A structured, control-by-control self-attestation mapping Orbifs’ real security controls to the Cloud Security Alliance’s Cloud Controls Matrix (CCM) domains. Every answer is honest — yes, partial, or planned. This is a Level 1 self-assessment, not a third-party audit or certification.
The CSA STAR program has three levels. Level 1 is a self-assessment: the provider publicly answers the Cloud Security Alliance’s questionnaire about its own controls. It is not an audit. Level 2 adds independent third-party assessment; Level 3 adds continuous monitoring. This page is Level 1. We publish it because it is the most rigorous assurance artefact a vendor can honestly offer before a formal audit — and because answering it straight, including the gaps, is the point. This is an abbreviated (CAIQ-lite) mapping of the controls described on our Security & Trust whitepaper.
| Question | Answer | Our response |
|---|---|---|
| Is the company subject to a comprehensive data-protection regime? | Yes | Archi Systems AS is established in Norway (EEA) and applies the GDPR. Customer data is processed under a Data Processing Agreement. |
| Do you hold a current third-party security certification (ISO 27001, SOC 2, etc.)? | Planned | No third-party certification is held today. ISO/IEC 27001 and SOC 2 are being pursued; this document is a Level 1 self-assessment, not an audit. |
| Do you publish a list of sub-processors and notify customers of changes? | Yes | A short, EU-based sub-processor list is published and customers are notified of changes (see /legal/subprocessors). |
| Question | Answer | Our response |
|---|---|---|
| Is customer data encrypted in transit? | Yes | All client–service connections use TLS, terminated at the edge (Caddy) with modern, auto-renewed certificates. |
| Is customer data encrypted at rest? | Yes | Object storage holding file content uses server-side encryption (SSE, AES-256). Off-region backups are encrypted at rest. |
| Do you support customer-managed encryption keys (BYOK)? | Planned | At-rest keys are currently managed by the storage provider. A customer-managed-key option and our key-custody model are being finalised. |
| Is data integrity protected and verifiable? | Yes | Content-addressed storage: every chunk is identified by its SHA-256 hash, enabling integrity verification on read and tamper detection. Content-defined chunking (FastCDC) keeps versions efficient. |
| Is stored data protected against unauthorised modification or deletion? | Yes | The production object bucket uses S3 versioning plus Object Lock (WORM); stored bytes cannot be overwritten or deleted before the lock expires. |
| Can customers export and securely delete their data? | Yes | Customers can export their data; on termination, project data is returned or deleted per the DPA, subject to legal retention. |
| Question | Answer | Our response |
|---|---|---|
| Is multi-factor authentication available for user sign-in? | Yes | MFA is available for user sign-in. |
| Are access controls based on least privilege and roles? | Yes | Accounts, administrator/editor/guest roles and per-project permissions follow a least-privilege model; guest/external access is granted and revoked per project. |
| Do you support SSO / SAML for centralised identity? | Planned | SSO / SAML for Business and above is being finalised. Optional "Sign in with Google/Microsoft" is available today (authentication only). |
| Is each tenant isolated from other tenants? | Yes | Isolation is enforced primarily in the application layer: every request carries an authenticated tenant context and every query is tenant-scoped. Postgres row-level security exists as defence-in-depth. |
| Question | Answer | Our response |
|---|---|---|
| Are backups performed and stored separately from primary data? | Yes | Metadata is continuously backed up (pgBackRest, WAL / point-in-time recovery) to a separate off-region bucket in Paris, encrypted at rest. |
| Are backups and restores tested? | Yes | The backup pipeline is restore-drilled, and a restore test is run in every customer pilot. |
| Are backup failures detected and alerted? | Yes | A dead-man’s-switch monitor alerts the team if a backup is missed, so a silent backup failure cannot go unnoticed. |
| Are recovery-point and recovery-time objectives (RPO/RTO) published? | Planned | Continuous PITR keeps the effective recovery point to minutes; formally published RPO/RTO targets and a restore SLA are being finalised. |
| Is data replicated for durability? | Yes | Object storage is replicated by the provider for durability; metadata has continuous off-region backup. |
| Question | Answer | Our response |
|---|---|---|
| Is the infrastructure located within the EU/EEA? | Yes | Metadata and object bytes in Paris (EU), backups off-region in Paris (EU). No customer project data is stored outside the EU. |
| Is the underlying provider a European cloud provider? | Yes | Infrastructure is operated by OVHcloud, a European cloud provider, named in the sub-processor list. |
| Question | Answer | Our response |
|---|---|---|
| Do you maintain an incident-response plan? | Yes | An incident-response plan is maintained; customers are notified without undue delay after a personal-data breach affecting their data (see the DPA). |
| Do concurrent edits risk silent data loss? | Yes | No — conflict-copy safety preserves a conflict copy on concurrent edits, so neither edit is silently overwritten. |
| Question | Answer | Our response |
|---|---|---|
| Is support / transactional email handled by a third-party sub-processor? | N/A | No — Orbifs runs its own mail server in the EEA, so no third party handles support correspondence. This is recorded as "not applicable" because there is no email sub-processor. |
| Are payment details kept separate from project files? | Yes | Billing/payment is handled by an EU payment provider and processes account/billing data only — never project files. |
This self-assessment is versioned and dated. As controls change — notably key management (BYOK), SSO/SAML, and published RPO/RTO — we will update the answers here rather than quietly changing the marketing copy. For the binding data-processing terms, see our DPA; for where data physically lives, see Data Residency & Sovereignty.
We’ll provide this self-assessment, our DPA and sub-processor list, the Data Residency Statement, and answer your security questionnaire from a maintained answer bank.