Trust & Security at AIARCO
How AIARCO protects customer data and what evidence we publish.
AIARCO operates a public-facing trust posture so customers, prospects, and partners can independently verify how we protect data.
At a glance
| Area | Status |
|---|---|
| SOC 2 Type II | Audit-ready (program in place; observation window opens upon engagement of auditor of record). |
| GDPR | Compliant. EU mirror in eu-west-1 available on request. |
| HIPAA | BAA on request for Teams Scale customers. |
| ISO 27001 | Roadmap (post SOC 2). |
| Data residency | US (default), EU (eu-west-1, opt-in). |
| Encryption | AES-256 at rest (KMS), TLS 1.2+ in transit, HSTS preload submitted. |
| MFA | Enforced for all customer admins on Teams Scale. |
| SSO (SAML / OIDC) | Available on Teams Scale. |
| Backups | RDS multi-AZ + 7-day PITR; cross-region replication. |
| Status page | https://status.aiarva.com |
Sub-processors
A current list of sub-processors that may process customer Personal Data is published at /legal/subprocessors.
We notify customers of any new sub-processor with 30 days' advance notice via in-product banner and email to the workspace billing contact.
Reporting a vulnerability
Email security@aiarco.com. Our policy and disclosure timeline are in SECURITY.md.
Public PGP key: https://aiarva.com/.well-known/pgp-key.txt.
Documents available on request
The following are available to customers and prospects (with NDA where appropriate). Contact trust@aiarco.com.
- SOC 2 Type II report (when issued)
- Independent penetration test summary (when commissioned)
- Data Processing Addendum (DPA)
- Business Associate Agreement (BAA)
- ISO/IEC 27001 SoA — when applicable
- AICPA TSC control matrix
- Risk register summary
- Disaster-recovery test reports
- Vendor management programme overview
Customer-facing security features
| Feature | Tier |
|---|---|
| Workspace MFA enforcement | Free and above |
| SAML SSO | Teams Scale |
| SCIM provisioning | Teams Scale |
| Audit log export (JSON) | Teams Pro and above |
| Customer-managed encryption keys (BYOK) | Teams Scale |
| Custom data-retention windows | Teams Pro and above |
| EU data residency | Teams Scale |
| IP allowlist | Teams Scale |
Continuous compliance
We use Vanta to continuously monitor controls (planned). Our internal control set, evidence inventory, and policies are in compliance/ in the master repo and reviewed at least annually.
Operational metrics
Public uptime + incident history: https://status.aiarva.com
Contact
| Topic | Email |
|---|---|
| Vulnerability report | security@aiarco.com |
| Privacy / DSAR | privacy@aiarco.com |
| Compliance docs | trust@aiarco.com |
| Press / general | hello@aiarco.com |