Arches

Governance & Compliance

Managed cloud

Arches-hosted, region of your choice

Single-tenant VPC

Your AWS / GCP / Azure account

On-prem / air-gapped

Signed images, zero callbacks

This workspace: US · self-hosted (customer VPC)

Where it runs: Inside your own cloud (single-tenant, us-east-1)
Who operates it: Your team · fully offline (air-gap) supported
AI model calls: Your private endpoint — never a shared API
What leaves your network: Nothing
Who holds the keys: You (your own KMS / HSM)
How updates land: Signed releases, applied on your approval

Regulatory posture

SOC 2 Type II

Report current · covers the self-hosted control plane

Compliant

HIPAA

BAA in place · PHI redaction enforced at the tool layer

Compliant

CCPA / CPRA

Consumer request workflow wired to the audit trail

Compliant

FedRAMP Moderate

In process via GovCloud deployment

In review

Data boundary

0

Data sent outside (30d)

Verified at the network level

Single-tenant

Isolation

No shared compute or storage

Yours

Keys & models

Your keys, your model endpoint

Consumer requests (CPRA) · SLA: 45 days

CR-0142

Deletion request

k****@gmail.com

Due in 31 days · In progress

CR-0139

Access / know request

t****@outlook.com

Completed

Runs where your data lives

The full stack — runtime, traces, evals, and the audit trail — deploys inside your network. Model calls go to your private endpoint, telemetry is opt-in, and the air-gapped profile runs with no outbound connectivity at all. Your security team gets the same admin and audit surface either way.

Immutable audit trail

Routed 894 inbound leads

Arches agent · Policy: inbound-routing v3

1h ago

Approved spend-limit override ($9.2k)

D. Whitfield · Human-in-the-loop

4h ago

Blocked: contact export to unmanaged device

Arches agent · Guardrail enforced

6h ago

Deprovisioned 2 users (Okta)

SCIM sync · Joiner-mover-leaver

Yesterday

Exported audit pack (Q2)

R. Alvarez · Internal audit

Yesterday