> ## Documentation Index > Fetch the complete documentation index at: https://docs.archil.com/llms.txt > Use this file to discover all available pages before exploring further. # Security & Compliance > How Archil protects your data, and what we commit to contractually Archil stores your data in **your** cloud storage bucket, encrypted end-to-end, and never in a proprietary format. This page describes how we protect your data and what we're prepared to sign. ## Data ownership Your data lives in your S3 bucket (or other [data source](/concepts/data-sources)) in its native format. Archil reads and writes to your bucket on your behalf — we do not copy your data into a separate storage system. If you stop using Archil, your data stays in your bucket, fully accessible through the S3 API. There is no lock-in and no export process. ## Hosting Archil runs on AWS infrastructure in the [region](/reference/regions) you select for your disk. Data does not leave that region unless you explicitly configure cross-region replication. Archil's storage layer is designed for **99.999% (five nines) durability**, achieved through replication across multiple Availability Zones and continuous synchronization to your data source (S3 provides 99.999999999% durability). Formal uptime SLAs are available on [Enterprise plans](/administration/billing). ## Encryption All data is encrypted at rest and in transit. * **At rest** — Data in Archil's storage layer is encrypted with AES-256-GCM via AWS KMS. Data in your S3 data source inherits your bucket's encryption settings, so your existing key management policies apply. * **In transit** — All client-to-service connections use TLS 1.3. Unencrypted connections are rejected. Encryption keys are managed by Archil's key management infrastructure and rotated on a regular schedule. ## SOC 2 Archil undergoes ongoing SOC 2 Type II audits covering security, availability, and confidentiality. Audit reports are available through the [Archil Trust Center](https://security.archil.com/). If you need a copy of our most recent report for your procurement or compliance review, [contact us](mailto:security@archil.com). ## Data protection (GDPR & CCPA) Archil is GDPR and CCPA compliant. We provide **Data Processing Agreements (DPAs)** to [Enterprise plan](/administration/billing) customers. The DPA covers data residency, [subprocessors](/legal/subprocessors), and breach notification commitments. Data residency is respected by default — Archil does not move data across regions without explicit configuration. To request a DPA, [contact us](mailto:security@archil.com). ## HIPAA Archil supports workloads subject to HIPAA requirements. We sign **Business Associate Agreements (BAAs)** with [Enterprise plan](/administration/billing) customers. To request a BAA, [contact us](mailto:security@archil.com). ## Access control Archil provides layered access control to match your environment: * **AWS IAM roles** — Clients authenticate with their existing IAM roles. No additional credentials needed for EC2, Lambda, or ECS. See [Disk Users](/concepts/disk-users). * **Disk tokens** — For non-AWS or cross-region access, a [disk token](/concepts/disk-users#disk-token-authorization) grants a client mount access to one specific disk. Disk tokens are hashed before storage — Archil never stores them in plaintext. * **API keys** — The [Control Plane API](/api-reference/introduction) uses account-scoped API keys for managing disks, disk tokens, and users programmatically. API keys are separate from disk tokens. * **POSIX permissions** — Standard file permissions (owner, group, other) are enforced on all mounted disks. ## Security testing Archil partners with [Casco Security](https://casco.com/) for monthly penetration testing across our infrastructure. We also run continuous static analysis on every code change. ## Vulnerability disclosure If you discover a security vulnerability in Archil, please report it to [security@archil.com](mailto:security@archil.com). We target acknowledgment within 24 hours. We offer bounties for qualifying vulnerability reports — email us for details. ## Private networking For organizations requiring private connectivity (e.g., AWS PrivateLink), [contact us](mailto:support@archil.com) to discuss options.