Security & trust

Where we are. What we promise. What's still in flight.

We won't ship a security badge we haven't earned. This page is a working summary; procurement-grade evidence is available on request to active design partners.

01 · Access control

Tenant-scoped RBAC

Roles bind to account · tenant · flag. A support lead can read tenant truth without touching prod. An approver scoped to tenant B cannot approve tenant A.

02 · Change control

Two-engineer production approval

Production-impacting changes require a second reviewer. The approval flow itself writes audit rows. Solo deploys to prod are not a feature.

03 · Audit

Immutable, tenant-scoped audit rows

Append-only. Each row carries actor, timestamp, env, tenant, flag, before, after, and source metadata. Exportable to your SIEM.

04 · Compliance

SOC 2 Type 1 · in flight

Evidence collection is active. Honest horizon: target is end of pilot cohort. We will not display a SOC 2 badge before audit completion.

Subprocessors

Where the data lives.

Subprocessor | Purpose | Region
Google Cloud · Firestore | Data plane and change log | multi-region (us, eu)
Google Cloud · Cloud Functions | Approval enforcement, audit writes | multi-region
Google Cloud · Firebase Auth | Authentication | global
Cloudflare | Marketing site, CDN | global edge

Last reviewed · 2026-05-04. Subprocessor changes are emailed to active customers 30 days in advance.

Reporting a vulnerability

Email security@projectargus.cloud.

We acknowledge in writing within one business day. We don't have a bug bounty yet — we will credit researchers publicly with permission, and we don't pursue legal action against good-faith disclosure.