decide**: Actionable Results

Clear verification outcomes delivered to your system:

- **Instant Results**: Most verifications complete in under 10 seconds
- **Structured Data**: Standardized JSON responses with all extracted information
- **Confidence Scores**: Numerical assessment of verification reliability
- **Webhook Integration**: Real-time notifications sent to your endpoints as verifications complete
- **Compliance Reports**: Audit-ready documentation for regulatory requirements
- **Manual Review Option**: Flagged cases can be escalated to human reviewers

## More Than KYC: Trust Infrastructure

Archonite isn't just a KYC provider. We're building the foundational infrastructure for digital trust. Our platform eliminates the traditional trade-off between stringent security measures and seamless user experiences.

**The Challenge**: Most security systems frustrate users with complex requirements. Most user-friendly systems sacrifice security.

**Our Solution**: Archonite uses advanced technology to maximize security while minimizing user friction. The result? Higher conversion rates, better compliance, and satisfied customers.

## Our Journey

### **The Zero-Day** (October 2024)

Founded in a simple workspace, Archonite was born from a simple observation: cross-border businesses were struggling with document fraud detection. We set out to build a solution that could verify identities from any country with equal accuracy and reliability.

### **Biometric Breakthrough** (February 2025)

We launched our proprietary 3D liveness detection technology, dramatically improving fraud prevention while reducing user drop-off by 40%. This innovation made Archonite one of the first platforms to successfully balance security with user experience at scale.

### **The Global Standard** (August 2025)

Archonite reached a major milestone: processing hundreds of identity verifications across several jurisdictions. Our platform became the de facto standard for businesses requiring truly global verification capabilities.

### **Partnership Growth** (October 2025)

We proudly partnered with several companies worldwide, spanning fintech, cryptocurrency, healthcare, e-commerce, and other industries. Archonite became the trusted choice for businesses that refuse to compromise on security or user experience.

### **Today and Beyond** (2026)

We continue to innovate, expanding our capabilities with document verification enhancements, new compliance features, and emerging identity technologies. Our roadmap includes decentralized identity support, continuous authentication, and age verification solutions.

## Our Mission & Vision

### **Mission**

To empower businesses worldwide with secure and intelligent identity verification, making trust programmable, compliance effortless, and global onboarding accessible to everyone, regardless of company size or technical resources.

### **Vision**

To become the global trust infrastructure that enables frictionless digital identity, where individuals and businesses can verify once, connect everywhere, and operate securely across borders without redundant verification processes.

## Uncompromising Defense

We protect your users' identities with the same rigor used by national intelligence agencies. Explore our multi-layered approach to infrastructure, data, and application security.

### Infrastructure Security

Built on a global, serverless edge network backed by hardened compute instances.

- **Global Edge Network:** Our application logic is distributed across a CDN with points of presence (PoPs) in 100+ cities, mitigating DDoS attacks at the edge before they reach core servers.
- **Hardened US Compute:** Sensitive processing occurs on isolated Virtual Private Server (VPS) nodes located in Tier-4 US data centers, protected by strict firewall rules and VPC peering.
- **Active DDoS Mitigation:** We utilize automated traffic analysis to identify and scrub volumetric attacks (L3/L4) and application-layer floods (L7) in real-time.

### Data Persistence

How we store, isolate, and back up your mission-critical data.

- **Row-Level Security (RLS):** We enforce strict SQL-level isolation. A tenant's query can access only rows associated with its specific Organization ID. Cross-contamination is mathematically impossible.
- **Encryption at Rest:** All persistent data is encrypted using AES-256 at rest. Encryption keys are managed via AWS KMS and rotated automatically.
- **Point-in-Time Recovery:** Our database clusters perform continuous write-ahead logging (WAL), allowing us to restore the state of the system to any second in the last 30 days.

### Holistic Security

Defense strategies that integrate physical, technical, and administrative safeguards to protect our entire ecosystem.

- **Data Residency:** In addition, our Privacy Policy incorporates the EU Commission's latest Standard Contractual Clauses (SCCs) for transfers to third countries.
- **Zero-Knowledge API:** Our internal nodes process data in volatile memory (RAM), ensuring that unencrypted PII never touches a permanent disk.
- **Officer Vetting:** Every Archonite Compliance Officer undergoes monthly background checks and operates in a high-security biometric environment.

### Application Logic

Secure coding practices and rigorous testing methodologies.

- **SDLC:** Every line of code undergoes static analysis and peer review before merging. We strictly adhere to OWASP Top 10 mitigation strategies.
- **Token Management:** API keys are cryptographically hashed using AES-256 before storage. We never display full secrets after initial generation.
- **Sanitized Logs:** Our logging pipeline automatically detects and redacts PII (Personally Identifiable Information) to ensure logs remain compliant.
- **Rate Limiting:** Intelligent rate limiting per IP and API token prevents brute-force attacks and resource exhaustion.

### Privacy by Architecture

Identity data is the most sensitive asset on the web. At Archonite, we don't just manage data; we secure it through a proprietary multi-layer encryption protocol and a rigorous hybrid review process.

### Enterprise-grade security standards.

We built Archonite to meet the strictest data protection requirements from day one. Trusted by organizations that value integrity and privacy.

- **HIPAA Compliant:** Fully compliant with Health Insurance Portability and Accountability Act standards for handling medical data, ensuring PHI is encrypted and protected at rest and in transit. [Learn More](/docs/general/00005-hipaa-compliance)
- **GDPR Regulated:** Strict adherence to General Data Protection Regulation for data privacy and sovereignty. We provide built-in tools for data subject access requests and [Learn More](/docs/general/00006-gdpr-compliance)
- **MVSP Declaration:** Designed to meet Minimum Viable Secure Product baselines, providing a solid foundation for enterprise-grade security controls, vendor assessments, and compliance audits.
[Learn More](/docs/general/00007-mvsp-declaration)

### The Archonite Signed Payload

A breakdown of how your customer's data travels through our infrastructure.

#### 01. Input

**ASP Encryption**

Data is instantly wrapped in an Archonite Signed Payload logic protocol on the client side before transmission.

#### 02. Processing

**Node Decryption**

Internal API endpoints decode the ASP for AI review. Once verified, data is re-encrypted before state persistence.

#### 03. Audit

**Officer Review**

Encrypted assets are decrypted in a sandboxed session for review by a well-tested MCP-connected AI sentinel for processing CTF, AML, PEP, and other KYC-related checks.

#### 04. Egress

**Secure Webhook**

Once finalized, a signed and encrypted payload is dispatched to your destination endpoint.

## Need help?

You may reach us through [support@archonite.xyz](mailto:support@archonite.xyz).

### Acceptable Use Policy

This Acceptable Use Policy ("AUP") governs the access to and use of the services, API, SDKs, and platforms provided by **Archonite Ltd. (Malta)** ("we," "us," or "our"). This policy applies to all Customers, Developers, End-Users, and entities ("you") accessing Archonite’s infrastructure.

By accessing or using any part of the Archonite ecosystem, you agree to strictly abide by this AUP. Violation of this policy may result in the immediate suspension or termination of your access, legal action, and notification to relevant law enforcement or regulatory authorities.

## **1. Core Principles**

The Archonite "Trust Infrastructure" is built upon three fundamental pillars. Your use of our services must always align with these values:

1. **Integrity:** Verification must be conducted in good faith, targeting legitimate identification needs without deceptive intent.
2. **Security:** You must prioritize the preservation of our technical infrastructure and the confidentiality of the data passing through it.
3. **Privacy:** Respect for the individual's right to data protection is paramount. Collection and processing must be minimal, transparent, and lawful.

## **2. Purpose and Scope**

Archonite provides high-assurance tools designed to make global identity verification secure, programmable, and compliant. Because our platform handles sensitive **Personally Identifiable Information (PII)**, **Electronic Protected Health Information (ePHI)**, and **Biometric Data**, we enforce rigorous standards to maintain the health and safety of our digital ecosystem.

## **3. Prohibited Activities**

You may not use Archonite’s services for any illegal, harmful, or fraudulent activity. The following categories represent a non-exhaustive list of prohibited behaviors.

### **3.1. Illegal Activity & Regulatory Violations**

You strictly cannot use Archonite to:

- **Facilitate Crime:** Support illegal gambling, drug trafficking, human trafficking, arms dealing, or terrorist financing.
- **Evade Sanctions:** Conduct business with individuals or entities on global sanctions lists (e.g., OFAC, UN, EU sanctions lists) or located in embargoed jurisdictions.
- **Violate Payment Rules:** Engage in activities that violate the rules or regulations of payment processors or credit card networks (e.g., Visa, Mastercard, and Polar rules).
- **Facilitate Age-Restricted Sales:** Verify identities for the unauthorized sale of drugs, alcohol, tobacco, or vaping products in jurisdictions where prohibited.

### **3.2. Identity Fraud & Manipulation**

As a security-first provider, we maintain zero tolerance for attacks against our verification engine:

- **Synthetic Identities:** Creating or testing records using artificially generated or combined "Frankenstein" records to deceive credit or identity systems.
- **Deepfakes & Injection Attacks:** Utilizing AI-generated imagery, high-resolution masks, pre-recorded media, or software-based camera injection tools to bypass our **3D Biometric Liveness Detection**.
- **Document Forgery:** Uploading known counterfeit, altered, or stolen IDs.

### **3.3. Commercial Integrity & Consumer Protection**

We reserve the right to suspend accounts we consider deceptive, high-risk, or of low quality. You may not use Archonite in connection with:

- **High-Risk Disputes:** Business models that cause or present a significant risk of excessive refunds, chargebacks, fines, or damages to Archonite or our partners.
- **Reputational Threat:** Activities that threaten the brand reputation of Archonite.
- **Deceptive Marketing:** "Get rich quick" schemes, multi-level marketing (MLM), pyramid schemes, or fake testimonials/social proof platforms.
- **Low-Quality Offerings:** Sites or services that are buggy, quickly/poorly executed, or deemed to have a "low trust score" (e.g., selling AI-generated e-books of minimal value at inflated prices).

### **3.4. System Abuse & Network Security**

You must not compromise the technical excellence of the Archonite network:

- **Interference:** Attempting to overload, flood (DoS/DDoS), or crash our API endpoints.
- **Unauthorized Access:** Probing for vulnerabilities or attempting to access data segments outside of your authorized organization ID.
- **API Cloaking:** Using services to circumvent IP bans or API rate limits.
- **Malicious Software:** Distributing viruses, spyware, or malware.

## **4. API Usage & Operational Standards**

To ensure high availability and fair access across all tiers, the following operational rules are enforced:

### **4.1. Rate Limiting & Resource Management**

- **Tier Compliance:** You must respect the requests-per-second (RPS) limits associated with your subscribed plan.
- **Shadowing Prohibited:** Creating multiple accounts to aggregate free-tier quotas or bypass throttling is strictly prohibited.
- **Efficient Polling:** You are required to use our **Webhook** event system for asynchronous status updates.
Polling the `GET /verification/{id}` endpoint more than once every 5 seconds for a single ID is considered abusive.

### **4.2. Credentials & Authentication Security**

- **Secret Hygiene:** API keys must never be exposed in client-side code, mobile binaries, or public version control systems.
- **Token Binding:** Authentication tokens are bound to specific CIDR blocks or domains where configured; attempting to share tokens across unauthorized environments is a violation.

## **5. Data Privacy & Global Compliance**

Archonite acts as a **Data Processor**. You, the client, act as the **Data Controller**. You bear the sole responsibility for ensuring your use of our services conforms to local and international law.

### **5.1. Global Frameworks**

- **GDPR (Europe):** You must provide a clear "Privacy Notice" and establish a Lawful Basis before initiating a verification.
- **HIPAA (USA):** Verification of healthcare providers or patients involving ePHI requires a signed Business Associate Agreement (BAA).
- **CCPA/CPRA (California):** You must honor "Do Not Sell or Share" requests and maintain transparency regarding biometric processing.
- **LGPD (Brazil) & APPI (Japan):** You must comply with local residency and consent requirements for data processing across these jurisdictions.

### **5.2. Biometric Consent**

Where legally required (e.g., Illinois BIPA, Texas CBO, or GDPR Article 9), you must obtain explicit, affirmative consent from the end-user specifically regarding the collection and analysis of their facial geometry.

### **5.3. Data Retention & Minimization**

- Archonite is not a long-term storage vault. You must retrieve your verification results and store them in your own secure systems.
- You agree to propagate "Right to Erasure" (Deletion) requests to our platform via the API within 48 hours of receipt from an end-user.

## **6. Prohibited Industries**

Archonite does not support the following industries.
We reserve the right to review and terminate accounts associated with:

### **6.1. Financial & Investment Services**

- **Unregulated Financial Services:** Facilitating transactions, investments, or holding balances without proper licensing.
- **High-Risk Trading:** Trading bots, binary options, signals, or "investment insights" platforms.
- **Crypto & NFTs:** Sale or exchange of NFT/Crypto assets without an Enterprise agreement and enhanced due diligence.
- **Financial Advice:** Unregulated tax guidance, wealth management, or investment strategies.

### **6.2. Adult & Content Services**

- **Adult Content:** Pornography, cam-sites, or adult-oriented dating applications.
- **AI Companions:** AI "Girlfriend/Boyfriend" services or explicit/NSFW content generated via AI.
- **OnlyFans Support:** Services explicitly related to OnlyFans management or automation.

### **6.3. Digital Goods & Gaming**

- **Game Manipulation:** Macros, cheat codes, hacks, or unauthorized modifications to gameplay.
- **License Reselling:** Selling software licenses at reduced prices without authorization (grey market keys).
- **Circumvention Services:** Tools designed to bypass rules, gameplay mechanics, or pricing structures of other vendors (e.g., IPTV services, Watermark removal).

### **6.4. Physical Goods & Human Services**

- **Physical Goods:** SaaS services offering or requiring fulfillment via physical delivery (e.g., drop-shipping).
- **General Consulting:** Generic marketing, design, or web development agencies without a specific verified platform use-case.
- **Travel Services:** Timeshares, travel clubs, or reservation services.

### **6.5. Marketing & Lead Generation**

- **Unsolicited Marketing:** Generating, scraping, or selling leads.
- **Bulk Automation:** Services that automate mass content generation, submission, or bulk SMS/WhatsApp messaging (spam risks).
- **Review Inflation:** Selling fake reviews or social proof.

### **6.6. High-Risk & Other Verticals**

- **Gambling:** Casinos, sportsbooks, loot boxes, mystery boxes, or pack openings of a random nature.
- **Pseudo-Science:** Clairvoyance, horoscopes, fortune-telling, etc.
- **Medical Advice:** Unlicensed pharmaceutical sales, weight loss, or muscle-building products.
- **Telecommunications:** eSIM services or VoIP resale without proper carrier compliance.
- **Donations:** Platforms where price exceeds product value or there is no exchange (pure money transfer), excluding approved open-source sponsorships.

## **7. Restricted Businesses**

The following business categories are not strictly prohibited but are classified as **Restricted**. They require a closer review, a higher bar of quality, and specific compliance standards to be accepted on the Archonite platform:

1. **Directories & Job Boards:** Listings verification.
2. **Ticket Sales:** Event access and secondary market verification.
3. **Pre-orders & Paid Waitlists:** High-risk for non-delivery.
4. **eBooks & Information Products:** Subject to quality review to prevent PLR (Private Label Rights) spam.

## **7. Security Research**

We value the security community and encourage responsible disclosure.

- **Permissible Research:** Must be conducted against your own test accounts in the sandbox environment and reported via **[dpo@archonite.xyz](mailto:dpo@archonite.xyz)**.
- **Disclosure:** We subscribe to a standard **90-day** disclosure window. Public release of details before Archonite has deployed a patch is a violation of this AUP.

## **8. Enforcement & Reporting**

### **8.1. Continuous Monitoring**

We utilize AI-driven anomaly detection to monitor traffic patterns and payload integrity. As outlined in our **Immutable Logs** documentation, we maintain immutable logs of API interactions for forensic and audit purposes.

### **8.2. Remediation Tiers**

1. **Notification:** For minor limit overruns or configuration errors, we will coordinate with your technical team.
2. **Suspension:** Immediate suspension of API keys occurs if we detect active fraud, liveness injection, or credential leakage.
3. **Termination:** Malicious intent or illegal activity results in permanent account closure and forfeiture of all service credits.

### **8.3. Legal Cooperation**

We cooperate fully with global law enforcement agencies (e.g., Interpol, FBI) in the investigation of money laundering, human trafficking, or threats to national security.

## **9. Enforcement & Reporting**

### **9.1. Monitoring & Remediation**

We utilize AI-driven anomaly detection to monitor traffic patterns.

1. **Notification:** We will coordinate with you on minor errors.
2. **Suspension:** Immediate suspension occurs for active fraud or AUP violations.
3. **Termination:** Malicious intent results in permanent account closure.

### **9.2. Legal Cooperation**

We cooperate fully with global law enforcement agencies in the investigation of money laundering, human trafficking, or threats to national security.

## **9.3. Contact & Inquiries**

For clarifications regarding specific use cases or to report a violation:

- **Legal & Compliance:** [legal@archonite.xyz](mailto:legal@archonite.xyz)
- **Security Operations:** [dpo@archonite.xyz](mailto:dpo@archonite.xyz)
- **Technical Support:** [support@archonite.xyz](mailto:support@archonite.xyz)

---

_For Enterprise clients, this policy is subject to the Governing Law defined in your Master Services Agreement (MSA). For all other users, this policy shall be governed by and construed in accordance with the Laws of Malta. Any disputes arising under this AUP shall be resolved exclusively in the courts of Valletta, Malta._

### Service Pricing

At Archonite, we believe that world-class identity verification and compliance should be accessible to everyone—from start-up developers to global enterprises.
Our pricing model is designed to be transparent, predictable, and scalable, ensuring you only pay for what you verify while maintaining the highest standards of security.

## Core Pricing Philosophy

- **Pay Per Use**: No subscriptions, no monthly commitments. Pay only for successful verifications.
- **No Hidden Fees**: We don't charge for API integration or webhook setup.
- **Transparent Billing**: Clear per-verification pricing with minimum package purchases.
- **Security First**: Every tier benefits from our core security architecture and device fingerprinting.

## Pay-Per-Use Model

All pricing is based on a **per-verification** model. You purchase verification packages in advance and consume them as needed. No expiration dates, no monthly caps—just simple, flexible usage.

### Device Signature (All Tiers)

Every verification tier automatically captures basic device information:

- **IP Address**: Geographic location and network information
- **User Agent**: Device and browser fingerprinting for fraud detection

## Pricing Tiers

### 1. Data Sense

**Perfect for: E-commerce platforms, CRMs, and email marketing systems**

The most affordable entry-level tier for low-risk environments where you need basic data validation.

- **Price**: $0.05/Verification
- **Minimum Package**: $10.00 (200 verifications)
- **Focus**: Entry-level API tier for low-risk environments. Verify user existence and data formatting.

**What's Included**:

- Personal information verification
- IP Address capture
- User Agent capture

### 2. DocuVerify

**Perfect for: Age-restricted websites, gig-economy driver registration, visitor management systems**

Basic identity proofing with document verification but without biometric linking or criminal background checks.

- **Price**: $0.50/Verification
- **Minimum Package**: $20.00 (40 verifications)
- **Focus**: Verify authenticity of government ID without biometric linking or criminal checks.

**What's Included**:

- Personal information verification
- Standard ID check (3,000+ document types worldwide)
- IP Address capture
- User Agent capture

### 3. BioGuard

**Perfect for: High-value transactions, password resets, crypto-wallet access recovery**

Anti-impersonation and account security through biometric verification and liveness detection.

- **Price**: $0.85/Verification
- **Minimum Package**: $30.00 (35 verifications)
- **Focus**: Ensure the person holding the ID is the owner and physically present.

**What's Included**:

- Standard ID check
- 3D biometrics (depth-sensing anti-spoofing)
- Liveness detection
- IP Address capture
- User Agent capture

### 4. ComplyScreen

**Perfect for: Insurance companies, real estate agencies, periodic customer reviews**

Regulatory screening and compliance checks against global watchlists without requiring ID document uploads.

- **Price**: $1.25/Verification
- **Minimum Package**: $50.00 (28 verifications)
- **Focus**: Backend batch processing against global watchlists without ID upload friction.

**What's Included**:

- Personal information verification
- Global PEP (Politically Exposed Persons) screening
- Global AML (Anti-Money Laundering) checks
- Global CTF (Counter-Terrorism Financing) lists
- IP Address capture
- User Agent capture

### 5. OmniShield

**Perfect for: Neobanks, Cryptocurrency Exchanges, Fintech Lenders, Traditional Banks**

Our flagship tier providing Enhanced Due Diligence (EDD) with comprehensive KYC coverage and maximum security.

- **Price**: $2.25/Verification
- **Minimum Package**: $100.00 (30 verifications)
- **Focus**: All-in-one flagship tier covering the entire KYC funnel with maximum security.

**What's Included**:

- Personal information verification
- Standard ID check
- 3D biometrics
- Liveness detection
- Global PEP screening
- Global AML checks
- Global CTF lists
- IP Address capture
- User Agent capture

## Feature Glossary

Understanding our technology helps you choose the right plan:

| Feature | Description |
| :--- | :--- |
| **Personal Information Verification** | Validates name, date of birth, address, and contact details against formatting rules and basic existence checks. |
| **Standard ID Check** | Automated verification for 3,000+ government-issued document types worldwide using OCR and template matching. |
| **3D Biometrics** | Uses advanced spatial analysis and depth-sensing to prevent high-resolution photos or video replays from spoofing the system. |
| **Liveness Detection** | A process that confirms the verification subject is a real person and not a synthetic or static image. |
| **PEP Screening** | Checking individuals against lists of people who hold prominent public positions, identifying potential legal or reputational risks. |
| **AML Checks** | Anti-Money Laundering screening against global sanctions and financial crime watchlists (OFAC, UN, EU). |
| **CTF Lists** | Counter-Terrorism Financing checks to identify individuals or entities associated with terrorist organizations. |
| **IP Address** | Captures the user's IP address for geographic location tracking and fraud prevention. |
| **User Agent** | Browser and device fingerprinting to detect suspicious patterns and prevent automated attacks. |

## Operational Details

### Verification Packages

All packages are pre-paid and have **no expiration date**. Purchase when you need them, use them at your own pace.

- Packages are automatically deducted with each successful verification
- Failed verifications (e.g., document not recognized, liveness check failed) are charged as well when submitted successfully
- Package balance can be viewed in your dashboard at any time

### Support Response Times

Support is tiered based on your total monthly usage volume:

- **< 100 verifications/month**: 2-3 business days (Community Support)
- **100-500 verifications/month**: Under 24 hours (Priority Support)
- **500+ verifications/month**: Under 4 hours (Premium Priority Support)

Note that the Service Level Agreement for response time does not apply to vulnerability and other critical reports, which are handled via [dpo@archonite.xyz](mailto:dpo@archonite.xyz) regardless of usage tier.

### External Costs

Please note that our pricing does not include any transaction fees levied by our 3rd party payment processor (Polar).

## Frequently Asked Questions

**Is there a monthly subscription?**

No. Archonite uses a pure pay-per-use model. You only pay for verifications you perform, with no recurring subscriptions or monthly fees.

**Do verification packages expire?**

No. All pre-purchased verification packages have no expiration date. Use them at your own pace.

**What happens if a verification fails?**

Failed verifications (e.g., document illegible, liveness check failed) are deducted from your package balance as well.

**Can I switch between tiers?**

Yes. Each verification can use any tier you choose. You can specify the tier at verification time via the API calls.

**What if I need higher volumes?**

For enterprise volume customers requiring 10,000+ verifications per month, please [Contact Sales](mailto:sales@archonite.xyz) for custom pricing and dedicated support.

**Is there a free trial?**

At the moment, Archonite does not offer a free trial except when an offer is made available. However, we do offer a limited sandbox environment for developers to test our API.
Please [Contact Support](mailto:support@archonite.xyz) for more information. ## Pricing Disclaimer Pricing is subject to change. For the latest rates and to purchase verification packages, always refer to the [Pricing Page](https://archonite.xyz/pricing). ### Supported Countries, Regions & Territories Archonite provides global identity verification coverage, supporting government-issued IDs from over 200 countries and territories. Our document checking engine is continuously updated to recognize new document versions and security features. ## Supported Users and Clients Our supported regions are categorized based on the issuing authority of the identity documents. This list allows you to determine where your users can be onboarded from. ### European Region Archonite offers extensive coverage across the European continent, fully aligned with the **Public Register of Authentic Travel and Identity Documents Online (PRADO)** standards maintained by the Council of the European Union. This includes support for all EU Member States, the Schengen Area, and key non-EU jurisdictions. We support National ID Cards, Passports, Residence Permits, and Driving Licenses for these regions to facilitate seamless GDPR-compliant onboarding. 
| Code | English Name | Native / Official Name |
| :--- | :--- | :--- |
| EUE | European Union | |
| AUT | Austria | Republik Österreich |
| BEL | Belgium | Royaume De Belgique / Koninkrijk België / Königreich Belgien |
| BGR | Bulgaria | Република България |
| CYP | Cyprus | Κυπριακή Δημοκρατία / Kibris Cumhuri̇yeti̇ |
| CZE | Czechia | Česká Republika |
| DEU | Germany | Bundesrepublik Deutschland |
| DNK | Denmark | Danmark |
| ESP | Spain | España |
| EST | Estonia | Eesti Vabariik |
| FIN | Finland | Suomi |
| FRA | France | République Française |
| GRC | Greece | Ελληνική Δημοκρατία |
| HRV | Croatia | Republika Hrvatska |
| HUN | Hungary | Magyarország |
| IRL | Ireland | Éire / Ireland |
| ITA | Italy | Repubblica Italiana |
| LTU | Lithuania | Lietuvos Respublika |
| LUX | Luxembourg | Grand-duché De Luxembourg |
| LVA | Latvia | Latvijas Republika |
| MLT | Malta | Malta |
| NLD | Netherlands | Koninkrijk Der Nederlanden |
| POL | Poland | Rzeczpospolita Polska |
| PRT | Portugal | Portugal |
| ROU | Romania | România |
| SVK | Slovakia | Slovenská Republika |
| SVN | Slovenia | Republika Slovenija |
| SWE | Sweden | Sverige |
| CHE | Switzerland | Schweiz / Confédération Suisse / Svizzera / Svizra |
| ISL | Iceland | Ísland |
| NOR | Norway | Kongeriket Norge / Kongeriket Noreg / Norgga Gonagasriika |

### Non-EU Region

We provide robust verification for countries outside the European Union, covering the Americas, Africa, Asia, and Oceania. This includes specialized handling for diverse regional formats (such as state-level IDs in the US/Canada and non-Latin scripts in Asia and the Middle East).

| Code | English Name | Native / Official Name |
| :--- | :--- | :--- |
| LIE | Liechtenstein | Fürstentum Liechtenstein |
| AFG | Afghanistan | Islamic Republic Of Afghanistan |
| AGO | Angola | República De Angola |
| AIA | Anguilla | Anguilla |
| ALB | Albania | Republika E Shqipёrisё / Republic Of Albania |
| AND | Andorra | Andorra |
| ARE | United Arab Emirates | |
| ARG | Argentina | Republica Argentina |
| ARM | Armenia | Republic Of Armenia |
| AUS | Australia | Australia |
| AZE | Azerbaijan | Azәrbaycan Respubli̇kasi |
| BDI | Burundi | Republika Y'uburundi / Republique Du Burundi / Republic Of Burundi |
| BEN | Benin | Republique Du Benin |
| BFA | Burkina Faso | Burkina Faso |
| BGD | Bangladesh | People's Republic Of Bangladesh |
| BHR | Bahrain | Kingdom Of Bahrain |
| BHS | Bahamas | Commonwealth Of The Bahamas |
| BIH | Bosnia And Herzegovina | Bosna I Hercegovina / Босна И Херцеговина |
| BLR | Belarus | Рэспублiкa Беларусь / Рeспублика Беларусь / Republic Of Belarus |
| BLZ | Belize | Belize |
| BMU | Bermuda | Government Of Bermuda |
| BRA | Brazil | República Federativa Do Brasil |
| BRN | Brunei Darussalam | |
| BTN | Bhutan | Kingdom Of Bhutan |
| BWA | Botswana | Republic Of Botswana |
| CAF | Central African Republic | République Centrafricaine |
| CAN | Canada | Canada |
| CHL | Chile | República De Chile |
| CHN | China | People's Republic Of China |
| CIV | Côte D'ivoire (ivory Coast) | République De Côte D'ivoire |
| CMR | Cameroon | Republique Du Cameroun / Republic Of Cameroon |
| COD | Democratic Republic Of Congo | République Démocratique Du Congo |
| COG | Republic Of The Congo | Republique Du Congo |
| COL | Colombia | Republica De Colombia |
| COM | Comoros | Union Des Comores |
| CPV | Cape Verde | República De Cabo Verde |
| CRI | Costa Rica | Republica De Costa Rica |
| CUB | Cuba | Republica De Cuba |
| DJI | Djibouti | République De Djibouti |
| DMA | Dominica | Commonwealth Of Dominica |
| DOM | Dominican Republic | República Dominicana |
| DZA | Algeria | Republique Algerienne Democratique Et Populaire / People's Democratic Republic Of Algeria |
| ECU | Ecuador | Republica Del Ecuador |
| EGY | Egypt | Arab Republic Of Egypt |
| ERI | Eritrea | Eritrea |
| ETH | Ethiopia | Federal Democratic Republic Of Ethiopia |
| FRO | Faroe Islands | Føroyar Danmark |
| GAB | Gabon | Republique Gabonaise |
| GBD | British Overseas Territories Citizen | British Overseas Territories Citizen (b.o.t.c.) |
| GBR | United Kingdom | United Kingdom Of Great Britain And Northern Ireland |
| GEO | Georgia | Georgia |
| GGY | Guernsey | British Islands Bailiwick Of Guernsey |
| GHA | Ghana | Republic Of Ghana |
| GIB | Gibraltar | Gibraltar |
| GIN | Guinea | Republique De Guinee |
| GMB | Gambia | Republic Of The Gambia |
| GNB | Guinea-bissau | República Da Guiné - Bissau |
| GNQ | Equatorial Guinea | |
| GRD | Grenada | Grenada |
| GRL | Greenland | Kalaallit Nunaat Danmark |
| GUY | Guyana | Republic Of Guyana |
| HKG | Hong Kong | Hong Kong Special Administrative Region People's Republic Of China |
| HND | Honduras | República De Honduras |
| HTI | Haiti | Republique D'haiti / Repiblik D Ayiti |
| IMN | Isle Of Man | British Islands Isle Of Man |
| IND | India | Republic Of India |
| IRN | Islamic Republic Of Iran | |
| IRQ | Iraq | Republic Of Iraq |
| ISR | Israel | State Of Israel |
| JAM | Jamaica | Jamaica |
| JEY | Jersey | British Islands Bailiwick Of Jersey |
| JOR | Jordan | The Hashemite Kingdom Of Jordan |
| JPN | Japan | Japan |
| KAZ | Kazakhstan | Қазақстан Республикасы / Republic Of Kazakhstan |
| KEN | Kenya | Republic Of Kenya |
| KGZ | Kyrgyzstan | Kьipгьiз Pecпубʌиkacьi / Kьipгьiзckaя Pecпубʌиka / The Kyrgyz Republic |
| KHM | Cambodia | Kingdom Of Cambodia / Royaume Du Cambodge |
| KNA | Saint Kitts And Nevis | St. Christopher (st. Kitts) And Nevis |
| KOR | Republic Of Korea | Republic Of Korea |
| KWT | Kuwait | State Of Kuwait |
| LAO | Lao | République Démocratique Populaire Lao / Lao People's Democratic Republic |
| LBR | Liberia | Republic Of Liberia |
| LBN | Lebanon | Republique Libanaise / Republic Of Lebanon |
| LBY | Libya | Libya |
| LKA | Sri Lanka | Democratic Socialist Republic Of Sri Lanka |
| LSO | Lesotho | Kingdom Of Lesotho |
| MAC | Macao | Macao Special Administrative Region People’s Republic Of China |
| MAR | Morocco | Royaume Du Maroc / Kingdom Of Morocco |
| MCO | Monaco | Principauté De Monaco |
| MDA | Republic Of Moldova | Republica Moldova |
| MDG | Madagascar | |
| MDV | Maldives | Republic Of Maldives |
| MEX | Mexico | Mexico / Estados Unidos Mexicanos |
| MKD | North Macedonia | Република Сeβepha Македониja / Republique De Macedoine Du Nord |
| MLI | Mali | Republique Du Mali |
| MNE | Montenegro | Crna Gora / Montenegro |
| MNG | Mongolia | Mongolia |
| MOZ | Mozambique | República De Moçambique |
| MRT | Mauritania | Republique Islamique De Mauritanie / Islamic Republic Of Mauritania |
| MSR | Montserrat | Colony Of Montserrat |
| MWI | Malawi | Republic Of Malawi |
| MYS | Malaysia | Malaysia |
| NAM | Namibia | Republic Of Namibia |
| NCL | New Caledonia | République Française / Nouvelle-calédonie |
| NGA | Nigeria | Federal Republic Of Nigeria |
| NIC | Nicaragua | Republica De Nicaragua |
| NPL | Nepal | Nepal |
| NZL | New Zealand | New Zealand / Aotearoa |
| OMN | Oman | Sultanate Of Oman |
| PAK | Pakistan | Islamic Republic Of Pakistan |
| PAN | Panama | República De Panamá |
| PER | Peru | Republica Del Peru |
| PHL | Philippines | Republika Ng Pilipinas |
| PLW | Palau | Republic Of Palau |
| PRK | Democratic People's Republic Of Korea | |
| PRY | Paraguay | Republica Del Paraguay |
| PYF | French Polynesia | République Française - Polynésie Française |
| QAT | Qatar | State Of Qatar |
| RUS | Russian Federation | Российсkая Федерация |
| RWA | Rwanda | Republika Y'u Rwanda / Republic Of Rwanda / Republique Du Rwanda / Jamhuri Ya Rwanda |
| SAU | Saudi Arabia | Kingdom Of Saudi Arabia |
| SDN | Sudan | The Republic Of The Sudan |
| SEN | Senegal | République Du Sénégal |
| SGP | Singapore | Republic Of Singapore |
| SHN | Saint Helena | St. Helena |
| SLE | Sierra Leone | Republic Of Sierra Leone |
| SLV | El Salvador | Republica De El Salvador |
| SMR | San Marino | Repubblica Di San Marino |
| SOM | Somalia | Jamhuuriyadda Soomaaliya / Somali Republic |
| SRB | Serbia | Република Србија |
| SSD | South Sudan | Republic Of South Sudan |
| STP | Sao Tome And Principe | República Democrática De São Tomé E Príncipe |
| SUR | Suriname | |
| SYC | Seychelles | Republic Of Seychelles / République Des Seychelles |
| SYR | Syrian Arab Republic | Syrian Arab Republic / Republique Arabe Syrienne |
| TCA | Turks And Caicos Islands | |
| TCD | Chad | République Du Tchad |
| TGO | Togo | Republique Togolaise |
| THA | Thailand | Thailand |
| TKM | Turkmenistan | Türkmenistan / Turkmenistan |
| TLS | Timor-leste | República Democrática De Timor-leste |
| TUN | Tunisia | Republique Tunisienne / Republic Of Tunisia |
| TUR | Türkiye | Türki̇ye Cumhuri̇yeti̇ / Republic Of Türki̇ye |
| TUV | Tuvalu | Tuvalu |
| TWN | Taiwan | Taiwan |
| TZA | United Republic Of Tanzania | United Republic Of Tanzania |
| UAP | African Union Staff | African Union / Union Africaine / União Africana / Umoja Wa Afrika |
| UGA | Uganda | Republic Of Uganda |
| UKR | Ukraine | Укрaїнa / Ukraine |
| UNO | United Nations Official | United Nations / Nations Unies |
| URY | Uruguay | República Oriental Del Uruguay |
| USA | United States | United States Of America |
| UZB | Uzbekistan | O'zbekiston Respublikasi / Republic Of Uzbekistan |
| VAT | Vatican City State / Holy See | Stato Della Città Del Vaticano Santa Sede |
| VEN | Venezuela | República Bolivariana De Venezuela |
| VGB | British Virgin Islands | The Virgin Islands |
| VNM | Viet Nam | Cộng Hòa Xã Hội Chủ Nghĩa Việt Nam / Socialist Republic Of Viet Nam |
| YEM | Yemen | Republic Of Yemen |
| ZAF | South Africa | Republic Of South Africa / Republique D'afrique Du Sud |
| ZMB | Zambia | Republic Of Zambia |
| ZWE | Zimbabwe | Zimbabwe |
| XEC | Economic Community Of West African States (ecowas) | Communauté Économique Des Etats De L'afrique De L'ouest (cedeao) |
| XOM | Sovereign Military Order Of Malta | Ordre Souverain Militaire De Malte |

### Special Cases

This section includes international organizations and entities that issue valid travel documents recognized by specific jurisdictions, such as Interpol and other International Organisations.

| Code | English Name | Native / Official Name |
| :--- | :--- | :--- |
| XPO | Interpol | |
| INT | International Organisations | |
| OPT | Occupied Palestinian Territory | |
| XKX | Kosovo | |

## Unsupported Clients Origin

Archonite maintains a strict policy regarding the onboarding of business clients. While our identity verification engine **technically supports** the processing of documents from the countries listed below (meaning end-users with these IDs can be verified), we **do not accept service agreements, payments, or onboarding requests** from business entities (Clients) domiciled in these jurisdictions. This policy ensures our compliance with international banking regulations and sanctions protocols.

| Code | English Name | Native / Official Name |
| :--- | :--- | :--- |
| CUB | Cuba | Republica De Cuba |
| IRN | Islamic Republic Of Iran | |
| PAN | Panama | República De Panamá |
| PRK | Democratic People's Republic Of Korea | |
| RUS | Russian Federation | Российсkая Федерация |
| SYR | Syrian Arab Republic | Syrian Arab Republic / Republique Arabe Syrienne |
| VEN | Venezuela | República Bolivariana De Venezuela |
| VNM | Viet Nam | Cộng Hòa Xã Hội Chủ Nghĩa Việt Nam / Socialist Republic Of Viet Nam |
| YEM | Yemen | Republic Of Yemen |
| ZAF | South Africa | Republic Of South Africa / Republique D'afrique Du Sud |

### HIPAA Compliance & Security Standards

Archonite is committed to maintaining the highest standards of data security and privacy, particularly when handling electronic Protected Health Information (ePHI). This document outlines our adherence to the Health Insurance Portability and Accountability Act (HIPAA) through our technical infrastructure, administrative policies, and physical safeguards.

## **Technical Safeguards**

Archonite's architecture is built on the principle of **Security by Design**.

### **1. Access Control**

We ensure that only authorized personnel and systems can access ePHI through a multi-layered identity framework.

- **Unique User Identification (Fingerprinting):** Archonite employs a proprietary "Fingerprinting" system. Every entity—including users, businesses, customers, API logs, and data records—is assigned a unique, immutable cryptographic fingerprint. This ensures absolute traceability and prevents identity collision across our global infrastructure.
- **Emergency Access Procedure:** In the event of a critical system failure or emergency, authorized administrators can initiate a secure recovery protocol. This involves a multi-stage verification:
  1. Request initiated via [dpo@archonite.xyz](mailto:dpo@archonite.xyz).
  2. An encrypted, time-sensitive verification link is sent to the registered primary contact.
  3. Upon successful 2FA verification, a secondary single-use link is generated, allowing the secure download of necessary information in a hardened environment.
- **Automatic Logoff:** To prevent unauthorized access from unattended workstations, Archonite enforces strict session timeouts:
  - **Internal Support Staff:** Sessions expire and require re-authentication every **4 hours**.
  - **Client Dashboard/Portal:** Sessions expire after **4 hours**.
- **Encryption & Decryption:**
  - **At Rest:** All sensitive data is encrypted using **AES-256** encryption at rest.
  - **Credential Security:** User passwords and sensitive identifiers are hashed, digested, and salted using the **AES-256** algorithm, the industry standard for resisting brute-force and GPU-based attacks.

### **2. Audit Controls**

Archonite maintains a comprehensive and immutable audit trail for all activities within the ecosystem.

- **Activity Logging:** We log all internal and external API calls, authentication events (logins/logouts), account configuration changes, billing activities, and KYC/Identity verification milestones.
- **Log Immutability & Governance:** Log databases are decoupled from primary application databases and are accessible only to **Tier-3 Management (e.g., CTO)**. Manual modifications to database schemas or records are strictly prohibited without documented CTO approval and are subject to internal compliance audits.

### **3. Integrity & Authentication**

- **Authentication of ePHI:** We use digital signatures and checksums to ensure that ePHI has not been altered or destroyed in an unauthorized manner during storage or transit.
- **Entity Authentication:** Archonite enforces **Mandatory Multi-Factor Authentication (MFA/2FA)**. Users and clients cannot disable these security methods, ensuring that possession of a password alone is never sufficient for account access.
- **Data Integrity & Disaster Recovery:** Archonite maintains encrypted, immutable backups ("Retrievable Exact Copies") of all databases. These backups are generated every **1 hour** and stored in a geographically redundant region to ensure business continuity and data restoration in the event of a catastrophic failure or ransomware attack.

### **4. Transmission Security**

- **Integrity Controls:** Data is exclusively transferred over **HTTPS (TLS 1.3)** connections. Plaintext or unsecured connections (HTTP) are blocked by default, except in isolated, sandboxed test environments.
- **Archonite Signed Payload (ASP):** In addition to standard transport layer security, we utilize **Archonite Signed Payloads (ASP)** for all data transfers containing ePHI. This adds a layer of application-level encryption and signing, ensuring that payloads cannot be intercepted or tampered with even if the underlying TLS layer were compromised.

## **Administrative Safeguards**

Our administrative policies focus on the "Human Element" of security, managed by a combination of AI-driven oversight and expert human review.

### **1. Risk Analysis & Management**

Archonite utilizes a **Guardrail Sentinel AI**—a specialized autonomous agent that monitors system health and security patterns in real-time.

- **Real-time Analysis:** The Sentinel AI performs continuous risk analysis, identifying potential fraud or security anomalies.
- **Human Oversight:** While the Sentinel provides high-speed analysis, all critical security escalations, sanction policies, and risk management decisions are reviewed by a human **Security Official** before final action is taken.

### **2. Workforce Security & Management**

All employees at Archonite undergo rigorous vetting and continuous monitoring.

- **Workforce Clearance:** All personnel are required to submit and renew a valid **Police Clearance** (or international equivalent) upon expiration of their previous one.
- **Zero Tolerance Policy:** Failure to maintain valid clearances or adhere to security protocols results in immediate suspension and potential termination.
- **Termination Procedures:** Access to all systems, including Cloud VMs and internal tools, is revoked instantly upon the termination of a workforce member's contract.
- **Security Awareness Training:** Beyond initial vetting, all personnel undergo mandatory **Security Awareness and HIPAA Training** upon hire and annually thereafter. This ensures every team member remains up-to-date on current phishing tactics, social engineering threats, and privacy obligations.

## **Physical Safeguards**

As a cloud-native platform, Archonite extends physical security from the data center to the employee's workstation.

- **Cloud-Native Workstations:** Archonite employees do not handle data on local hardware. All work is performed within **Custom Cloud VMs**. These environments are locked down to prevent data extraction (copy-pasting or downloading information outside the VM is disabled).
- **IP Whitelisting & Monitoring:** Employee workstations are monitored 24/7. Support tools are only accessible from the specific IP addresses assigned to the Cloud VMs; all other connection attempts are automatically blocked.
- **Media & Device Controls:**
  - **Disposal:** Disposal of customer information is governed by the specific mandated laws of the customer's jurisdiction (e.g., GDPR-compliant erasure or HIPAA-compliant data destruction).
  - **Media Re-use:** We follow strict NIST-compliant procedures for the removal of ePHI from electronic media before any hardware is repurposed or decommissioned by our cloud providers.
- **Business Associate Agreements (BAA):** Archonite ensures that all third-party vendors handling ePHI (such as cloud hosting and database providers) are bound by valid Business Associate Agreements, ensuring they maintain compliance with HIPAA security and privacy rules.

## **Privacy Rule & Software Features**

The HIPAA Privacy Rule establishes the "Patient's Right of Access." Archonite includes features to support these rights technically.

- **Right of Access:** End-users (customers) may request access to their verified data through the client business's portal or by direct request to Archonite support.
- **Right of Amendment:** To maintain data integrity, records can only be updated via authorized API calls or manual requests from the verified client business, ensuring changes are documented and legitimate.
- **Accounting of Disclosures:** Every instance where user information is accessed is logged and made visible to authorized administrators with the appropriate privilege level, providing a transparent history of data disclosure.
- **Minimum Necessary Principle:** Archonite strictly adheres to the "Minimum Necessary" standard. We do not collect or store clinical histories (e.g., patient medical records). Our scope is limited to identity verification; as such, support representatives can never view clinical data that is irrelevant to the verification process.

## **Breach Notification Rule**

In the unlikely event of a security incident, Archonite has a clear and rapid response plan.

- **Detection & Identification:** Affected users and data segments are immediately identified and filtered using our auditing tools.
- **Notification:** Archonite will notify affected clients within **48 hours** without undue delay, providing a full report on the incident and steps taken to remediate the damage.

### GDPR Compliance - Data Privacy & Protection Standards

Archonite is committed to upholding the highest standards of data privacy and organizational security. For our partners operating within the European Economic Area (EEA) or managing the data of EU citizens, we ensure comprehensive alignment with the **General Data Protection Regulation (GDPR)**. This document provides a technical and operational overview of our legal framework, architecture, and the features designed to facilitate our clients' compliance obligations.

## **I. Legal Framework & Data Governance**

Adherence to GDPR requires a transparent and legally binding framework governing the relationship between Data Controllers and Data Processors.

### **1. Data Processing Agreement (DPA)**

Archonite serves as a **Data Processor** under the GDPR. We require all EU-based clients and businesses processing data of EU subjects to execute a **Data Processing Agreement (DPA)** prior to account activation.

- **Article 28 Compliance:** Our DPA serves as the legal instrument defining the scope, nature, and purpose of data processing, ensuring that Archonite acts only upon the documented instructions of the Data Controller.
- **Sub-Processor Management:** Archonite utilizes a rigorously vetted network of infrastructure providers. We maintain an up-to-date list of all sub-processors, their locations, and their processing roles. We agree to notify the Controller prior to any changes to this list, granting the right to object to new sub-processors. [List of Archonite sub-processors](/docs/general/00009-archonite-subprocessors)

### **2. Lawful Basis for Processing (Articles 6 & 9)**

We facilitate the collection of valid lawful bases for all processing activities performed within the Archonite ecosystem.

- **Explicit Biometric Consent:** Processing biometric data (Special Category Data under Article 9) necessitates explicit, informed consent. Archonite's KYC flow includes a mandatory consent module: _"I consent to the processing of my biometric data for the sole purpose of identity verification and fraud prevention."_
- **Regulatory Conflict Resolution (AML vs. GDPR):** Under the "Legal Obligation" basis (Article 6(1)(c)), Archonite's adherence to **Anti-Money Laundering (AML)** regulations requires the retention of specific identity records for a minimum of **6 years** that starts during the active relationship.
- **Retention Primacy:** In instances where AML laws mandate data retention, this legal obligation takes precedence over a "Right to Erasure" request, but only for the specific data points required by law.

### **3. Data Protection Officer (DPO)**

Archonite has appointed a dedicated Data Protection Officer to oversee our privacy strategy and serve as a point of contact for supervisory authorities.

- **Contact:** [dpo@archonite.xyz](mailto:dpo@archonite.xyz)

## **II. Technical Architecture & Security (Article 32)**

Archonite's infrastructure is built on the principle of **Privacy by Design**, implementing robust technical and organizational measures to safeguard data.

### **1. Data Residency & Sovereignty**

We recognize the importance of data residency for EU-based enterprises.

- **EU Region Hosting:** Enterprise customers with high verification volumes have the option to provision resources within EU-based data centers, ensuring that personal data remains within the EEA.
- **Data Transfer Safeguards:** Archonite operates legally as a "Third Country" processor. To guarantee compliance with Chapter V of the GDPR (Transfers), we automatically incorporate the latest Standard Contractual Clauses (SCCs) into our Data Processing Agreement. Furthermore, our "Cloud-Native Workstation" policy ensures that our support staff access EU data only through secure, non-persistent Virtual Desktop Environments (VDI) located within the EEA, minimizing data export risks.

### **2. Cryptographic Controls**

- **Encryption at Rest:** All PII—including names, identification numbers, and ID document images—is stored using **Argon2** encryption.
- **Encryption in Transit:** We enforce **TLS 1.3** across all API endpoints.
  Unsecured connections are programmatically rejected.
- **Pseudonymization & Fingerprinting:** To ensure absolute auditability for AML compliance, Archonite utilizes our proprietary "Identity Fingerprinting" system. While data is not pseudonymized in the active processing layer to facilitate immediate fraud detection, every record is cryptographically anchored to a unique, immutable ID. This allows us to precisely segregate and retrieve data for DSARs without exposing the raw identity set to unauthorized sub-systems.

### **3. Data Minimization & Accuracy**

- **Storage of Intent:** Archonite does not retain unsubmitted or abandoned sessions. For incomplete verifications, we only store metadata (session fingerprint, connection logs, and intent ID) for security and debugging purposes.
- **Minimal Biometric Footprint:** We store only the raw high-resolution frames required for facial verification. Archonite does **not** retain or store audio or video recordings during the KYC process.

## **III. Data Subject Rights**

We provide the technical tools necessary for our clients to honor Data Subject Access Requests (DSARs).

### **1. The Right to Erasure (Article 17)**

Clients can programmatically initiate the deletion of user data via our **Delete User API Endpoint**. The API automatically evaluates whether the user's data is eligible for deletion or must be retained for the mandatory AML holding period.

### **2. Fraud Prevention Exception (Legitimate Interest)**

If a user is flagged for fraudulent activity, Archonite retains a non-invertible cryptographic hash of the user's identity markers. This is documented under **"Legitimate Interest"** (Article 6(1)(f)), as it is essential for preventing future fraud across the Archonite network.

### **3. Backup Integrity & Rotation**

Deletion requests propagate to our backup systems through a **30-day rotation cycle**. Once a record is deleted from production, it will be fully purged from all backup media within 30 days.

## **IV. Operational Readiness & Accountability**

### **1. Record of Processing Activities (RoPA)**

Archonite maintains a rigorous RoPA detailing:

- **Data Categories:** KYC metadata, PII, and biometric data.
- **Processing Purpose:** Identity verification and regulatory AML compliance.
- **Retention Policy:** Data is retained for the duration of the client relationship, or for **6 years** following account closure as mandated by global financial regulations.

### **2. Security Incident Response**

In the event of a suspected data breach, Archonite follows a structured Incident Response Plan:

- **Identification:** Rapid filtering of affected segments using immutable audit logs.
- **Notification:** In accordance with Article 33(2), Archonite will notify affected Data Controllers **without undue delay (and in no case later than 48 hours)** after becoming aware of the breach, enabling our partners to fulfill their 72-hour reporting obligations to supervisory authorities.

## **V. Compliance-Centric Features**

- **Immutable Audit Logs:** Access logs detailing every instance of PII retrieval are available via API, supporting the principle of **Accountability**.
- **Data Portability (Article 20):** Clients can export a user's full verification package in a machine-readable **JSON** format, accompanied by a secure archive of all associated images, to facilitate portability requests.

## **Support & Compliance Inquiries**

For inquiries regarding our Data Processing Agreement or to submit a regulatory request, please contact our Compliance Team:

- **General Support:** [support@archonite.xyz](mailto:support@archonite.xyz)
- **Data Protection Officer:** [dpo@archonite.xyz](mailto:dpo@archonite.xyz)

---

Archonite Ltd., 69 Patri Felicjan Bilocca St, Marsa, Malta MRS1521

### Minimum Viable Secure Product (MVSP) Declaration

**Archonite Ltd. (Malta)** is built on a foundation of defensive security and radical transparency. We recognize that in the modern threat landscape, trust is not granted—it is verified. This document serves as our formal attestation against the **Minimum Viable Secure Product (MVSP)** framework. It details the specific technical implementations, administrative policies, and architectural decisions that ensure Archonite meets the rigorous security baselines required by enterprise application procurement teams.

## **1. Business Controls**

_Governance, Compliance, and Incident Management._

### **1.1 Vulnerability Reporting & Disclosure**

**Requirement:** Provide a point of contact for security researchers and a clear process for reporting vulnerabilities.

**Archonite Implementation:** We maintain a standards-compliant `security.txt` file at the root of our domain (`https://archonite.xyz/security.txt`), ensuring discoverability for researchers.

- **Reporting Channel:** Vulnerabilities may be submitted directly to **[dpo@archonite.xyz](mailto:dpo@archonite.xyz)**.
- **SLA:** We commit to a human acknowledgment of all non-automated reports within **48 hours**.
- **Safe Harbor:** We guarantee legal safe harbor for researchers acting in good faith to identify issues without exploiting them or affecting user data.

### **1.2 Compliance & Self-Assessment**

**Requirement:** Comply with relevant industry standards and perform annual security reviews.

**Archonite Implementation:** Archonite operates under a "Continuous Compliance" model rather than relying solely on static annual audits.

- **Regulatory Alignment:** We are fully aligned with **HIPAA** (US Healthcare) and **GDPR** (EU Data Privacy).
- **Automated Auditing:** Our proprietary **Guardrail Sentinel AI** performs real-time, heuristic analysis of our infrastructure configurations (IaC) and access logs, flagging potential non-compliance events immediately.
- **Artifacts:** Detailed compliance papers for HIPAA and GDPR are publicly available for vendor due diligence.

### **1.3 Incident Handling & Notification**

**Requirement:** A documented process to handle security incidents and notify customers without undue delay.

**Archonite Implementation:** Our Incident Response Plan (IRP) is triggered automatically upon the detection of confirmed unauthorized access or data exfiltration.

- **Notification Timeline:**
  - **Global/HIPAA Clients:** Notified within **48 hours** without undue delay (US Standard) or sooner as dictated by local jurisdiction.
- **Communication Method:** Critical security alerts are broadcast via the **Archonite Signed Payload (ASP)** webhook system to ensure the authenticity of the message, followed by email to the registered Primary Contact.

## **2. Application Design Controls**

_Architecture, Authentication, and Encryption._

### **2.1 Password Policy & Storage**

**Requirement:** No arbitrary length limits (min 8, max >64); use strong, salted hashing.

**Archonite Implementation:** We have deprecated legacy hashing methods (MD5, SHA-1) entirely.

- **Algorithm:** All credentials and API secrets are hashed using **Argon2id**, the winner of the Password Hashing Competition (PHC), configured with memory-hard and CPU-hard parameters to resist GPU-based cracking.
- **MFA Enforcement:** Multi-Factor Authentication (MFA/2FA) is **mandatory** for all client dashboards. There is no option to disable MFA, mitigating the risk of credential stuffing attacks.

### **2.2 Encryption & HTTPS**

**Requirement:** All traffic must be encrypted in transit; sensitive data encrypted at rest.

**Archonite Implementation:**

- **In Transit:** We enforce **TLS 1.3** across all public and private API endpoints. Older protocols (TLS 1.0/1.1/1.2) are blocked at the load balancer level. We utilize **HSTS (HTTP Strict Transport Security)** with `includeSubDomains` and `preload` directives to prevent protocol downgrade attacks.
- **At Rest:** All persistence layers (databases, object storage) are encrypted using industry-standard **Argon2 (GCM mode)**.
- **Key Management:** Encryption keys are rotated automatically every 90 days.

### **2.3 Single Sign-On (SSO)**

**Requirement:** Support modern federation standards (SAML, OIDC).

**Archonite Implementation:** For Enterprise plans, Archonite supports **OIDC (OpenID Connect)** and **SAML 2.0** integration, allowing clients to manage access via their own Identity Providers (Okta, Azure AD, Google Workspace).

## **3. Application Implementation Controls**

_Coding Standards, Validation, and Dependencies._

### **3.1 Sensitive Data Identification (SDI)**

**Requirement:** Maintain a catalog of sensitive data and minimize its retention.

**Archonite Implementation:**

- **Identity Fingerprinting:** Archonite utilizes a proprietary "Fingerprinting" system. Every data packet entering our system is tagged with a unique, immutable ID. This allows us to track the exact location of ePHI and PII across our distributed architecture.
- **Data Minimization:** We adhere to strict retention schedules. Unsubmitted KYC sessions are purged automatically after 24 hours. Verified identities are retained only as long as required by AML laws (6 years) or the client's contract.

### **3.2 Input Validation & Injection Prevention**

**Requirement:** Validate all input; use parameterized queries to prevent SQLi and XSS.

**Archonite Implementation:**

- **SQL Injection:** Direct SQL execution is prohibited. All database interactions occur via a strictly typed ORM (Object-Relational Mapping) layer that uses parameterized queries by default.
- **Cross-Site Scripting (XSS):** Our frontend architecture relies on **React/Next.js**, which automatically escapes content before rendering. Content Security Policy (CSP) headers are strictly enforced to prevent the loading of unauthorized scripts.
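
A check a customer's security reviewer could run over response headers to confirm the HSTS directives described in 2.2 and the script restrictions described in 3.2. This is an added example, not Archonite's code; the one-year `max-age` floor (the HSTS preload list's minimum), the set of script sources treated as weak, and the sample header values are assumptions of the example.

```javascript
// Added example, not Archonite code. Thresholds are this example's assumptions.
const MIN_MAX_AGE = 31536000; // one year, the minimum the HSTS preload list accepts

// Returns null when a directive repeats: RFC 6797 makes such a header invalid.
function parseHsts(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const [rawName, ...rest] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    if (directives.has(name)) return null;
    directives.set(name, rest.join("=").trim().replace(/^"(.*)"$/, "$1"));
  }
  return directives;
}

function checkHsts(value) {
  const d = typeof value === "string" ? parseHsts(value) : null;
  if (!d) return ["HSTS header missing or malformed"];
  const findings = [];
  const maxAge = d.get("max-age") || "";
  if (!/^\d+$/.test(maxAge)) findings.push("HSTS max-age missing or not an integer");
  else if (Number(maxAge) < MIN_MAX_AGE) findings.push(`HSTS max-age ${maxAge} is below ${MIN_MAX_AGE}`);
  if (!d.has("includesubdomains")) findings.push("HSTS lacks includeSubDomains");
  if (!d.has("preload")) findings.push("HSTS lacks preload");
  return findings;
}

// Scripts are governed by script-src, falling back to default-src.
function checkCsp(value) {
  if (typeof value !== "string" || !value.trim()) return ["CSP header missing"];
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive counts.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  const scriptSources = policy.get("script-src") || policy.get("default-src");
  if (!scriptSources) return ["CSP sets neither script-src nor default-src"];
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = scriptSources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  const weak = scriptSources.filter((s) => {
    const src = s.toLowerCase();
    return src === "*" || src === "data:" || src === "'unsafe-eval'" ||
      (src === "'unsafe-inline'" && !hasNonceOrHash);
  });
  return weak.map((s) => `CSP script source ${s} permits unvetted scripts`);
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return [...checkHsts(h["strict-transport-security"]), ...checkCsp(h["content-security-policy"])];
}

// Constructed header sets (not captured from archonite.xyz).
const STRONG = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-c29tZW5vbmNl'",
};
const WEAK = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src *; img-src data:",
};
```

`auditHeaders(STRONG)` returns an empty list, while `auditHeaders(WEAK)` returns four findings: three for HSTS and one for the wildcard script source inherited from `default-src`.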

### **3.3 Dependency Management**

**Requirement:** Patch libraries regularly and scan for vulnerabilities.

**Archonite Implementation:**

- **Supply Chain Security:** Our CI/CD pipeline blocks any build that contains a dependency with a **Critical** or **High** severity CVE.
- **Automated Scanning:** We utilize automated Software Composition Analysis (SCA) tools to monitor our `npm` packages and container images for known vulnerabilities daily.

## **4. Operational Controls**

_Access, Physical Security, and Disaster Recovery._

### **4.1 Logical Access Control**

**Requirement:** Least privilege; timely revocation; logging.

**Archonite Implementation:**

- **Tiered Access:** Access to production environments is restricted to **Tier-3 Management (CTO/Lead DevOps)**. Support staff have zero direct access to raw database tables.
- **JIT Access:** Production access requests require "Just-In-Time" approval and are valid only for a limited window (e.g., 1 hour) to perform a specific task.
- **Revocation:** Offboarding is centralized. Terminating a staff member's account in our IdP instantly revokes access to all internal tools, cloud consoles, and code repositories.

### **4.2 Physical & Remote Workstation Security**

**Requirement:** Secure the devices used to access the application.

**Archonite Implementation:** Archonite solves the "remote endpoint" risk by removing data from the endpoint entirely.

- **Cloud-Native Workstations:** All technical staff operate exclusively within isolated **Virtual Desktop Environments (VDI)** hosted in secure data centers.
- **Data Exfiltration Block:** These VDI environments are hardened to disable clipboard sharing (copy-paste out), USB mounting, and local file transfers. No customer data ever resides on a physical laptop.

### **4.3 Backups & Disaster Recovery**

**Requirement:** Backups stored in a separate location; tested regularly.

**Archonite Implementation:**

- **Retrievable Exact Copies:** Encrypted snapshots of all databases are taken every **1 hour**.
- **Geographic Redundancy:** Backups are replicated to a "Cold Storage" region geographically distinct from the primary cluster to survive regional catastrophes.
- **Testing:** We perform a full "Point-in-Time Recovery" drill quarterly to verify data integrity.

### **4.4 Third-Party Vendor Management**

**Requirement:** Vet all sub-processors and vendors.

**Archonite Implementation:** We minimize our vendor footprint to reduce surface area. All critical infrastructure providers (e.g., Cloud Hosting, Database Providers) must possess **SOC 2 Type II** or **ISO 27001** certifications. We review these reports annually.

## **Attestation**

We hereby certify that the security controls detailed above are implemented and active within the Archonite production environment.

**Date:** January 21, 2026

**The Archonite Security Team**

### Cookie & Tracking Technologies Use Policy

This **Cookie & Tracking Technologies Use Policy** explains how Archonite ("we", "us", or "our") uses cookies and similar storage technologies when you use our API, dashboard, or client-side verification SDKs.

## **1. What are these technologies?**

We use two primary types of local data storage to ensure the security and functionality of our platform:

- **Cookies:** Small text files stored on your device that allow our servers to recognize your session.
- **Local & Session Storage:** Browser-based storage mechanisms that allow us to persist your authentication state (e.g., keeping you logged in) for up to 4 hours before timeout, without sending data to the server with every single request.

## **2. How We Use Them (The Categories)**

Under the GDPR and ePrivacy Directive, we categorize our usage into **Strictly Necessary** and **Functional**. Archonite prioritizes a "minimalist" approach to tracking.

### **A. Strictly Necessary (Essential)**

These technologies are fundamental to the operation of the Archonite platform. Without them, we cannot provide the services you have requested (such as logging in or verifying an identity). **These do not require user consent.**

| Name / Key | Type | Provider | Purpose | Duration |
| --- | --- | --- | --- | --- |
| `c_session` | Cookie | Archonite | **Session Management.** Stores a cryptographically signed JWT containing your session identifier, IP address, and user-agent string to prevent session hijacking. | 4 Hours |
| `x-archonite-csrf` | Header | Archonite | **Security.** A unique token managed in our database and passed via request headers to protect against Cross-Site Request Forgery (CSRF) attacks. | Short-lived (Single Use) |
| `sb-{id}-auth-token` | Local Storage | Supabase | **Dashboard Auth.** Stores your active dashboard session token for secure communication with our backend persistence layer. | Persistent (until logout) |
| `__stripe_mid`, `__stripe_sid` | Cookie / Script | Stripe | **Fraud Prevention.** Essential for payment security (Stripe Radar) to detect high-risk transactions and prevent card testing attacks. | 1 Year / 30 Mins |

### **B. Security & Fraud Detection (Operational)**

Archonite utilizes specific digital signals to protect our users and infrastructure from automated attacks, account takeovers, and fraudulent verification attempts.

- **Client IP Address:** Collected to enforce rate limiting, prevent DDoS attacks, and verify geographic consistency during identity checks.
- **User-Agent & Device Fingerprint:** Analyzed (and sometimes salted/hashed) to detect emulators, identify bot traffic, and ensure that a session remains bound to the original device.
- **Activity Logging:** We record high-level actions (e.g., "login successful", "document uploaded") alongside session metadata to provide an audit trail for your security.

## **3. Third-Party Analytics & Scripts**

_Currently, Archonite does not utilize third-party tracking pixels (such as Meta Pixel) or invasive ad-tech cookies._

Archonite is committed to a clean, privacy-first experience. We have opted out of common third-party trackers to ensure your data remains within our secure perimeter.

- **Vercel Analytics:** We use server-side metrics to monitor the latency and error rates of our API endpoints. This process is handled externally to your browser and does not install any cookies or tracking scripts on your device.

Note: While we do not use marketing pixels, we do utilize Stripe.js for payment security. This script is strictly limited to tokenizing payment information and detecting fraud (e.g., bot prevention) during the checkout process used mainly by Polar.

## **4. Managing Your Preferences**

Because Archonite primarily uses **Strictly Necessary** technologies for security and session integrity, disabling these in your browser will significantly degrade or break the application (e.g., you will be unable to maintain an active session).

However, you can control cookie behavior at the browser level:

- **Google Chrome:** Settings > Privacy and security > Cookies and other site data
- **Mozilla Firefox:** Settings > Privacy & Security > Cookies and Site Data
- **Safari:** Preferences > Privacy

## **5. Updates to This Policy**

We may update this policy periodically to reflect changes in our technical architecture or security controls. The "Last Update" date at the top of this document will always reflect the most recent version.

### List of Archonite Subprocessors

To provide our global Identity Verification (IDV) and Know Your Customer (KYC) services, Archonite engages select third-party entities ("Subprocessors") to process Customer Data.
This document serves as our public disclosure in accordance with **Article 28 of the GDPR** and other global privacy frameworks. It details the identity, location, and role of each Subprocessor.

## 1. Definitions

- **Subprocessor:** A third-party data processor engaged by Archonite, who has or potentially will have access to or process Service Data (which may contain Personal Data).
- **Infrastructure Provider:** A vendor that provides the physical or virtual hardware (cloud) upon which the Archonite platform runs.
- **Service Partner:** A vendor that provides specific functionality (e.g., email delivery, payments) integrated into the Archonite platform.

## 2. Authorized Subprocessors

The following entities are currently authorized to process data on behalf of Archonite. We ensure that all listed sub-processors are rigorously vetted and bound by data protection obligations consistent with our own standards.

| Entity Name | Corporate Location | Purpose / Role | Service Details |
| --- | --- | --- | --- |
| **Vercel Inc.** | United States | Cloud Infrastructure & Hosting | Hosts our API endpoints and provides server-side metrics to monitor latency and error rates. |
| **Google LLC (Gemini API)** | United States | Artificial Intelligence (AI) | Powers our "AI-driven anomalies detection" for traffic patterns and performs "AI review" and "Liveness Detection" on verification data. |
| **Supabase Inc.** | United States | Database & Storage | Provides secure database hosting and persistence for encrypted user states and audit logs. |
| **Polar Software Inc.** | Sweden (HQ) / United States (Processing) | Payment Processing | Acts as Merchant of Record (MoR). **Powered by Stripe**; payment data is processed via Stripe's global infrastructure (primarily US) for fraud detection and settlement. |
| **Hostinger International Ltd.** | Lithuania | Email Services | Facilitates the "Branded Verification Mailbox" services and handles support correspondence (e.g., [support@archonite.xyz](mailto:support@archonite.xyz)). |
| **GitHub Inc.** | United States | Source Code Management | Used for version control and CI/CD pipelines to maintain our "Developer-first API" and SDKs. |

These Subprocessors are critical to the delivery of the Archonite API and Platform. Removal or failure of these services would result in a total service outage.

## 3. Due Diligence & Security Controls

As detailed in our [MVSP Declaration](/docs/general/00007-mvsp-declaration), Archonite adheres to a "Least Privilege" and "Minimal Surface Area" philosophy when selecting vendors.

Before onboarding a new Subprocessor, the Archonite Security Team conducts a risk assessment covering:

- **Security Certifications:** Preference for SOC 2 Type II, ISO 27001, or equivalent attestations.
- **GDPR Alignment:** Verification of the vendor's ability to support Data Subject Rights (deletion, export, rectification).
- **Data Residency:** Assessment of the physical location of servers to ensure compliance with data sovereignty laws.

## 4. Data Residency & Sovereignty

### 4.1 Default Region

By default, Archonite's primary infrastructure (Vercel/Supabase) is provisioned in EU-Frankfurt for clients subject to European Economic Area (EEA) Standard Contractual Clauses (SCCs) and US-East (N. Virginia) for the rest to ensure maximum global availability and lowest latency.

### 4.2 EU Residency

For consignees that use the packages with AML, CTF, and PEP checks, Archonite utilizes region-pinning features provided by our infrastructure partners (specifically Supabase and Vercel) to ensure that Data at Rest remains within the European Economic Area (EEA), specifically Frankfurt (Germany).

## 5. Updates & Notifications

Archonite agrees to notify the Data Controller (our client) prior to any changes to this list, granting the right to object to new sub-processors.

For inquiries regarding specific data locations or to request our latest vendor audit reports, please contact our Data Protection Officer at [dpo@archonite.xyz](mailto:dpo@archonite.xyz).

## 6. Right to Object

If you have a legitimate reason to object to a new Subprocessor (e.g., due to a competitor conflict or specific compliance failure), you may submit a formal objection to [dpo@archonite.xyz](mailto:dpo@archonite.xyz) within 10 days of the notification. If we cannot accommodate your objection, you may have the right to terminate your agreement with Archonite under predefined conditions.

## API Reference

### API Overview

# Overview

Welcome to the **Archonite API** documentation. Our API allows you to integrate powerful KYC and identity verification checks directly into your application.

## Getting Started

To get started, you will need an API key. You can generate one in your [Founders Console](/dashboard).

```bash
curl -X GET "https://api.archonite.xyz/v1/user" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

## Base URL

All API requests should be made to:

`https://api.archonite.xyz/v1`

### Archonite MCP Server

The Archonite MCP Server provides a standardized interface for AI models and agents to interact with Archonite's internal documentation and resources. By leveraging the **Model Context Protocol (MCP)**, Archonite allows LLMs to dynamically discover and read documentation.

## Production Endpoint

The Archonite MCP server is available at the following production URL:

```text
https://archonite.xyz/mcp
```

This endpoint is a read-only interface specifically optimized for AI agents and developer tools.

## Available Tools

The MCP server exposes several tools that agents can use to navigate the Archonite documentation library.

### `list_documentation`

Returns a comprehensive list of all documentation files available in the Archonite system.

- **Arguments**: None
- **Returns**: An array of relative paths (e.g., `help/00001-what-is-archonite.md`).

### `read_documentation`

Reads the full content of a specified documentation file.

- **Arguments**:
  - `path` (string, required): The relative path of the file to read (example: `api/00001-introduction.md`).
- **Returns**: The raw Markdown content of the file.

## Editor & Agent Setup

You can integrate Archonite's documentation directly into your favorite AI-powered development environments.

### Windsurf (Codeium)

Archonite MCP is fully compatible with Windsurf's **Cascade** agent. To connect Windsurf to Archonite:

1. Open **Windsurf Settings**.
2. Go to **Cascade** > **MCP Servers**.
3. Click **Add New MCP Server**.
4. Select **HTTP/SSE**.
5. Enter the URL: `https://archonite.xyz/mcp`
6. Click **Save**.

Cascade will now be able to retrieve context from the Archonite library.

### Cursor IDE

To add Archonite's documentation to Cursor:

1. Open **Cursor Settings** (Cmd+Shift+J or Ctrl+Shift+J).
2. Navigate to **Features** -> **MCP**.
3. Click **+ Add New MCP Server**.
4. Enter the following details:
   - **Name**: `Archonite`
   - **Type**: `SSE` (Required for URL-based servers)
   - **URL**: `https://archonite.xyz/mcp`

Click **Save**. Cursor will now be able to use the `list_documentation` and `read_documentation` tools to provide better context for your queries.

### Claude Desktop

To connect Claude Desktop to a remote SSE endpoint, you must use a bridge adapter (since Claude Desktop primarily communicates via stdio).

Add the following to your `claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "archonite": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://archonite.xyz/mcp"
      ]
    }
  }
}
```

_(Note: This configuration uses the `mcp-remote` package to bridge the remote SSE stream to Claude's local standard input/output)._

## Usage Example (CURL)

You can verify the connection manually using `curl`. Note that because this is an SSE endpoint, a standard POST might hang waiting for an event stream unless you hit the initialization endpoint specifically.

To check tool availability (via JSON-RPC POST):

```bash
curl -X POST https://archonite.xyz/mcp/messages \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "list_documentation",
      "arguments": {}
    },
    "id": 1
  }'
```
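
An agent integration should treat what the documentation server returns as untrusted input. The following added example (not Archonite's code) builds `tools/call` requests for the two documented tools and validates the JSON-RPC reply before using it. It assumes tool output arrives as MCP text content items with `list_documentation`'s array serialized as JSON inside that text, that valid paths follow the shape of the page's examples, and all helper names are hypothetical.

```javascript
// Added example, not Archonite code. Assumption: tool output arrives as MCP
// text content items, and list_documentation's array is JSON inside that text.
const TOOLS = { list_documentation: [], read_documentation: ["path"] };
// Relative Markdown paths shaped like the page's example api/00001-introduction.md
const DOC_PATH = /^[a-z0-9][a-z0-9_-]*(\/[a-z0-9][a-z0-9._-]*)*\.md$/i;

function isSafeDocPath(path) {
  return typeof path === "string" && path.length <= 256 &&
    DOC_PATH.test(path) && !path.includes("..");
}

let nextId = 1;
// Build a tools/call request, refusing unknown tools, stray arguments and unsafe paths.
function buildToolCall(name, args = {}) {
  if (!Object.prototype.hasOwnProperty.call(TOOLS, name)) throw new Error(`unknown tool: ${name}`);
  const extra = Object.keys(args).filter((k) => !TOOLS[name].includes(k));
  if (extra.length) throw new Error(`unexpected argument(s): ${extra.join(", ")}`);
  if (name === "read_documentation" && !isSafeDocPath(args.path)) {
    throw new Error("path must be a relative .md path without '..'");
  }
  return { jsonrpc: "2.0", id: nextId++, method: "tools/call", params: { name, arguments: args } };
}

// Check a JSON-RPC reply against its request and return the tool's text output.
function readToolResult(request, replyText) {
  let reply;
  try { reply = JSON.parse(replyText); } catch (e) { throw new Error("reply is not JSON"); }
  if (!reply || typeof reply !== "object" || reply.jsonrpc !== "2.0") throw new Error("not a JSON-RPC 2.0 reply");
  if (reply.id !== request.id) throw new Error("reply id does not match request id");
  if (reply.error) throw new Error(`JSON-RPC error ${reply.error.code}: ${reply.error.message}`);
  const result = reply.result;
  if (!result || !Array.isArray(result.content)) throw new Error("result has no content array");
  const text = result.content
    .filter((c) => c && c.type === "text" && typeof c.text === "string")
    .map((c) => c.text)
    .join("\n");
  if (result.isError) throw new Error(`tool reported an error: ${text}`);
  return text;
}

// list_documentation: apply the request-side path check to what the server returns.
function parseDocList(request, replyText) {
  const paths = JSON.parse(readToolResult(request, replyText));
  if (!Array.isArray(paths)) throw new Error("expected an array of paths");
  return {
    accepted: paths.filter(isSafeDocPath),
    rejected: paths.filter((p) => !isSafeDocPath(p)),
  };
}

// Constructed exchange: the reply is built here, not captured from the server.
function demo() {
  const request = buildToolCall("list_documentation");
  const listing = ["help/00001-what-is-archonite.md", "../outside.md", "https://example.invalid/x.md"];
  const reply = JSON.stringify({
    jsonrpc: "2.0",
    id: request.id,
    result: { content: [{ type: "text", text: JSON.stringify(listing) }] },
  });
  return parseDocList(request, reply);
}
```

`demo()` accepts only `help/00001-what-is-archonite.md` and rejects the other two constructed entries, so a later `read_documentation` call is only ever issued for paths that passed the same check.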