Trust

Security at Argus

How we handle the operational data you trust us with: encryption, isolation, privacy, and how to report a vulnerability.

Argus is built and operated by Ekarche. The security posture below applies across every Ekarche product.

Responsible disclosure

If you believe you’ve found a security vulnerability in Argus, please report it to hello@ekarche.com. We acknowledge reports within 2 business days and provide a substantive response within 7 business days.

Please don’t exploit the vulnerability beyond what’s necessary to demonstrate the issue, don’t access customer data that isn’t yours, and give us a reasonable window to remediate before public disclosure. We do not currently run a paid bug-bounty program, but we are happy to credit researchers publicly with their permission.

How we protect customer data

Encryption

  • In transit: all traffic is encrypted with modern TLS. HSTS is enforced in production.
  • At rest: customer incidents, operational data, and extracted data are encrypted at rest. Sensitive secrets and credentials are additionally encrypted with an application-layer key.
  • Webhooks: outbound webhooks are signed so your endpoint can verify they came from us and weren’t altered in flight.

Workspace isolation

  • Every request is scoped to the calling workspace. Cross-workspace access is prevented at the data layer.
  • API keys are workspace-scoped — a key from one workspace cannot read another workspace’s data.
  • Bring-your-own storage is available on Enterprise.

Authentication

  • Multi-factor authentication is available on every account and can be required for sensitive actions.
  • Single sign-on is available for Enterprise customers, with per-workspace identity-provider configuration.
  • Sessions are revocable; users can review and revoke active sessions from their profile.

Privacy

  • We do not train AI models on your incidents or operational data. Inference runs against approved providers under contractual zero-retention terms.
  • Data export and account deletion are self-service. See our privacy policy for details.

Subprocessors

Argus uses subprocessors in the categories below. Customers are notified at least 30 days in advance of any new subprocessor that processes their operational data.

| Category | Purpose |
| --- | --- |
| Cloud infrastructure | Compute, managed database, and object storage that power the service. |
| AI inference | AI severity classification, embeddings, and similar-incident search. Enterprise customers can route inference to dedicated or self-hosted environments. |
| Email delivery | Transactional emails: sign-in, alerts, billing receipts. |
| Payment processing | Billing data only. Payment processors never receive customer incidents, operational data, or extracted content. |

The current named subprocessor register is available under DPA — email hello@ekarche.com to request it. Customer-initiated integrations (e.g. QuickBooks, Xero) are not subprocessors of Argus in the GDPR sense — the customer is the data exporter; we are the data sender on the customer’s behalf.

Security & compliance posture

We design and operate against widely accepted security frameworks and care deeply about getting this right. We are not yet third-party audited; formal attestation is on our roadmap. In the meantime, we’re happy to walk customers through our controls and complete security questionnaires under NDA.

  • GDPR: data export and deletion are self-service. EU data residency is available on Enterprise plans.
  • HIPAA: not currently in scope. Reach out if your use case requires a BAA — we evaluate case by case.