Security at Arhivix | Encryption, EU data residency, GDPR

AES-256 encryption

Every file is encrypted at rest with AES-256-GCM and in transit with TLS 1.3.

EU-only data residency

Documents never leave the European Union. Two AWS regions, two separate copies.

Strict internal access

No engineer has standing access to customer documents. Every internal access is authorized, time-bound, and logged.

Granular access control

Per-user, per-document permissions with full audit logs of every view, edit, and download.

01

Built on AWS, kept in the EU.

Arhivix runs on Amazon Web Services, the same infrastructure trusted by banks, hospitals, and governments. Your documents are stored in the European Union, replicated across two independent regions, and isolated per tenant.

Regions: eu-west-1 (Dublin) and eu-central-1 (Frankfurt). Auto-replicated on every change.
Cloud provider
Amazon Web Services (AWS): SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1.
Data residency
All customer documents are stored exclusively in AWS regions located within the European Union. No data leaves the EU under normal operations.
Replication
Every object is automatically replicated to a second, geographically separate AWS region in the EU. A region-level outage does not interrupt access.
Durability
99.999999999% annual object durability on Amazon S3, the cloud-storage standard worldwide.
Service availability
99.9% target uptime for the Arhivix application, monitored 24/7 with automated failover.
Tenant isolation
Each customer's data is logically isolated. Authorization is enforced on every request, on every document, in every API call.
02

Run Arhivix on top of your own S3.

For organizations with strict data sovereignty requirements or existing storage investments, Arhivix can connect directly to your own S3-compatible bucket. The data stays in your infrastructure, under your keys.

Your S3 bucket: AWS S3, MinIO, Wasabi, on-prem
Arhivix application: Reads via authenticated requests

  • Your storage, your keys: Bring any S3-compatible bucket. Documents never enter Arhivix-managed storage.
  • Encryption you control: Your bucket, your encryption settings, your KMS or HSM. Arhivix holds no copy.
  • All features still work: AI search, OCR, e-signatures, and automations run against your bucket as if it were ours.
  • Operational support: Includes a dedicated solutions engineer for setup, encryption configuration, and ongoing operations.

Available on the Enterprise plan.

03

Your data is unreadable without your key.

Encryption is applied automatically. There is no setting to enable, no checkbox to forget. It is on by default, for every file, for every customer.

Browser & mobile → Arhivix API → Encrypted storage (EU × 2)

In transit

TLS 1.3 everywhere

All connections to Arhivix (web, mobile, and API) are protected with TLS 1.3. HTTP is rejected. Strict transport security (HSTS) is enforced with a long max-age.

At rest

AES-256-GCM

Every file uploaded to Arhivix is encrypted with AES-256 in Galois/Counter Mode before it is written to storage. Backups and replicas are encrypted with the same algorithm.

Key management

AWS-managed encryption

Encryption is applied automatically at the AWS S3 storage layer with AWS-managed keys. Authorization is enforced on every request, on every document, so a compromised account cannot reach data that does not belong to it.

04

You decide who sees what, down to the document.

Most breaches do not start with broken cryptography. They start with one person having access to one thing they shouldn't. Arhivix gives you the controls, and the evidence, to prevent that.

Role View Edit Download Share Delete
Admin Workspace owner
Editor Day-to-day team member
Viewer Read-only access
External Client / portal user Scoped Scoped

Defaults shown. Every right can be overridden per folder or per document.

  • Role-based and document-level permissions: Assign roles across your organization or override permissions on a single folder or document. View, edit, download, and share are independent rights.
  • Full audit log of every action: Every view, edit, download, share, and permission change is recorded with user, timestamp, and IP. Logs are immutable from the customer side.
  • Session management: Sessions are signed, expire automatically, and can be revoked instantly. Suspicious sign-ins trigger re-authentication.
  • Authentication: Passwords are stored using a modern memory-hard hashing algorithm (never in plaintext). Brute-force protection and rate limiting are enforced on every login endpoint.

