Security & Trust

Armcap ControlOps is built for teams that protect everyone else. Our security posture reflects the same rigor we help our customers achieve.

Data Protection

Tenant Isolation

Every customer operates in a logically isolated environment. No cross-tenant data access. Application-layer controls enforce strict boundary separation at every data path.

Encryption

In transit: TLS 1.2+ with HSTS enforced. At rest: AES-256 for all stored data including documents, outputs, and audit logs. Key management through cloud-native KMS with automatic rotation.

Data Retention

Configurable retention policies per workspace. Export and delete your data at any time. Upon account termination, all customer data is purged within 30 days.

Your data is never used to train AI models.

No training on customer data. Documents you upload, outputs we generate, and decisions you make are never used to train, fine-tune, or improve any AI model.
No cross-customer learning. Analysis performed for one customer does not inform or influence outputs for another customer.
Rubric-driven analysis. Our outputs are generated using structured rubrics and configurable logic—not opaque model behavior. You can inspect the rubric that produced any output.

Access Controls

Role-Based Access (RBAC)

Predefined roles: Admin, Analyst, Reviewer, Read-Only. Custom role definitions on Enterprise plans. Permissions scoped to module level.

Authentication

SSO integration (SAML 2.0, OIDC) on Growth and Enterprise. MFA enforced by default. Configurable session timeout policies.

Audit Logging

Every action logged: who, what, when, and what inputs/outputs were involved. Logs are immutable, exportable, and retained for your contract duration plus 12 months.

Infrastructure

Cloud Infrastructure

Hosted on SOC 2 Type II and ISO 27001 certified cloud infrastructure. Multi-AZ deployment. Automated backups with geographic redundancy.

Network Security

WAF on all public endpoints. DDoS mitigation at the edge. Internal network segmentation. No direct database access from public-facing services.

Application Security

Secure SDLC with security review gates. Dependency scanning. Regular third-party penetration testing. Responsible disclosure program.

Compliance

Framework       | Status
SOC 2 Type II   | In progress — targeting H2 2026
ISO 27001       | Planned
GDPR            | DPA available; EU data residency on Enterprise
CCPA            | Compliant; DSR process documented

We eat our own cooking: Armcap ControlOps is used internally to manage our own control environment, evidence collection, and audit preparation.

Responsible AI

Human-in-the-loop by default

Every AI-generated output is presented for human review before it becomes a deliverable.

Rubric transparency

Scoring logic, risk thresholds, and classification criteria are visible and configurable.

No legal conclusions

Armcap produces governance workflow automation and structured analysis—not legal advice.

Audit trail for AI outputs

Every AI-assisted output includes metadata: model version, rubric applied, inputs provided, confidence signals.

Responsible Disclosure

If you discover a security vulnerability in Armcap ControlOps, we want to hear from you. We do not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.

Email

security@armcapcontrolops.com

Response SLA

Acknowledgment: 24 hrs. Triage: 72 hrs.

Scope

All production services and APIs.

Questions about our security posture?

We're happy to walk through our security architecture, provide SOC 2 readiness documentation, or discuss specific requirements.

Contact Security Team