Security

How Archipelag.io protects your data and ensures secure compute operations.

Security is fundamental to Archipelag.io. We’ve designed our platform with security at every layer, ensuring both consumers and Islands can participate safely in our distributed compute network.

Security Architecture

Zero-Trust Model

We operate on a zero-trust security model where:

  • Consumers don’t trust Islands: All consumer data is encrypted and Islands never see plaintext content
  • Islands don’t trust Cargos: All Cargos run in isolated containers with strict resource limits
  • The coordinator is the authority: Cryptographically signed Cargos and authenticated communications

Encryption

  • In Transit: All communications use TLS 1.3 with modern cipher suites
  • At Rest: Sensitive data encrypted using AES-256-GCM
  • Cargo Data: End-to-end encryption for sensitive Cargo payloads
  • API Keys: Hashed using Argon2id before storage

Workload Isolation

Every Cargo on our network runs in complete isolation:

  • Container Sandboxing: Docker containers with seccomp profiles and AppArmor
  • Resource Limits: Strict CPU, memory, and network quotas
  • No Persistent Storage: Cargos cannot write to Island filesystems
  • Network Restrictions: Outbound-only connections, no Island network access
  • Signed Images: Only cryptographically signed container images can execute

Island Security

Agent Security

The Archipelag.io Island software is designed with security as a priority:

  • Written in Rust: Memory-safe language eliminates entire classes of vulnerabilities
  • Minimal Privileges: Runs with least-privilege access
  • Automatic Updates: Security patches delivered automatically
  • Open Source: Agent code is available for security review

Network Security

  • Outbound-Only: Islands never accept inbound connections
  • WireGuard VPN: Encrypted tunnels for all coordinator communication
  • No Port Forwarding: No router configuration or firewall changes required
  • IP Anonymization: Consumer IPs are not shared with Islands

Consumer Security

Account Protection

  • Strong Password Requirements: Minimum 12 characters with complexity requirements
  • OAuth Integration: Secure authentication via GitHub
  • Session Management: Automatic session expiration and secure token handling
  • API Key Scoping: Fine-grained permissions for API keys

Data Protection

  • Regional Processing: Data processed in your geographic region by default
  • No Data Retention: Cargo inputs and outputs not stored after completion
  • Audit Logging: Complete audit trail of account and API activity
  • Right to Deletion: Request complete data deletion at any time

Audit Logging

  • Hash-Chained Logs: Immutable audit trail with tamper detection via hash chaining
  • Trust Events: All approvals, rejections, and suspensions are logged with full context
  • Security Incidents: Automated incident recording with forensic detail
  • Chain Verification: Integrity of the audit log can be verified at any time

Rate Limiting & Abuse Prevention

  • API Rate Limiting: 100 requests per minute per API key
  • Authentication Rate Limiting: 5 requests per minute for magic link login
  • Input Validation: Message content capped at 32KB, job input at 256KB, max 128 messages per request
  • Body Size Limits: 1MB maximum request body

Infrastructure Security

Platform Security

  • EU Data Centers: Primary infrastructure hosted in EU data centers
  • DDoS Protection: Multi-layer DDoS mitigation
  • Web Application Firewall: Protection against common web attacks
  • Regular Penetration Testing: Third-party security assessments

Monitoring & Response

  • 24/7 Monitoring: Automated security monitoring and alerting
  • Incident Response: Documented procedures for security incidents
  • Vulnerability Management: Regular scanning and patching
  • Security Logging: Comprehensive logging for forensic analysis

Compliance

We maintain security practices aligned with:

  • GDPR: EU data protection requirements
  • SOC 2 Type II: (In progress) Security, availability, and confidentiality controls
  • ISO 27001: (Planned) Information security management

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

Reporting a Vulnerability

If you discover a security issue, please report it to:

Email: hey@archipelag.io

PGP Key: A security.txt file with our PGP key is planned and will be available at /.well-known/security.txt

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional, for follow-up)

Our Commitment

  • Acknowledgment: We’ll acknowledge receipt within 24 hours
  • Assessment: Initial assessment within 72 hours
  • Resolution: Critical issues addressed within 7 days
  • Credit: Public acknowledgment for responsible disclosures (if desired)
  • No Legal Action: We will not pursue legal action against good-faith researchers

Scope

In-scope systems include:

  • archipelag.io and all subdomains
  • api.archipelag.io
  • The Island software
  • Mobile applications

Out of scope:

  • Third-party services (Stripe, GitHub)
  • Social engineering attacks
  • Physical attacks
  • Denial of service testing

Security Best Practices

For Users

  1. Use Strong Passwords: Or sign in with GitHub for OAuth security
  2. Protect API Keys: Never commit keys to version control
  3. Monitor Usage: Review your account activity regularly
  4. Enable Notifications: Get alerts for account changes
  5. Report Suspicious Activity: Contact us if you notice anything unusual

For Islands

  1. Keep Systems Updated: Enable automatic updates for the Island software
  2. Secure Your Network: Use a firewall and secure your home network
  3. Monitor Resources: Watch for unusual CPU or network activity
  4. Dedicated Hardware: Consider using dedicated hardware for contributing compute
  5. Review Logs: Periodically review Island logs for anomalies

Security Updates

We publish security advisories for significant issues at:

  • Status Page: status.archipelag.io (coming soon)
  • Email Notifications: Security alerts sent to registered users
  • GitHub: Security advisories in our public repositories

Contact

For security questions or concerns:

Security is an ongoing process. We continuously improve our security posture and welcome feedback from our community.