> ## Documentation Index
> Fetch the complete documentation index at: https://developers.argosidentity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Communication & Security Overview

> An overview of ARGOS Identity's network communication architecture and data security policies. Covers four service categories (Liveform, Restful API, Webhook, Database) and common security principles.

## Purpose

This section is intended for information security and security review personnel at customer organizations. It documents ARGOS Identity's communication architecture and data security policies.

* Uses standard security terminology and industry-standard protocol names
* Does not include internal resource identifiers (server names, function names, domains, etc.)

## Target Audience

* Information security and security review personnel at customer organizations
* Personnel conducting data processing due diligence (data controller/processor relationships)
* Compliance / audit departments
* Backend development teams performing API integration
* Development teams building and operating Webhook receiving endpoints

## ARGOS Service Categories

ARGOS Identity offers four service categories. The communication architecture and security policies for each category are covered in the sub-pages below.

<CardGroup cols={2}>
  <Card title="Liveform" icon="window" href="/en/idcheck/network-security/liveform">
    End-to-end identity verification service including a UI. End User ↔ Liveform UI ↔ API Gateway ↔ Verification Processing Layer. Hybrid payload encryption (RSA-2048 + AES-256-GCM), API Gateway authentication, Cloudflare Turnstile, Private Token.
  </Card>

  <Card title="Restful API" icon="code" href="/en/idcheck/network-security/restful-api">
    Server-to-Server API with no UI. Standard REST (GET/POST/PATCH/DELETE), Custom Domain + ACM TLS termination, API Key validation, optional payload encryption (AES-256), Rate Limiting / Usage Plan.
  </Card>

  <Card title="Webhook" icon="bell" href="/en/idcheck/network-security/webhook">
    Asynchronous result notification from ARGOS to customers. Two-stage pipeline (convergence layer + dispatch layer), TLS 1.2+, optional body encryption (AES-256), retry (exponential backoff), dispatch audit log, IP allowlist recommended.
  </Card>

  <Card title="Database" icon="database" href="/en/idcheck/network-security/database">
    Internal data storage layer (AWS DynamoDB). SigV4 invocation, dual encryption (server-side + application-layer AES-256-GCM), VPC Gateway Endpoint, IAM isolation, PITR / CloudTrail.
  </Card>
</CardGroup>

## ARGOS Security Policy Summary

### Broadly Applied Policies

| Area                                          | Implementation                                                                                                        | Applied Categories                                                                                  |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
| Transport Layer                               | TLS 1.2 or higher (HTTPS enforced at all external entry points)                                                       | Liveform · Restful API · Webhook · Database                                                         |
| Internal Auth & Signing                       | AWS IAM Role + Signature Version 4 (SigV4)                                                                            | Liveform · Restful API · Webhook · Database                                                         |
| Key Management                                | AWS KMS (FIPS 140-2 Level 3 HSM-based)                                                                                | Liveform · Restful API · Database (Webhook is a dispatch channel with no storage)                   |
| Encryption at Rest                            | DynamoDB / S3 server-side + sensitive fields AES-256 + KMS Customer-managed Key                                       | Liveform · Restful API · Database (Webhook is an outbound channel)                                  |
| IAM Least Privilege                           | Each service execution role is granted only the minimum permissions required                                          | Database · Liveform (explicitly stated in source)                                                   |
| Environment Isolation                         | Live / Test separation (separate data, domains, and API Keys)                                                         | Database · Restful API · Webhook (explicitly stated in source)                                      |
| Integrity (Transport Channel)                 | TLS 1.2+ built-in integrity (AEAD / HMAC)                                                                             | Liveform · Restful API · Webhook · Database                                                         |
| Held Certifications                           | ISO/IEC 27001 (international standard for information security management systems)                                    | Liveform · Restful API · Webhook · Database                                                         |
| AWS Infrastructure Certifications (inherited) | SOC 1·2·3 / ISO 27001·27017·27018 / PCI-DSS Level 1 / HIPAA Eligible / FedRAMP Moderate                               | Liveform · Restful API · Webhook · Database (Database additionally: IRAP, MTCS, FIPS 140-2 Level 3) |
| Data Subject Rights                           | Procedures for handling access, rectification, erasure, and portability requests under applicable privacy laws / GDPR | Liveform · Restful API · Webhook · Database                                                         |

### Per-Category Specializations

| Category    | Payload Encryption                                                                                         | External Authentication                                                            | Additional Protection                                                      |
| ----------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| Liveform    | RSA-2048 + OAEP + SHA-256 key exchange + AES-256-GCM body (hybrid scheme)                                  | API Gateway API Key + IP allowlist (optional) + Private Token (JWT HMAC-SHA256)    | Cloudflare Turnstile (bot/automation blocking)                             |
| Restful API | AES-256 (when project option `Data Encryption` is enabled)                                                 | API Gateway API Key + IP allowlist (optional, Lambda Authorizer)                   | API Gateway Usage Plan Rate Limiting                                       |
| Webhook     | AES-256 (when project option `Data Encryption` is enabled; signaled by `X-Webhook-Encrypted: true` header) | Sender-side verification — TLS certificate / IP allowlist / encryption mode header | Retry (exponential backoff, up to 3 attempts) + DLQ / Manual Replay        |
| Database    | Application-layer AES-256-GCM (sensitive fields) + server-side AES-256 (automatically applied to all data) | AWS IAM Role + SigV4 (no direct external access)                                   | VPC Gateway Endpoint (forces backbone communication), MFA (console access) |
