
ARCHETYPEID INFORMATION SECURITY REQUIREMENTS (ISR)

Effective Date: April 9, 2026

Version: 26.1.0

These Information Security Requirements (the “Exhibit” or “ISR”) are incorporated by reference into the Software as a Service Agreement (MSA) or analogous master agreement (collectively, the “Agreement”) existing between the Customer and Sparky AI, Inc. d/b/a ArchetypeID (“ArchetypeID” or “Company”). This document outlines the technical and operational measures established for the safeguarding of Customer Property within the Services.

1. INFORMATION SECURITY PROGRAM

ArchetypeID is committed to maintaining a meticulously documented information security program designed in alignment with prevailing industry standards (such as SOC 2 and ISO 27001). Operational and technical controls surpassing prevalent industry benchmarks are diligently implemented by ArchetypeID to thwart unauthorized access, manipulation, utilization, and deletion of Customer Property. Annually, ArchetypeID’s Chief Information Security Officer (CISO) or designated security leadership reviews and approves the Company’s information security policies.

2. AI & COMPUTATIONAL ENGINE SECURITY (NEW)

Given the advanced nature of ArchetypeID’s behavioral simulation and generative AI platform, the following AI-specific data safeguards are strictly enforced:

  • Zero-Retention Inference Routing: All prompts, data, and Customer Property routed through third-party foundational models (e.g., Anthropic Claude, Google Vertex AI) are transmitted exclusively via enterprise-tier API endpoints configured for “Zero Data Retention.” Third-party providers are contractually and technically restricted from utilizing Customer Property to train, fine-tune, or improve their models.
  • Model Data Segregation: Customer Property processed by ArchetypeID’s proprietary Macro-Behavioral Swarm Engine or Virtual Twins is logically isolated. Customer Property belonging to one tenant cannot cross-contaminate or be exposed to another tenant’s simulation environment.
  • Prompt Injection Safeguards: ArchetypeID employs advanced input-validation and sanitization protocols designed to mitigate adversarial testing, prompt injection, and jailbreak attempts targeting the underlying computational engines.

3. TECHNICAL CONTROLS & CLOUD SECURITY

  • Encryption: To ensure data integrity and confidentiality, ArchetypeID encrypts Customer Property both at rest and in transit. Data in transit is encrypted using TLS 1.2 or higher with AES-256 cipher suites (defaulting to TLS 1.3). Data at rest is encrypted at the storage level using AES-256.
  • Key Management: ArchetypeID employs a cryptographic key management scheme that involves regular rotation of encryption keys. Keys are logically separated from Customer Property.
  • Access Control: Access to Customer Property is strictly authorized based on the Principle of Least Privilege (PoLP). All access to production or administrative environments mandates the utilization of a unique user ID, complex passwords, and Multi-Factor Authentication (MFA).
  • Access Revocation: System access is promptly revoked within twenty-four (24) hours in the event of employee or contractor termination.
  • User Access Reviews: Semi-annual user access reviews are conducted to ensure the removal of inactive and unnecessary accounts.
  • Environment Segregation: Stringent logical and physical segregation is maintained between the production environment and the development/testing environments. Production data is never utilized in testing environments without explicit anonymization/de-identification.
  • Network Security: ArchetypeID utilizes serverless instances and a multi-tiered cloud network infrastructure. A Web Application Firewall (WAF) and Content Delivery Network (CDN) are deployed to mitigate DDoS attacks and guard against common web vulnerabilities (e.g., OWASP Top 10).
  • Logging and Monitoring: Centralized logging tools are employed to record activities, correlations, and changes in the production environment. Logs are scrutinized for anomalies and securely stored for a minimum of one year.

4. VULNERABILITY MANAGEMENT & SDLC

  • Vulnerability Scanning: Weekly automated vulnerability scans are conducted. Identified vulnerabilities are patched and remediated according to ArchetypeID’s risk-based vulnerability management policy.
  • Penetration Testing: ArchetypeID engages independent, reputable third parties to conduct annual network and application-level penetration tests. Executive summary reports are available to Enterprise Customers upon written request under NDA.
  • Secure SDLC: Secure code development practices are integral to our agile release cycle, including mandatory peer code reviews, dynamic application security testing (DAST), and dependency/open-source vulnerability scanning prior to pushing code to production.

5. OPERATIONAL & PERSONNEL CONTROLS

  • Personnel Security: All new hires undergo background screening (criminal and employment verification) prior to onboarding, as permitted by applicable law. Signing strict confidentiality and IP assignment agreements is mandatory.
  • Security Training: Security awareness training is mandatory upon hire and annually thereafter. The curriculum includes incident reporting, device security, phishing awareness, and AI data handling best practices.
  • Device Management: ArchetypeID personnel utilize centrally managed workstations configured with mandatory security controls, including full-disk encryption, password protection, remote-wipe capabilities, and inactivity lockouts.

6. THIRD-PARTY RISK & INCIDENT RESPONSE

  • Third-Party Risk Management: A robust vendor risk management program ensures that all Sub-processors maintain security standards equal to or greater than ArchetypeID’s.
  • Incident Response: ArchetypeID maintains a documented and annually tested Incident Response Plan. In the event of a confirmed Data Security Breach, ArchetypeID will notify affected Customers in accordance with the timelines specified in the Data Processing Agreement (DPA).
  • Business Continuity & Disaster Recovery (BCDR): A disaster recovery plan ensures timely recovery in the event of major disruptions. Daily backups of Customer Property are conducted and stored securely across multiple availability zones.

7. CUSTOMER AUDIT & TESTING RIGHTS

  • Due Diligence: Upon written request (no more than once annually), Customer may access documentation and standard security questionnaires demonstrating ArchetypeID’s compliance with these obligations.
  • Customer Penetration Testing: Customer may not conduct penetration testing or vulnerability scanning against ArchetypeID’s production environments without prior, explicit written consent from ArchetypeID’s CISO. Any approved testing must adhere to strict Rules of Engagement designed to prevent service disruption (DDoS testing is strictly prohibited), and results must be shared confidentially with ArchetypeID.

8. CUSTOMER SECURITY RESPONSIBILITIES

  • Access Management: Customer is solely responsible for managing its authorized users, enforcing strong password complexity, and maintaining the security of its API keys and credentials.
  • Acceptable Use: Customer is responsible for ensuring that all data uploads and platform interactions strictly adhere to ArchetypeID’s Acceptable Use Policy (AUP).
