Security overview

Armeta processes proprietary engineering drawings — P&IDs, plot plans, and related as-built documentation — for operators, EPCs, and engineering firms. That data is sensitive by nature: it describes the facility, the equipment, and often the safety envelope. Our security program is designed around that reality.

Every commitment on this page is verifiable. Customers and prospects evaluating Armeta can request current documentation, subprocessor lists, and architecture summaries from the security team under NDA.

01

Certifications and audits

A SOC 2 Type II audit is in progress, with completion targeted for H1 2026. Questionnaires, letters of engagement, and scope documents are available to qualified customers under NDA.

02

Data protection

TLS 1.3 for all data in transit. AES-256 for all data at rest. Cryptographic material is managed by a dedicated key management service with rotation enforced on a fixed schedule.

03

Access controls

Single sign-on via SAML 2.0 and OIDC. Role-based access control aligned to customer directory groups. Full audit logs for authentication, authorization, and data access events, exportable to customer SIEM.

04

Data residency

US, EU, and customer-designated regions supported. Customer engineering data is stored in the region selected at onboarding and is not replicated across regions without explicit authorization.

05

Deployment options

Multi-tenant cloud, dedicated single-tenant cloud, and on-premise or customer-managed private cloud. Air-gapped deployments are supported for engagements that require them.

06

Incident response

24x7 on-call rotation. Documented severity classification, communication SLAs, and post-incident review process. Customer-impacting incidents are reported in line with the terms of the engagement.

Customer data handling

Specific customer data handling terms — including access, retention, deletion, and regional constraints — are defined in each customer's master services agreement and data processing addendum. The defaults documented here are the minimum; individual engagements can tighten them but not relax them.

For audit-facing customers, Armeta supports read-only auditor access to extraction outputs, traceability records, and provenance metadata as part of the engagement scope.

Security contact

For questionnaires, vulnerability reports, or a copy of the current security overview, write to security@armeta.ai. Responses within one business day.

FAQ

Do you use customer data to train models?

No. Customer engineering data is never used to train or fine-tune Armeta’s shared models. Engagement-specific models trained on a customer’s own data remain scoped to that engagement and are not exposed to other customers.

How is customer data segregated?

Logical segregation at every layer — storage, compute, and processing — keyed to the customer tenant. Single-tenant and on-premise deployments provide physical segregation in addition to logical controls.

What happens to customer data after an engagement ends?

Retention, deletion, and return-of-data are governed by the terms of the engagement. The default posture is that customer data is deleted on request and on contract termination, subject to documented legal-hold requirements.

Can we review Armeta’s security documentation?

Security questionnaires, architecture summaries, and subprocessor lists are available to qualified customers and prospects under NDA. Contact security@armeta.ai to request access.

How do we report a vulnerability?

Write to security@armeta.ai with as much detail as you can share. We acknowledge vulnerability reports within one business day and coordinate disclosure in good faith.