Security & Trust

Built with security and compliance at the core

Your architecture blueprints contain your most sensitive IP. We treat them that way. AES-256 at rest, TLS 1.3 in transit, isolated workspaces, and a strict no-training policy.

Data Security

AES-256 encryption for all data at rest

TLS 1.3 enforced for all data in transit

Workspace data is logically isolated per organization

LLM API keys stored encrypted — never logged in plaintext

Database backups encrypted and retained for 30 days

Compliance

SOC 2 Type II audit in progress

GDPR-compliant data handling and storage

Data Processing Agreement (DPA) available on request

Right to erasure — account deletion removes all data within 30 days

Data residency options: EU (Frankfurt) and US (Virginia)

Infrastructure

Hosted on Microsoft Azure (East US 2) with availability-zone redundancy

Regular third-party penetration tests

Automated secret + dependency scanning in the CI pipeline

99.9% uptime SLA — public status page at archiet.com/status

Credentials injected from encrypted CI/CD secrets at deploy — never hardcoded in source

Privacy & AI Keys

BYOK — your LLM API keys never touch our inference layer

We do not train on your blueprints or generated code

No blueprint data shared with third-party AI providers under your account

All blueprint data deleted within 30 days of account deletion

Session tokens use httpOnly cookies — never exposed to JavaScript

Responsible disclosure policy

We welcome reports from security researchers and will not pursue legal action for good-faith research conducted under this policy.

How to report

Send a description, impact, and reproduction steps through our contact form with the subject marked “Security”. Encrypted reports can be requested in your first message.

Our commitment

We acknowledge reports within 24 hours, keep you updated through triage and remediation, and credit reporters who wish to be named once a fix has shipped.

Safe harbour

Research that respects user privacy, avoids data destruction, and does not degrade availability for others is authorised under this policy.

Out of scope

Volumetric / denial-of-service testing, social engineering of staff or customers, physical attacks, and findings from automated scanners without a working proof of concept.

Have a security question?

We respond to all security inquiries within 24 hours, and operate the responsible disclosure policy above. For enterprise DPA requests or pen-test reports, contact the security team directly.

Start building on a secure foundation

free plan. No credit card required. Your data is yours — always.

Loading…