ASC — Compliance & trust
Last updated: May 2026. Live status page coming with E.4 public launch.
SOC 2 readiness
ASC is in active SOC 2 Type I readiness preparation, with the audit window targeted for Q3 2026. The Type II observation period begins immediately after. Infrastructure controls below are technically enforced today; policy documentation lives in /compliance in the parent monorepo (AIARCO MASTER/compliance).
Controls
| ID | Control | Status | Notes |
|---|---|---|---|
| AC-1 | Tenant isolation | Enforced | DB row-level by tenant_id; IAM policies scoped per tenant prefix. |
| AC-2 | Bearer-token auth | Enforced | JWT (15min) + API keys (rotatable). |
| AU-1 | Audit trail | Enforced | BillingMeter rows immutable; CloudTrail org-wide. |
| CP-1 | Backups (RDS) | Enforced | Automated daily, 7-day retention, point-in-time recovery. |
| SC-1 | Encryption at rest | Enforced | S3 SSE-AES256, RDS KMS, EFS KMS, Secrets Manager KMS. |
| SC-2 | Encryption in transit | Enforced | TLS 1.2+ everywhere; ALB redirects 80→443; EFS in-transit encryption ENABLED. |
| SI-1 | Vulnerability scans | In progress | Dependabot enabled; SBOM generation pending E.4 launch. |
| IR-1 | Incident response | Documented | On-call rotation + status page (status.asc.aiarco.com — pending). |
Sub-processors
- Amazon Web Services (AWS): Compute, storage, networking — us-east-1, eu-central-1 (selectable)
- Stripe: Billing & payments — US/EU dual
- GitHub (Microsoft): Source control & CI — US
- Cloudflare: DNS for asc.aiarco.com — Global anycast
Data residency
Default region is us-east-1. EU customers can pin tenants to eu-central-1 at provisioning time; cross-region data movement requires explicit opt-in. Customer data is never replicated to non-customer regions.