Purpose
This section is intended for information security and security review personnel at customer organizations. It documents ARGOS Identity’s communication architecture and data security policies.
- Uses standard security terminology and industry-standard protocol names
- Does not include internal resource identifiers (server names, function names, domains, etc.)
Target Audience
- Information security and security review personnel at customer organizations
- Personnel conducting data processing due diligence (data controller/processor relationships)
- Compliance / audit departments
- Backend development teams performing API integration
- Development teams building and operating Webhook receiving endpoints
ARGOS Service Categories
ARGOS Identity offers four service categories. The communication architecture and security policies for each category are covered in the sub-pages below.
Liveform
End-to-end identity verification service including a UI. End User ↔ Liveform UI ↔ API Gateway ↔ Verification Processing Layer. Hybrid payload encryption (RSA-2048 + AES-256-GCM), API Gateway authentication, Cloudflare Turnstile, Private Token.
Restful API
Server-to-Server API with no UI. Standard REST (GET/POST/PATCH/DELETE), Custom Domain + ACM TLS termination, API Key validation, optional payload encryption (AES-256), Rate Limiting / Usage Plan.
Webhook
Asynchronous result notification from ARGOS to customers. Two-stage pipeline (convergence layer + dispatch layer), TLS 1.2+, optional body encryption (AES-256), retry (exponential backoff), dispatch audit log, IP allowlist recommended.
Database
Internal data storage layer (AWS DynamoDB). SigV4 invocation, dual encryption (server-side + application-layer AES-256-GCM), VPC Gateway Endpoint, IAM isolation, PITR / CloudTrail.
ARGOS Security Policy Summary
Broadly Applied Policies
| Area | Implementation | Applied Categories |
|---|---|---|
| Transport Layer | TLS 1.2 or higher (HTTPS enforced at all external entry points) | Liveform · Restful API · Webhook · Database |
| Internal Auth & Signing | AWS IAM Role + Signature Version 4 (SigV4) | Liveform · Restful API · Webhook · Database |
| Key Management | AWS KMS (FIPS 140-2 Level 3 HSM-based) | Liveform · Restful API · Database (Webhook is a dispatch channel with no storage) |
| Encryption at Rest | DynamoDB / S3 server-side + sensitive fields AES-256 + KMS Customer-managed Key | Liveform · Restful API · Database (Webhook is an outbound channel) |
| IAM Least Privilege | Each service execution role is granted only the minimum permissions required | Database · Liveform (explicitly stated in source) |
| Environment Isolation | Live / Test separation (separate data, domains, and API Keys) | Database · Restful API · Webhook (explicitly stated in source) |
| Integrity (Transport Channel) | TLS 1.2+ built-in integrity (AEAD / HMAC) | Liveform · Restful API · Webhook · Database |
| Held Certifications | ISO/IEC 27001 (international standard for information security management systems) | Liveform · Restful API · Webhook · Database |
| AWS Infrastructure Certifications (inherited) | SOC 1·2·3 / ISO 27001·27017·27018 / PCI-DSS Level 1 / HIPAA Eligible / FedRAMP Moderate | Liveform · Restful API · Webhook · Database (Database additionally: IRAP, MTCS, FIPS 140-2 Level 3) |
| Data Subject Rights | Procedures for handling access, rectification, erasure, and portability requests under applicable privacy laws / GDPR | Liveform · Restful API · Webhook · Database |
Per-Category Specializations
| Category | Payload Encryption | External Authentication | Additional Protection |
|---|---|---|---|
| Liveform | RSA-2048 + OAEP + SHA-256 key exchange + AES-256-GCM body (hybrid scheme) | API Gateway API Key + IP allowlist (optional) + Private Token (JWT HMAC-SHA256) | Cloudflare Turnstile (bot/automation blocking) |
| Restful API | AES-256 (when project option Data Encryption is enabled) | API Gateway API Key + IP allowlist (optional, Lambda Authorizer) | API Gateway Usage Plan Rate Limiting |
| Webhook | AES-256 (when project option Data Encryption is enabled; signaled by X-Webhook-Encrypted: true header) | Sender-side verification — TLS certificate / IP allowlist / encryption mode header | Retry (exponential backoff, up to 3 attempts) + DLQ / Manual Replay |
| Database | Application-layer AES-256-GCM (sensitive fields) + server-side AES-256 (automatically applied to all data) | AWS IAM Role + SigV4 (no direct external access) | VPC Gateway Endpoint (forces backbone communication), MFA (console access) |