Trust & data handling
ArchGuard reviews Terraform infrastructure code against the AWS Well-Architected Framework and returns a structured PDF report. This page explains exactly what data we process, where we process it, how long we keep it, and what we do not have access to. It is written for procurement teams, CTOs evaluating a vendor, and AWS Partner Network reviewers.
Where your code is processed
- EU customers (billing country in the European Economic Area): AI inference runs in Amazon Bedrock in eu-central-1 (Frankfurt).
- US and rest-of-world customers: inference runs in us-east-1.
Uploaded Terraform files are stored in an S3 bucket in the same region as the inference call. Files are deleted immediately when the review job completes. We do not retain raw Terraform after job completion. We do not accept Terraform state files.
What we store
- Account email address
- Submission metadata: timestamp, file count, total size, pillar scores, finding IDs
- The generated PDF report, retained for the duration of the customer's plan
- Stripe payment and subscription records (processed and stored by Stripe)
We do not store raw Terraform files after the review job ends.
What we do not have
- AWS credentials of any kind
- Terraform state files (we do not accept them)
- Terraform plan output (not required for our analysis)
- Repository access (no GitHub, GitLab, or Bitbucket OAuth)
- Production read-only IAM roles
- Anything that could touch, read from, or modify your AWS infrastructure
Sub-processors
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| AWS (compute, storage, email) | Infrastructure and transactional services | EU (eu-central-1) / US (us-east-1) per customer | AWS DPA |
| Amazon Bedrock (Claude Sonnet 4.5) | AI inference for architectural review | EU / US per customer billing country | AWS DPA |
| Stripe | Payment processing | EU / US | Stripe DPA |
| Resend / Postmark | Transactional email | EU | Vendor DPA |
| Plausible Analytics | Privacy-respecting web analytics | EU (Frankfurt) | Plausible DPA |
Legal entity
ArchGuard.io is a product of Rost CAMP, a sole proprietorship registered with the Netherlands Chamber of Commerce (KVK). Governed by Dutch law.
Privacy enquiries: privacy@archguard.io · Legal and DPA requests: legal@archguard.io
Compliance posture
ArchGuard is not currently SOC 2 or ISO 27001 certified. We aim to begin SOC 2 Type I in Q4 2026. For procurement teams that require a signed DPA and Standard Contractual Clauses, contact legal@archguard.io and we will return signed documents within 2 business days.
We process personal data in line with GDPR requirements and will provide a Data Processing Agreement on request. We do not claim “GDPR compliant” as a certification — GDPR is an ongoing obligation, not a certification.
NIS2 and DORA
ArchGuard does not provide NIS2 or DORA compliance certification. Our review output may serve as evidence for NIS2 Article 21(2)(e) and (h) configuration management expectations, and for DORA Article 9 ICT change management. We do not claim that either regulation requires our use, and we do not represent that using ArchGuard alone satisfies either regulation.