
Audit-ready security, designed for the regulated enterprise.

Art2link runs the workloads regulated industries depend on — clinical data in HL7, financial transactions in X12, customer PII in CRM pipelines. The platform’s security posture is built for the people who answer to auditors, not just engineers.

  • SOC 2 Type II — In Progress
  • HIPAA-ready controls
  • Microsoft Entra ID
  • TLS 1.3 / KMS-backed

Identity

SSO via Entra ID, Okta, or any OIDC provider. MFA enforced, conditional access policies, no shared credentials anywhere.


Access

Granular RBAC at the pipeline level. Service identities backed by managed identity or workload identity federation.


Encryption

TLS 1.3 everywhere in transit. AES-256 at rest, KMS-backed keys, customer-managed keys (CMK) supported.


Audit

Immutable audit log of every config change, deployment, and message-level action. Streamable to your SIEM.

Trust matrix.

Every security control in Art2link, cross-referenced to the frameworks your auditors care about. Hand this to compliance on day one.

Legend: Yes = implemented, In Progress = in progress, N/A = not applicable

| Control                            | SOC 2       | HIPAA | ISO 27001 | GDPR | HITRUST     |
|------------------------------------|-------------|-------|-----------|------|-------------|
| Identity (Entra ID, OAuth, MFA)    | Yes         | Yes   | Yes       | Yes  | Yes         |
| Role-based access control (RBAC)   | Yes         | Yes   | Yes       | Yes  | Yes         |
| Encryption at rest (KMS-backed)    | Yes         | Yes   | Yes       | Yes  | Yes         |
| Encryption in transit (TLS 1.3)    | Yes         | Yes   | Yes       | Yes  | Yes         |
| Audit logging (immutable)          | Yes         | Yes   | Yes       | Yes  | In Progress |
| Data residency controls            | Yes         | Yes   | Yes       | Yes  | In Progress |
| Vulnerability management           | Yes         | Yes   | Yes       | Yes  | Yes         |
| Business continuity / DR           | In Progress | Yes   | Yes       | Yes  | In Progress |
| Penetration testing (annual)       | Yes         | Yes   | Yes       | N/A  | Yes         |
| Secure SDLC                        | Yes         | Yes   | Yes       | N/A  | Yes         |
| Sub-processor management           | Yes         | Yes   | Yes       | Yes  | Yes         |
| Incident response (24h SLA)        | Yes         | Yes   | Yes       | Yes  | Yes         |
| BAA available                      | N/A         | Yes   | N/A       | N/A  | Yes         |
| Data subject access / DPA          | N/A         | N/A   | Yes       | Yes  | N/A         |

Data residency

Your data stays where you tell it to.

Pin every pipeline to a specific cloud region. Cross-region replication is opt-in, never default, with audit trail.

  • 14 regions across Azure, AWS, and GCP
  • EU-resident, US-resident, sovereign-cloud options
  • Bring-your-own-cloud deployment available

Vulnerability management

Continuously scanned, regularly tested.

Static analysis, dependency scanning, and container CVE checks run on every build. Annual third-party penetration test.

  • Public coordinated-disclosure program
  • Critical CVEs patched within 7 days
  • Pen-test summary available under NDA

Sub-processors

Transparent supply chain.

Public sub-processor list with notification on changes. DPA available for any customer who needs one.

  • Hyperscale cloud providers (Azure, AWS, GCP)
  • Email & observability vendors documented
  • No undisclosed third parties touch customer data

Incident response

24-hour breach SLA, written.

If we discover a confirmed incident affecting your data, you hear from us within 24 hours, in writing, with what we know and what we’re doing.

  • On-call rotation, follow-the-sun coverage
  • Tabletop exercises run quarterly
  • Post-incident write-ups shared with customers

Need the full audit package?

SOC 2 progress report, HIPAA-readiness pack, sub-processor list, and DPA template. Available under NDA — we’ll send everything inside one business day.
