Security & Trust

Trust & Security — evidence, not declarations.

VIGIL handles sensitive site intelligence. This page shows exactly how it is protected — the architecture, the controls, the certifications in progress, and the documents you can request.

  • Data hosted: Germany (EU)
  • AI processing: fully in-house
  • VAPT: annual · CERT-In empanelled
  • ISO 27001: in progress

Infrastructure

Where your data lives

All VIGIL platform data is hosted on dedicated infrastructure operated by Hetzner Online GmbH, Germany (EU). No shared hosting. No public cloud platforms.

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.3 minimum
  • TLS 1.0 / 1.1: disabled
  • Backups: daily encrypted, geographically separated within EU
  • RPO: 24 hours · RTO: 4 hours

AI Processing

Zero third-party AI

VIGIL's intelligence processing engine is built and operated entirely in-house. No client data is ever transmitted to OpenAI, Google, Anthropic, Microsoft, or any external AI provider.

  • All scoring and analysis runs on ARRC Global's own infrastructure
  • No API calls to external AI services
  • Client data never leaves the EU hosting environment for processing
  • Contractually confirmable in the DPA

Access Controls

Who can access what

  • MFA: mandatory on all internal and privileged accounts
  • RBAC: role-based access enforced server-side on every request
  • Cross-client isolation: enforced at the data access layer
  • Privileged access: named individuals only, full session logging
  • Dormant accounts: auto-suspended after 60 days inactivity
  • Access review: quarterly for all internal accounts

Security Testing

How we test

  • VAPT: independent penetration testing annually — CERT-In empanelled firm
  • SAST: static analysis on every code commit
  • Dependency scanning: daily automated against production
  • OWASP ASVS: Level 2 baseline alignment
  • Backup testing: quarterly restore verification
  • VAPT executive summary available to enterprise clients under NDA

  • GDPR Aligned (Active): EU data hosting. DPA template available. 72-hour breach notification commitment.
  • India DPDP Act (Active): Data Fiduciary compliance. Consent handling, deletion requests, breach process.
  • Responsible Disclosure (Active): Published policy. security.txt at /.well-known/. 5-day acknowledgement SLA.
  • ISO 27001 (In Progress): Gap assessment complete. Implementation underway. Certification target: 2026.
  • CSA STAR Level 1 (In Progress): Self-assessment in preparation. Free public registry listing.
  • ISO 27701 (Roadmap · Phase 2): Privacy information management. Extension to ISO 27001.
  • SOC 2 Type II (Roadmap · Phase 3): US and Gulf enterprise clients. 12-month observation window.
  • ISO 27017 (Roadmap · Phase 3): Cloud security controls. Extension to ISO 27001.
  • Formal Bug Bounty (Roadmap · Phase 4): Financial rewards for verified vulnerability reports. After mature triage processes established.