Skip to main content
Archil stores your data in your cloud storage bucket, encrypted end-to-end, and never in a proprietary format. This page describes how we protect your data and what we’re prepared to sign.

Data ownership

Your data lives in your S3 bucket (or other data source) in its native format. Archil reads and writes to your bucket on your behalf — we do not copy your data into a separate storage system. If you stop using Archil, your data stays in your bucket, fully accessible through the S3 API. There is no lock-in and no export process.

Hosting

Archil runs on AWS infrastructure in the region you select for your disk. Data does not leave that region unless you explicitly configure cross-region replication. Data in Archil’s storage layer is replicated across multiple Availability Zones for 99.999% durability, and continuously synchronized to your data source (S3 provides 99.999999999% durability). Formal uptime SLAs are available on Enterprise plans.

Encryption

All data is encrypted at rest and in transit.
  • At rest — Data in Archil’s storage layer is encrypted with AES-256-GCM via AWS KMS. Data in your S3 data source inherits your bucket’s encryption settings, so your existing key management policies apply.
  • In transit — All client-to-service connections use TLS 1.3. Unencrypted connections are rejected.
Encryption keys are managed by Archil’s key management infrastructure and rotated on a regular schedule.

SOC 2

Archil undergoes annual SOC 2 Type II audits covering security, availability, and confidentiality. Audit reports are available through the Archil Trust Center. If you need a copy of our most recent report for your procurement or compliance review, contact us.

Data protection (GDPR & CCPA)

Archil is GDPR and CCPA compliant. We provide Data Processing Agreements (DPAs) to Enterprise plan customers. The DPA covers data residency, subprocessor obligations, and breach notification commitments. Data residency is respected by default — Archil does not move data across regions without explicit configuration. To request a DPA, contact us.

HIPAA

Archil supports workloads subject to HIPAA requirements. We sign Business Associate Agreements (BAAs) with Enterprise plan customers. To request a BAA, contact us.

Access control

Archil provides layered access control to match your environment:
  • AWS IAM roles — Clients authenticate with their existing IAM roles. No additional credentials needed for EC2, Lambda, or ECS. See Disk Users.
  • Scoped tokens — For non-AWS or cross-region access, tokens grant access to specific disks. Tokens are hashed before storage — Archil never stores tokens in plaintext.
  • API keys — The Control Plane API uses scoped API keys for managing disks, tokens, and users programmatically.
  • POSIX permissions — Standard file permissions (owner, group, other) are enforced on all mounted disks.

Security testing

Archil partners with Casco Security for monthly penetration testing across our infrastructure. We also run continuous static analysis on every code change.

Vulnerability disclosure

If you discover a security vulnerability in Archil, please report it to security@archil.com. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days. We offer bounties for qualifying vulnerability reports — email us for details.

Private networking

For organizations requiring private connectivity (e.g., AWS PrivateLink), contact us to discuss options.