# Archonite Security

Contact: mailto:dpo@archonite.xyz
Preferred-Languages: en
Policy: https://archonite.xyz/security
Canonical: https://archonite.xyz/.well-known/security.txt

## Uncompromising Defense

We protect your users' identities with the same rigor used by national intelligence agencies. Explore our multi-layered approach to infrastructure, data, and application security.

## Infrastructure Security

Built on a global, serverless edge network backed by hardened compute instances.

- **Global Edge Network**
Our application logic is distributed across a CDN with points of presence (PoPs) in 100+ cities, mitigating DDoS attacks at the edge before they reach core servers.

- **Hardened US Compute**
Sensitive processing occurs on isolated Virtual Private Server (VPS) nodes located in Tier-4 US data centers, protected by strict firewall rules and VPC peering.

- **Active DDoS Mitigation**
We utilize automated traffic analysis to identify and scrub volumetric attacks (L3/L4) and application-layer floods (L7) in real-time.

## Data Persistence

How we store, isolate, and backup your mission-critical data.

- **Row-Level Security (RLS)**
We enforce strict SQL-level isolation. A tenant's query can strictly only access rows associated with their specific Organization ID. Cross-contamination is mathematically impossible.

- **Encryption at Rest**
All persistent data is encrypted using AES-256. Encryption keys are managed via AWS KMS and rotated automatically.

- **Point-in-Time Recovery**
Our database clusters perform continuous write-ahead logging (WAL), allowing us to restore the state of the system to any second in the last 30 days.

## Hollistic Security
Defense strategies to integrate physical, technical, and administrative safeguards to protect our entire ecosystem.

- **Data Residency**
In addition, our Privacy Policy incorporates the EU Commission's latest Standard Contractual Clauses (SCCs) for transfers to third countries.

- **Zero-Knowledge API**
Our internal nodes process data in volatile memory (RAM), ensuring that unencrypted PII never touches a permanent disk.

- **Officer Vetting**
Every Archonite Compliance Officer undergoes monthly background checks and operates in a high-security biometric environment.

## Application Logic

Secure coding practices and rigorous testing methodologies.

- **SDLC**
Every line of code undergoes static analysis and peer review before merging. We strictly adhere to OWASP Top 10 mitigation strategies.

- **Token Management**
API keys are cryptographically hashed using AES-256 at rest before storage. We never display full secrets after initial generation.

- **Sanitized Logs**
Our logging pipeline automatically detects and redacts PII (Personally Identifiable Information) to ensure logs remain compliant.

- **Rate Limiting**
Intelligent rate limiting per IP and API token prevents brute-force attacks and resource exhaustion.

## Security Research Program

Security is a community effort. If you believe you have found a vulnerability in Archonite's infrastructure, we encourage you to report it. We offer competitive bounties for valid, high-severity findings.

**Safe Harbor**

Any research conducted under this policy is considered "authorized" conduct. Archonite will not initiate legal action against researchers who:

- Conduct research without harming Archonite or its users.
- Adhere to the laws of their applicable jurisdiction.
- Do not access, modify, or use data belonging to others.
- Give us reasonable time to remediate before public disclosure.

## Scope of Research

Security is a community effort. If you believe you have found a vulnerability in Archonite's infrastructure, we encourage you to report it. We offer competitive bounties for valid, high-severity findings.

| Asset                     | Type                         |
|---------------------------|------------------------------|
| *.archonite.xyz           | Core Web Platform            |
| api.archonite.xyz         | Internal REST API            |
| Archonite Signed Payload  | Proprietary Encryption (ASP) |
| Archonite SDK             | Mobile/Web Client Libraries  |
* Third-party services (e.g., Vercel) are out of scope. Please report vulnerabilities for those assets directly to the respective providers.

## Prohibited Activities

Security and penetration testing program prohibits activities that can cause disqualifications on the aforementioned rewards.

- **No Social Engineering**
Attacking Archonite employees, contractors, or customers via phishing or physical access.

- **No Resource Exhaustion**
DoS/DDoS attacks or any activity that degrades performance for our users.

- **No Exfiltration**
Downloading or retaining any PII/Sensitive data beyond what is needed to prove a PoC.

- **No Destructive Testing**
Attempts to delete or permanently alter data in our production or development environments.