Built for regulated industries.

PCI-DSS, ISO 27001, SOC 2, GDPR: ArcaX ships the controls, documentation, and audit trail you need — on premises, under your governance.

PCI-DSS

Append-only audit log: no DELETE is ever issued against source_audit_log. AES-256-GCM at rest. mTLS (TLS 1.3) in transit. Least privilege enforced through OPA. Addresses PCI-DSS Requirement 10 (audit logging) and Requirement 4 (transmission security) out of the box.

  • Req. 2: default deny via OPA fail-closed
  • Req. 4: mTLS, TLS 1.3 minimum
  • Req. 7: per-tool, per-tenant access control
  • Req. 10: immutable append-only audit log

ISO 27001 Readiness

Access control via OPA + ephemeral certs (A.9). Cryptographic controls: Ed25519 + AES-256-GCM + HSM (A.10). Audit logging: immutable SHA-256 chain (A.12.4). Incident management: behavioral baseline, SIEM OTLP export, SOC dashboard (A.16). All controls testable via the test suite.

  • A.9: OPA + ephemeral certs (identity & access)
  • A.10: Ed25519, AES-256-GCM, HSM
  • A.12.4: SHA-256 audit chain logging
  • A.16: behavioral baseline + SIEM export

SOC 2 Type II Readiness

Security: Zero Trust, MITRE ATT&CK+ATLAS behavioral monitoring. Availability: Kubernetes HA with gVisor pod isolation. Confidentiality: encryption at rest and in transit. Processing Integrity: deterministic OPA pipeline + behavioral validation. Privacy: AI Shield PII redaction on all outputs.

  • Security: Zero Trust 5-layer
  • Availability: K8s HA + gVisor isolation
  • Confidentiality: E2E encryption
  • Processing Integrity: OPA + behavioral guard
  • Privacy: AI Shield PII redaction

GDPR & Data Residency

100% on-premises — no data leaves your network. Your Kubernetes cluster, your storage, your keys. AI Shield PII redaction on every tool output. Audit log retains actor identity and timestamps for Data Subject Access Requests. PII never logged in plaintext.

  • 100% on-premises, zero cloud data transfer
  • PII redacted before any logging
  • Actor + timestamp for DSAR audit trail
  • Data minimisation via OPA tool scope

WORM Audit Chain

The immutable audit chain is append-only by design. Each record's SHA-256 hash links deterministically to its predecessor — any tampering is detectable by ChainVerifier. Compatible with WORM-capable object storage: S3 Object Lock, Azure Immutable Storage, NetApp SnapLock. Chain verification API available.

  • SHA-256 hash chain — tamper-evident
  • JSONL export compatible with WORM storage
  • ChainVerifier API for on-demand verification
  • OTLP SIEM export (Splunk, Sentinel, Elastic)
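To make the hash-chain idea concrete, here is a small hash-chained JSONL audit log with a verifier. It is an added example written for this page, not ArcaX's ChainVerifier or its export format; the record fields, the genesis value and the sample events are constructed for illustration. It also shows the one case a bare chain cannot catch on its own: truncation of the tail, which is only detectable when the latest hash is anchored somewhere the writer cannot alter, which is what the WORM storage integration above provides.

```python
import hashlib
import json
from typing import Optional

# Hypothetical hash-chained audit log (added example; not ArcaX's ChainVerifier).
GENESIS_HASH = "0" * 64  # prev_hash value of the very first record


def _canonical(obj) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so a record
    # always hashes to the same digest regardless of dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_record(chain: list, actor: str, action: str, ts: str, **fields) -> dict:
    """Append one record whose SHA-256 covers its content and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash,
            "actor": actor, "action": action, "ts": ts, **fields}
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def to_jsonl(chain: list) -> str:
    """Serialise the chain as JSON Lines, one record per line."""
    return "".join(json.dumps(r, sort_keys=True, separators=(",", ":")) + "\n"
                   for r in chain)


def verify_jsonl(text: str, expected_head: Optional[str] = None) -> tuple:
    """Re-walk a JSONL export and return (ok, reason).

    expected_head is the hash of the last record as recorded out-of-band
    (e.g. in object-locked storage). Without it, silently dropping the
    tail is undetectable: a shorter chain is still internally consistent.
    """
    prev_hash = GENESIS_HASH
    count = 0
    for lineno, line in enumerate(text.splitlines()):
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("seq") != count:
            return False, f"line {lineno}: expected seq {count}, got {record.get('seq')}"
        if record.get("prev_hash") != prev_hash:
            return False, f"line {lineno}: prev_hash does not match previous record"
        body = {k: v for k, v in record.items() if k != "hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != record.get("hash"):
            return False, f"line {lineno}: record content does not match its hash"
        prev_hash = record["hash"]
        count += 1
    if expected_head is not None and prev_hash != expected_head:
        return False, "chain head does not match the externally anchored hash"
    return True, f"{count} records verified"


def build_sample_chain() -> list:
    # Constructed sample events, not real log data.
    chain = []
    append_record(chain, "alice", "tool.invoke", "2024-01-01T10:00:00Z", tool="db_query")
    append_record(chain, "bob", "policy.deny", "2024-01-01T10:00:05Z", tool="file_write")
    append_record(chain, "alice", "tool.invoke", "2024-01-01T10:01:00Z", tool="http_get")
    return chain


def tamper_demo() -> dict:
    """Verify an intact export and three tampered variants of it."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]            # the value to anchor in WORM storage
    intact = to_jsonl(chain)
    edited = intact.replace('"actor":"bob"', '"actor":"mallory"')
    lines = intact.splitlines()
    reordered = "\n".join([lines[0], lines[2], lines[1]]) + "\n"
    truncated = "\n".join(lines[:2]) + "\n"
    return {
        "intact": verify_jsonl(intact, head)[0],
        "edited": verify_jsonl(edited, head)[0],
        "reordered": verify_jsonl(reordered, head)[0],
        "truncated_unanchored": verify_jsonl(truncated)[0],
        "truncated_anchored": verify_jsonl(truncated, head)[0],
    }


if __name__ == "__main__":
    for name, ok in tamper_demo().items():
        print(f"{name:22s} {'OK' if ok else 'TAMPER DETECTED'}")
```

The edited and reordered exports fail because a record's digest no longer matches its content or its predecessor; the truncated export passes until the head hash is supplied, which is why the last hash (or a periodic checkpoint of it) belongs in object-locked storage rather than only in the log itself.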

ANSSI Qualification (in progress)

ANSSI qualification dossier in progress. ArcaX targets qualification for deployment in Operator of Vital Importance (OIV) environments in France. Air-gap deployment supported. Self-contained PKI with offline root CA. Contact us for current compliance status and timeline.

  • Qualification dossier in preparation
  • Air-gap deployment supported
  • Offline root CA architecture
  • OIV environment compatibility

Key Controls — Built In, Not Bolted On

Control                                   | PCI-DSS | ISO 27001 | SOC 2    | GDPR
------------------------------------------|---------|-----------|----------|-----
Immutable audit log (SHA-256 chain)       | Req. 10 | A.12.4    |          |
Encryption at rest (AES-256-GCM)          | Req. 3  | A.10      |          |
Encryption in transit (mTLS 1.3)          | Req. 4  | A.10      |          |
Access control & least privilege (OPA)    | Req. 7  | A.9       |          |
PII redaction (AI Shield)                 |         |           | Privacy  |
Incident detection (behavioral baseline)  |         | A.16      | Security |
HSM key management (PKCS#11)              | Req. 3  | A.10      |          |
Data residency (100% on-premises)         |         |           |          |

Need a compliance dossier for your RSSI (CISO)?

We provide compliance evidence packages including architecture diagrams, control mappings, and test reports on request.
