ArtinLeap Trust & Security Center
Last update: December 19th, 2025
ArtinLeap is committed to the highest standards of security, privacy, and transparency. As an Agentic AI platform, we recognize our responsibility in handling sensitive data across the Google, Microsoft, Atlassian, Slack, Notion and other ecosystems. Our security posture is continuously audited and monitored by TAC Security and Aikido Security.
I. Compliance & Validation Roadmap
We maintain a transparent view of our compliance status, categorized by verified achievements and active workstreams.
1.1 Achieved Certifications
- Google CASA (Tier 2 Approved): The Orkestrators application has successfully passed the Cloud Application Security Assessment (CASA) conducted by TAC Security. Our verified Cyber Score is 9.7 / 10.
- Standardized Endpoint Protection: Industry-leading antivirus and antimalware protection via Bitdefender is deployed on all company-issued workstations to prevent lateral movement and credential theft.
1.2 Active Workstreams (In Progress)
- EU AI Act Readiness (High Priority): We are currently implementing the governance framework required for High-Risk AI systems under the AIA (Art. 9, 10, and 11). This includes a formal Risk Management System and technical documentation for traceability.
- GDPR Compliance: Currently 97% compliant, audited by Aikido Security. We strictly adhere to Article 2.1 (Principles of Processing) and Article 4.9 (Security of Processing).
- HIPAA Readiness: Currently 91% compliant. We have implemented the majority of Administrative, Technical, and Physical safeguards required for handling Protected Health Information (PHI).
- SOC 2 Type I Readiness: Internal controls are finalized and being monitored, currently at 89% completion. Type II Attestation is scheduled for Q1 2026.
1.3 Future Roadmap
- ISO 27001 Certification: Formal gap analysis and certification scheduled for Q3 2026.
1.4 Requesting Reports
- Formal compliance reports (SOC 2, HIPAA, or CASA reports) are available for enterprise customers under NDA. Please direct requests to: info@artinleap.com
II. Data Security & Cryptographic Standards
2.1 Data Residency & Infrastructure
- Compute Location: Our application utilizes a highly secure distributed cloud platform with compute resources located in France, Europe.
- Storage Location: All customer-persistent data is stored in Germany, Europe.
- Physical Security: We operate a 100% cloud-native architecture and do not maintain physical servers or on-premise data centers.
- Network Access Enforcement: Network segmentation and firewall rules are continuously enforced to restrict database access to authorized services only, preventing unauthorized remote access.
2.2 Encryption Protocols
- In Transit: All data moving between users, agents, and integrated services is encrypted using TLS 1.3 only.
- At Rest: Databases are configured with KMS-managed AES-256 encryption. We maintain a continuous update cycle for all cryptographic libraries to prevent "downgrade" attacks.
III. AI Governance & Software Supply Chain
3.1 AI Data Privacy & "No-Training" Guarantee
- Training Policy: We guarantee that customer data, documents, and integrated service content are NOT used to train or improve our agents without explicit user consent.
- API-First Security: We utilize Enterprise-grade API endpoints for all LLM interactions. Under these contractual agreements, providers (OpenAI, Anthropic, etc.) are prohibited from using data for model training.
3.2 Dynamic Model Orchestration
Orkestrators employs a provider-agnostic strategy to deliver the best reasoning capabilities:
- Model Provider Agnosticism: We integrate the latest models from top-tier providers including OpenAI (GPT), Anthropic (Claude), Google (Gemini), Amazon (Nova), xAI (Grok), Mistral, and NVIDIA (Llama/Nemotron).
- Dynamic Selection Logic: Tasks are routed between "Ultra/Pro" tiers (for complex reasoning) and "Flash/Lite" tiers (for speed and efficiency).
- Secure Gateway: We use OpenRouter as our secure management gateway. This allows us to integrate new models immediately without compromising security.
3.3 Software Supply Chain (DevSecOps)
- Vulnerability Detection: We use Snyk for continuous Software Composition Analysis (SCA). Every dependency and third-party library is scanned for vulnerabilities before reaching production.
- Unified Risk Monitoring: Aikido Security provides a unified dashboard for monitoring risks across our code, cloud infrastructure, and secrets.
IV. Identity, Access, and Perimeter Control
We implement a "Zero Trust" inspired architecture to ensure that only authorized personnel and processes can interact with sensitive data.
4.1 Access Control & Authorization
- The Authorization Principle: The Orkestrators agent always accesses user data by strictly following the authorization process and access permissions defined by the integrated services (Google, Microsoft, Atlassian, Slack).
