Data in transit
TLS 1.2+ on every connection, including service-to-service. Backend Cloud Run services accept traffic only from our load balancer, gated by Identity-Aware Proxy. No browser ever talks to the database.
Data at rest
Application data lives in managed Postgres with at-rest encryption and customer-managed Cloud SQL instance-level keys. Document blobs sit in Cloud Storage with the same posture. Every Scout adapter cache is wrapped in our own envelope encryption layer in addition.
Access & auth
SSO + per-user accounts only — no shared credentials. Admin and root roles are separated; root is required to assign root, change another user's password, or reset MFA. MFA is supported (TOTP); forced enrollment is configurable per agency. Failed-login lockout with operator-controlled thresholds.
DLP
Outbound LLM and third-party calls run through a deterministic DLP layer that tokenizes PII at the boundary. Tokens are signed with a server-only secret; the original values stay on our infrastructure. Fail-closed if the secret is unset or short.
Logging & audit
Authentication, role changes, password resets, MFA enrollments, and exports each emit structured audit lines. Logs are retained per the customer's retention policy (default 365 days) and are immutable while retained.
Compliance roadmap
We're building toward SOC 2 Type II and tracking ISO 42001 (AI management systems) for after that. We don't claim certifications we don't hold. When we're in audit, this page is where you'll see it first.
Disclosure
Found something? Email security@artihq.com. We acknowledge within one business day and triage on a public severity scale.