Security
The page IT, security, and compliance reviewers ask for. Written as paragraphs, not bullets — buyers reading this trust clear prose more than visual flourish.
Archivez runs in AWS eu-central-1 (Frankfurt). Compute, document storage, and primary database are all in Frankfurt. There is no US fallthrough for any customer data.
AI inference uses AWS Bedrock cross-region inference profiles pinned to EU regions only — Frankfurt, Stockholm, Milan, Spain, Ireland, Paris — per AWS Bedrock's published routing. A request from a Frankfurt-hosted tenant may land in another EU region for capacity reasons; it will never land outside the EU.
Every row in every customer-data table carries a tenant_id column. Every retrieval applies WHERE tenant_id = $1 at the SQL layer before the vector search, before the AI call, before anything downstream. This is structural — a future code mistake or admin oversight cannot expose data across tenants because the isolation lives in every query, not in a policy somewhere.
The same boundary applies to AI prompt construction: retrieved chunks are framed as untrusted data, and the user query is never concatenated with content that could include another tenant's text.
Documents are stored in private S3 buckets with AWS server-side encryption (SSE-S3, AES-256). Database is encrypted at rest with AWS-managed keys.
Gmail OAuth tokens receive an additional KMS-wrapped envelope encryption layer on top of the at-rest encryption — a tenant-specific data encryption key, wrapped by a KMS customer master key, with the wrapped key stored alongside the encrypted token. Read access requires both KMS authorization and tenant-scoped database access.
TLS 1.2 or higher in transit, on every interface.
Archivez requests Google's gmail.readonly scope. This is Google's Restricted scope category — narrower than Sensitive — and grants read-only access to message bodies, headers, and metadata. It does not grant the ability to send, draft, modify, or delete messages.
Each user picks which senders are indexed; messages from non-monitored senders are never read. Tokens are revocable at any time from a user's Google account, which immediately stops new indexing.
AWS Bedrock contractually does not train its models on customer inference inputs. We do not train any model on customer data — embeddings, chat inputs, chat outputs, documents, or email content. There is no customer-data path into model training, ours or anyone else's.
Gmail integration runs in Google's Testing mode for invited pilot users. Testing mode allows up to 100 active accounts with the full gmail.readonly scope. This is the right phase for a pilot product — Production verification follows once the implementation is stable.
Production GA requires a CASA Tier 2 third-party security assessment recognized by Google. The assessment is a 4–12 week process; it is on our roadmap before public launch. CASA does not block invited pilots.
Every assistant response includes citations linked to the specific document or email passage the answer was grounded in. Two clicks open the source. Hallucinations are still possible — no RAG system eliminates them — but the verification path is one tap.
AWS Bedrock Guardrails are wired in monitoring mode on both the retrieval extractor and the chat endpoint, flagging prompt-injection and sensitive-content patterns without blocking.
Data controller: Open Kinetix d.o.o. (Kazimira Veljkovica 45, 34000 Kragujevac, Serbia). Privacy questions: privacy@archivez.io.
Standard subprocessor list: AWS (compute, storage, AI inference). Stripe (billing). Google (Gmail OAuth, IdP federation). DPA available on request.
archivez.io ships no analytics, no third-party tracking pixels, and no cookies. There is nothing for a cookie banner to disclose. This decision is structural — not a future option to revisit lightly.
The capabilities brief covers architecture, retrieval, multilingual handling, evaluation methodology, and pricing detail. Send a note and we'll share it.