- Scope Minimization (Least Privilege): We are currently 96% compliant on Logical Access controls. We request only the minimum OAuth scopes required for the specific task the user has authorized.
- Just-in-Time (JIT) Access: We implement JIT Access for our production environments. No employee has standing administrative access; privileges are granted only when needed for specific, logged maintenance tasks.
4.2 Authentication & Workstation Security
- User Authentication: Managed via Auth0, enforcing secure salted password hashing and Multi-Factor Authentication (MFA) for all users.
- Privileged Accounts: Internal administrative accounts are secured via Hardware-Backed MFA (FIDO2/YubiKey).
- SDLC Isolation: We strictly enforce environment separation. Development, testing, and production environments are isolated (SOC 2 CC6.1) to prevent "configuration drift" and ensure that live customer data is never used in testing.
V. Detailed Integration Scopes (OAuth)
To provide full transparency to IT Administrators, we disclose the standard scopes requested for our primary integrations. These permissions allow the agent to read, create, and modify content as directed by the user.
Data Integrity Policy: Our agent supports Read, Create, and Modify operations. We strictly enforce a No Hard Delete policy; any deletion task is handled as a "soft delete" (e.g., moving to "Trash" or "Archived" status) within the source service to ensure data recoverability.
5.1 Google Integration (Drive, Calendar, Gmail)
- Read Access: drive, calendar.readonly, gmail.readonly
- Write & Modify: calendar.events, gmail.send, gmail.modify, gmail.compose
- Configuration: gmail.settings.basic
- Purpose: Enables the agent to manage schedules, draft/send communications, and organize files within the Google Workspace.
5.2 Microsoft Integration (Outlook, Calendar, OneDrive/SharePoint)
- Email & Folder Management: Mail.ReadWrite, Mail.Send, MailboxFolder.ReadWrite, MailboxSettings.ReadWrite
- Calendar Operations: Calendars.ReadWrite, MailboxSettings.Read
- File & Site Orchestration: Files.ReadWrite.All, Sites.Create.All, Sites.Read.All (Covers both OneDrive and SharePoint environments).
- Purpose: Allows the agent to act as a full productivity assistant within the Microsoft 365 ecosystem.
5.3 Atlassian Integration (Jira & Confluence)
- Jira Project Management: read:jira-work, write:jira-work, manage:jira-project, manage:jira-configuration, read:epic:jira-software
- Confluence Knowledge Management: write:confluence-content, read:confluence-content.summary, search:confluence, write:confluence-file, manage:confluence-configuration
- Identity & Offline Access: read:me, offline_access
- Purpose: Enables the agent to automate ticket workflows, manage project configurations, and maintain Confluence documentation.
5.4 Slack Integration
- Conversation Context: channels:history, groups:history, im:history, mpim:history
- User & Search: users:read, search:read, channels:read
- Messaging & Interaction: chat:write, im:write, mpim:write
- Purpose: Facilitates deep context retrieval from Slack conversations and allows the agent to interact with team members or private groups.
VI. Incident Response & Reporting
We maintain a rigorous incident response plan designed to minimize impact and ensure rapid communication.
6.1 Reporting Channels (Order of Priority)
- Primary Channel (Support Tickets): For the fastest resolution and tracking, all users should open a support ticket in our Service Management System.
- Security & Compliance Inquiries: For formal security reviews, vulnerability reports, or compliance questions, contact: info@artinleap.com
- Secondary Support: General technical help can be directed to: support@artinleap.com
6.2 Commitments
- Accelerated Breach Notification: In the event of a confirmed data breach, ArtinLeap commits to notifying affected customers and relevant regulatory authorities within 24 hours.
- 24/7 Security Contact: A dedicated security responder is available through our service desk portal for critical, active incidents.
- Vulnerability Disclosure Policy (VDP): We maintain a public VDP to encourage the responsible reporting of security flaws by the research community.
VII. Legal & Governance Framework
- Key Sub-processors: We maintain a legally compliant list of sub-processors, including our Cloud Compute/Storage Provider (located in the EU), Auth0 (Identity), OpenRouter (Model Routing), and Snyk (Security Scanning).
- Governing Law: Services for EU/International users are governed by French Law. Services for USA users are governed by Delaware Law.
- Corporate Presence: ArtinLeap is a French SAS headquartered in Valbonne (Sophia Antipolis). To better serve our North American partners, we maintain a dedicated US business office in Mountain View, California.
- Documentation Access: Access our full User Guide Documentation and technical manuals via our portal.
- Policies: Privacy Policy | Terms & Conditions
