Home / Security / CSA STAR Level 1
CSA STAR Level 1 · CAIQ-lite · self-assessment

CSA STAR Level 1 self-assessment.

A structured, control-by-control self-attestation mapping Orbifs’ real security controls to the Cloud Security Alliance’s Cloud Controls Matrix (CCM) domains. Every answer is honest — yes, partial, or planned. This is a Level 1 self-assessment, not a third-party audit or certification.

What CSA STAR Level 1 means — and what it doesn’t

The CSA STAR program has three levels. Level 1 is a self-assessment: the provider publicly answers the Cloud Security Alliance’s questionnaire about its own controls. It is not an audit. Level 2 adds independent third-party assessment; Level 3 adds continuous monitoring. This page is Level 1. We publish it because it is the most rigorous assurance artefact a vendor can honestly offer before a formal audit — and because answering it straight, including the gaps, is the point. This is an abbreviated (CAIQ-lite) mapping of the controls described on our Security & Trust whitepaper.

Answer key: Yes implemented & running Partial in place with a noted limitation Planned on the roadmap, not yet claimed
GRC · CCM domain

Governance, risk & compliance

QuestionAnswerOur response
Is the company subject to a comprehensive data-protection regime? Yes Archi Systems AS is established in Norway (EEA) and applies the GDPR. Customer data is processed under a Data Processing Agreement.
Do you hold a current third-party security certification (ISO 27001, SOC 2, etc.)? Planned No third-party certification is held today. ISO/IEC 27001 and SOC 2 are being pursued; this document is a Level 1 self-assessment, not an audit.
Do you publish a list of sub-processors and notify customers of changes? Yes A short, EU-based sub-processor list is published and customers are notified of changes (see /legal/subprocessors).
DSI · CCM domain

Data security & information lifecycle

QuestionAnswerOur response
Is customer data encrypted in transit? Yes All client–service connections use TLS, terminated at the edge (Caddy) with modern, auto-renewed certificates.
Is customer data encrypted at rest? Yes Object storage holding file content uses server-side encryption (SSE, AES-256). Off-region backups are encrypted at rest.
Do you support customer-managed encryption keys (BYOK)? Planned At-rest keys are currently managed by the storage provider. A customer-managed-key option and our key-custody model are being finalised.
Is data integrity protected and verifiable? Yes Content-addressed storage: every chunk is identified by its SHA-256 hash, enabling integrity verification on read and tamper detection. Content-defined chunking (FastCDC) keeps versions efficient.
Is stored data protected against unauthorised modification or deletion? Yes The production object bucket uses S3 versioning plus Object Lock (WORM); stored bytes cannot be overwritten or deleted before the lock expires.
Can customers export and securely delete their data? Yes Customers can export their data; on termination, project data is returned or deleted per the DPA, subject to legal retention.
IAM · CCM domain

Identity & access management

QuestionAnswerOur response
Is multi-factor authentication available for user sign-in? Yes MFA is available for user sign-in.
Are access controls based on least privilege and roles? Yes Accounts, administrator/editor/guest roles and per-project permissions follow a least-privilege model; guest/external access is granted and revoked per project.
Do you support SSO / SAML for centralised identity? Planned SSO / SAML for Business and above is being finalised. Optional "Sign in with Google/Microsoft" is available today (authentication only).
Is each tenant isolated from other tenants? Yes Isolation is enforced primarily in the application layer: every request carries an authenticated tenant context and every query is tenant-scoped. Postgres row-level security exists as defence-in-depth.
BCR · CCM domain

Business continuity & resilience

QuestionAnswerOur response
Are backups performed and stored separately from primary data? Yes Metadata is continuously backed up (pgBackRest, WAL / point-in-time recovery) to a separate off-region bucket in Paris, encrypted at rest.
Are backups and restores tested? Yes The backup pipeline is restore-drilled, and a restore test is run in every customer pilot.
Are backup failures detected and alerted? Yes A dead-man’s-switch monitor alerts the team if a backup is missed, so a silent backup failure cannot go unnoticed.
Are recovery-point and recovery-time objectives (RPO/RTO) published? Planned Continuous PITR keeps the effective recovery point to minutes; formally published RPO/RTO targets and a restore SLA are being finalised.
Is data replicated for durability? Yes Object storage is replicated by the provider for durability; metadata has continuous off-region backup.
IVS · CCM domain

Infrastructure & virtualization

QuestionAnswerOur response
Is the infrastructure located within the EU/EEA? Yes Metadata and object bytes in Paris (EU), backups off-region in Paris (EU). No customer project data is stored outside the EU.
Is the underlying provider a European cloud provider? Yes Infrastructure is operated by OVHcloud, a European cloud provider, named in the sub-processor list.
SEF · CCM domain

Security incident management

QuestionAnswerOur response
Do you maintain an incident-response plan? Yes An incident-response plan is maintained; customers are notified without undue delay after a personal-data breach affecting their data (see the DPA).
Do concurrent edits risk silent data loss? Yes No — conflict-copy safety preserves a conflict copy on concurrent edits, so neither edit is silently overwritten.
STA · CCM domain

Supply chain & accountability

QuestionAnswerOur response
Is support / transactional email handled by a third-party sub-processor? N/A No — Orbifs runs its own mail server in the EEA, so no third party handles support correspondence. This is recorded as "not applicable" because there is no email sub-processor.
Are payment details kept separate from project files? Yes Billing/payment is handled by an EU payment provider and processes account/billing data only — never project files.

Keeping this honest

This self-assessment is versioned and dated. As controls change — notably key management (BYOK), SSO/SAML, and published RPO/RTO — we will update the answers here rather than quietly changing the marketing copy. For the binding data-processing terms, see our DPA; for where data physically lives, see Data Residency & Sovereignty.

Procurement

Need this in your vendor pack?

We’ll provide this self-assessment, our DPA and sub-processor list, the Data Residency Statement, and answer your security questionnaire from a maintained answer bank.