We secure security teams. Here's how we secure ours.
The bar for this category is high, and our documentation should clear it. Here's how we handle your data, who can touch it, and what you can review under NDA.
Audits & Attestations
We commission third-party audits every year and hold our own operation to the same control standards we deliver to customers. In this category, that isn't a differentiator. It's the minimum.
SOC 2 Type II
Security, Availability, and Confidentiality. Twelve-month observation window. Audited annually by an independent CPA firm.
Available under NDA
HIPAA Security Rule
Administrative, physical, and technical safeguards mapped. Standing BAA template available for healthcare customers.
Mapping: 45 CFR §164
CMMC Level 2
Working toward CMMC Level 2 (NIST SP 800-171 Rev 2). Certification requires a third-party (C3PAO) assessment, which is planned.
C3PAO assessment: planned
ISO/IEC 27001:2022
Targeted for a future assessment cycle. Annex A controls are being mapped as part of our certification roadmap.
Status: roadmap
Where your data lives and who can touch it.
U.S.-based hosting.
The ArmorPoint agent transmits customer telemetry directly to our U.S. infrastructure in Phoenix. Primary tenant infrastructure operates in U.S. regions.
TLS 1.3 in transit.
Traffic to and within the platform is encrypted in transit with TLS 1.3.
U.S.-based. Background-checked.
All Tier 1, Tier 2, and incident-response analysts are U.S.-based personnel operating on U.S. soil; ArmorPoint does not offshore its SOC or incident-response work. Access to customer environments requires MFA and is logged and monitored.
Policy-driven. Customer-controlled.
Telemetry retention defaults to 12 months (extendable per contract). Evidence and audit artifacts are retained per regulatory requirement. On termination, customer data export and certified deletion are handled per your executed agreement.
The discipline behind the platform.
Vulnerability management
Continuous vulnerability scanning across our environment. Independent third-party penetration testing conducted annually. Risk-based remediation per our vulnerability management policy.
Patch & configuration management
Infrastructure managed as code. Defined patch and configuration management process. Remediation applied with your approval.
Incident response (our own)
24/7 incident-response coverage. Documented incident-response playbooks. Same-business-day notification target for confirmed incidents affecting customer data; specific terms per your executed agreement.
Business continuity & DR
Failover and tabletop exercises are conducted regularly to validate business continuity and disaster recovery.
Personnel security
Background checks at hire. Mandatory annual security-awareness training. Role-based access reviews conducted periodically.
Documents your security team can request.
Review documents are available to qualified prospects and customers under a mutual NDA. Request them through your partner contact or your ArmorPoint account team. Typical turnaround is 2 business days.
SOC 2 Type II Report
Most recently issued SOC 2 Type II report covering Security, Availability, and Confidentiality. Includes management response.
BAA template (HIPAA)
Standing Business Associate Agreement template, ready for execution.
Security questionnaire (CAIQ-style)
We complete security questionnaires (SIG, VSA, and CAIQ-style) on request.
Bring your procurement-team checklist.
We'll bring our governance lead to the demo if it helps. The fastest way through a security review is to get your questions and the people who can answer them in the same room.
Information current as of 6/30/2026; subject to change. The controlling terms are those in your executed agreement.