05

Your data, on your terms, including the right to take it with you.

Storing your data is a responsibility, not a hostage situation. You can export it any time, set how long it lives, and delete it permanently when you are done.

01

Upload

Encrypted client-side over TLS 1.3 the moment you hit save.

02

Active storage

Stored as AES-256-GCM ciphertext in the EU.

03

Replicated

Synced to a second EU region for region-level failover.

04

Retention

Kept for the period you configure (5, 10, 50 years).

05

Deletion

Removed from production immediately, purged from backups within 30 days.

06

Built to fit how Europe regulates data.

Arhivix is designed for businesses that have to answer to regulators, auditors, and clients, not just users.

  • GDPR: Ready by design
  • EU only: Data never leaves
  • AES-256: GCM at rest
  • AWS: SOC 1 / 2 / 3
  • ISO 27001: Inherited via AWS
  • 2026 Law: Serbian e-archive ready

GDPR-ready by design

EU data residency, lawful processing basis documented, data subject rights (access, rectification, erasure, portability) supported in-product.

Data Processing Agreement

A standard GDPR-compliant DPA is available on request for all paid customers. Contact us and we will counter-sign within a few business days.

Inherited certifications

Our underlying infrastructure (AWS) is independently certified against SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1.

Serbian 2026 archiving law

Arhivix is built around the requirements of the new electronic archiving regulations: archive ledger, retention periods, qualified electronic signature, and e-shipping documents.

07

Security is also how we run the company.

Strong tech only matters if the people and processes around it match. We treat operational security as a first-class concern, not a checklist.

  • Least privilege internally: Engineering access to production is limited to a small group, time-bounded, logged, and reviewed. No engineer has standing access to customer documents.
  • Reviewed change management: Every change to production code goes through code review and automated tests. Deployments are auditable and can be rolled back at any time.
  • 24/7 monitoring: Application, infrastructure, and security telemetry are monitored continuously. On-call engineers are paged on anomalies.
  • Secrets management: Credentials and keys are stored in AWS Secrets Manager / KMS, rotated regularly, and never committed to source control.

08

Found a security issue? Tell us.

We treat security reports as a priority. If you believe you have found a vulnerability in Arhivix, please contact our security team directly (not through public channels) and give us a reasonable window to fix the issue before any public disclosure.

  • Include clear reproduction steps and the affected endpoint or component.
  • Do not access, modify, or delete data that does not belong to you.
  • We will acknowledge your report within 2 business days and keep you updated until resolution.
security@arhivix.com

PGP key available on request.

09

What customers and IT teams ask us most.

Where exactly are my documents stored?
All customer documents are stored on Amazon Web Services (AWS) infrastructure inside the European Union. Each document is automatically replicated across two separate AWS regions in the EU. Your data does not leave the EU under normal operations.
Can Arhivix employees read my documents?
Not in day-to-day operations. No engineer has standing access to production customer documents. Our application processes files (for AI search, OCR, and summarization) using internal services, not human review. A narrow set of staff may be granted temporary, time-bound access for incident response or customer-requested support, only with explicit authorization, and every action is recorded in an audit trail.
Are you SOC 2 or ISO 27001 certified?
Our underlying infrastructure (AWS) is independently certified against SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1. Arhivix-specific certifications are on our roadmap. If you need a current compliance overview for your procurement process, contact security@arhivix.com.
Do you sign a Data Processing Agreement (DPA)?
Yes. We provide a standard GDPR-compliant DPA to all paid customers. Email security@arhivix.com or your account contact and we will send it for signature.
What happens to my data if I delete my account?
Active data is removed from production storage immediately. Encrypted backups are purged within 30 days, after which no copy of your documents remains in any Arhivix system. This satisfies the GDPR right to erasure.
Can I export my data and leave?
Yes, at any time. You can export your documents and their metadata in open, standard formats directly from the application. There is no proprietary lock-in and no exit fee.

Stop wasting time searching for documents.

Switch to smarter document management. No obligation, no credit card. 14 days free.