Trust & Compliance
Sovereign by design. Audited by default.
Workloads run in your isolated tenant under scoped execution roles. Every API call lands in the control-plane audit log. Last updated May 2026.
- SOC 2 Type II: in progress
- Encryption: Envelope + TLS 1.2+
- Audit: Append-only
- RPO / RTO: ≤24h / ≤4h
SOC 2 readiness
ASC is in active SOC 2 Type I readiness, with the audit window targeted for Q3 2026. The Type II observation period begins immediately after. The infrastructure controls below are technically enforced today.
Controls
| ID | Control | Status | Notes |
|---|---|---|---|
| AC-1 | Tenant isolation | Enforced | DB row-level by tenant_id; access policies scoped per tenant prefix. |
| AC-2 | Bearer-token auth | Enforced | JWT (15 min) + API keys (rotatable). |
| AU-1 | Audit trail | Enforced | Billing meter rows immutable; control-plane audit log append-only. |
| CP-1 | Backups | Enforced | Automated daily, 7-day retention, point-in-time recovery. |
| SC-1 | Encryption at rest | Enforced | All persisted data envelope-encrypted; per-tenant data keys. |
| SC-2 | Encryption in transit | Enforced | TLS 1.2+ everywhere; HTTP redirects to HTTPS; in-transit encryption on all storage volumes. |
| SI-1 | Vulnerability scans | In progress | Dependabot enabled; SBOM generation on the roadmap. |
| IR-1 | Incident response | Documented | On-call rotation + status page (planned). |
Sub-processors
- Hyperscaler cloud provider: Compute, storage, networking — us-east, eu-central, ap-southeast (selectable)
- Stripe: Billing & payments — US/EU dual
- GitHub (Microsoft): Source control & CI — US
- Anycast DNS provider: DNS for asc.aiarco.com — Global anycast
Data residency
Default region is us-east. EU customers can pin tenants to eu-central; cross-region movement requires explicit opt-in. Customer data is never replicated to non-customer regions.
Trust pack
Penetration test summaries, SOC 2 progress, and questionnaire responses are available under NDA.
trust@asc.aiarco.com