ArmorOS
Trust & security

Where your data lives, and how we handle it.

Plain-language description of the ArmorOS security posture — no marketing hedging, no unverifiable compliance claims.

Hosting

User authentication runs on AWS Cognito in GovCloud US-West (the federal region). The user pool identifier is public in every sign-in request and is not a secret. The GovCloud boundary is the important detail: it is the AWS region operated under FedRAMP High and ITAR/EAR controls and staffed only by US persons.

Application compute, database, and object storage are not yet in GovCloud; they run in AWS commercial (us-west-2) today. We’re explicit about that because some sites conflate “authenticates in GovCloud” with “fully in GovCloud”. ArmorOS does not hold the latter claim. Data-residency commitments for specific enterprise customers are handled on request.

FedRAMP status: ArmorOS is not FedRAMP-authorized. Cognito GovCloud, as a service, operates under FedRAMP High. The distinction matters for procurement — if your agency requires a FedRAMP-authorized product, ArmorOS is not a fit today. We welcome that conversation anyway.

Authentication + sessions

  • Passwords are stored and validated only by AWS Cognito. ArmorOS servers never see the plaintext password.
  • Sessions use two HS256-signed HTTP-only cookies (armor_session and armor_refresh) with SameSite=Lax, Secure, Path=/. The session cookie expires within the access-token window (≤1 hour) and is silently refreshed via the refresh cookie when you make a real navigation.
  • MFA is supported (TOTP via authenticator apps). Verified Industry tier requires MFA.
  • Sign-out calls Cognito GlobalSignOut, which revokes every refresh token issued to that user.
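
One way to check the cookie attributes listed above against a captured sign-in response, as an added example (not ArmorOS code). The header values are constructed samples, the function names are hypothetical, and the script assumes the session lifetime is sent as Max-Age.

```python
# Added example: audit Set-Cookie headers against the attributes stated above.
# All header values are constructed samples, not captured from ArmorOS.
SESSION_MAX_AGE = 3600  # "<= 1 hour"; assumes the lifetime is sent as Max-Age

GOOD = [
    "armor_session=aaa.bbb.ccc; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax",
    "armor_refresh=ddd.eee.fff; Path=/; HttpOnly; Secure; SameSite=Lax",
]
BAD = ["armor_session=aaa.bbb.ccc; Path=/; Max-Age=86400; Secure; SameSite=None"]


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    pair, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pair.partition("=")[0].strip(), attrs


def audit_cookies(headers):
    """Return findings; an empty list means every stated attribute is present."""
    seen = dict(parse_set_cookie(h) for h in headers)
    findings = []
    for name in ("armor_session", "armor_refresh"):
        if name not in seen:
            findings.append(f"{name}: not set")
            continue
        attrs = seen[name]
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}: missing {flag}")
        if attrs.get("samesite", "").lower() != "lax":
            findings.append(f"{name}: SameSite is not Lax")
        if attrs.get("path") != "/":
            findings.append(f"{name}: Path is not /")
        if name == "armor_session":
            age = attrs.get("max-age", "")
            if not (age.isdigit() and int(age) <= SESSION_MAX_AGE):
                findings.append(f"{name}: Max-Age absent or over {SESSION_MAX_AGE}s")
    return findings


if __name__ == "__main__":
    for label, headers in (("good", GOOD), ("bad", BAD)):
        print(label, audit_cookies(headers) or "ok")
```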

What we store

  • Account data: email, display handle, selected role hint, agency affiliation string. Email + Cognito sub (UUID) are the primary identifiers.
  • Verification documentation (Verified Industry applicants only): uploaded to a dedicated S3 bucket that is private, default-encrypted, and access-logged. Review is manual by SME reviewers; documents are retained for one year post-decision and deleted on request.
  • Community content: threads + posts are stored in Postgres, tied to your sub. Soft-delete preserves the audit trail; a removed post’s body is replaced with “[post removed by moderators]” but the row is retained.
  • Contact-form submissions are stored with a rolling 90-day retention and routed to an internal inbox by category.
  • Analytics: Google Analytics 4 + Plausible. GA4 runs under Consent Mode v2 — cookies are denied until you grant consent via the banner. Plausible is cookie-less. See the privacy policy for specifics.

Email authentication

Outbound email (verification codes, password resets, newsletter, operational alerts) is sent via AWS SES us-gov-west-1. SPF, DKIM, and DMARC are published on armor-os.com. Bounces and complaints are processed via SNS and drop the address into a suppression list so we can’t re-send to a known-bad recipient.

Cookies

We set three functional cookies (armor_session, armor_refresh, armoros_cookie_consent) and two GA4 cookies (_ga, _ga_*); the latter are denied by default until you grant consent. The full inventory and opt-out path are on the privacy page.

Report a security issue

Send vulnerability reports to [email protected]. We acknowledge receipt within one business day. Responsible disclosure is welcome; public write-ups are allowed 90 days after fix or by mutual agreement.