Argus Vault

by ENTI

A multi-country digital records platform built for the people inside your organization — and the regulators outside it.

Play Demo

Learn More

ENTI · Especialistas Nacionales en Tecnología e Innovación · en-ti.com

Where do you keep your people's passports, contracts and IDs today?

ANSWER B

Shared drives and email attachments. Nobody is fully accountable.

ANSWER B

A legacy DMS bought a decade ago. Nobody fully trusts it anymore.

ANSWER C

A patchwork per country, per HR system, per audit cycle.

01 THE HOOK

If any of these is your answer, the next slide is for you.

Three quiet costs of fragmented people-records

02 THE COST OF DOING NOTHING

Not exotic risks — everyday operational drag, regulatory exposure and trust erosion.

OPERATIONAL DRAG

Time lost finding things

•HR and Legal spend hours per week chasing the latest version of a contract or ID across drives, mailboxes and tickets.

•Onboarding, audits and litigation requests all stall on the same bottleneck: search.

•The cost compounds with headcount and geography.

REGULATORY EXPOSURE

Multi-country compliance gap

•GDPR (EU), LGPD (BR), LFPDPPP (MX), Law 1581 (CO), HIPAA / CCPA (US) — each one has its own residency, retention and right-to-be-forgotten rules.

•A single shared drive cannot honor five regimes at once.

•Fines and audit findings are the obvious cost; deal velocity and brand trust are the silent ones.

TRUST EROSION

Who actually saw what?

•Without an immutable audit trail, you cannot answer the only question that matters during an incident.

•Insider misuse and accidental disclosure are the dominant data-loss vectors, not external attackers.

•Trust — from employees, regulators and customers — is built on provable accountability, not promises.

03 WHAT WE BUILT

One vault. Five jurisdictions. Zero ambiguity about who saw what.

Argus Vault is the digital records platform for the people inside your organization.

A purpose-built digital records system

Documents, images and personal information of employees, contractors, beneficiaries and customers — Ingested, classified, protected, served and disposed of under a single policy plane, with per-country data residency.

INGEST

Docs · Images

Forms · Scans

ARGUS
VAULT

SERVE

HR · Legal

Audit · Self-service

Audit trail · Retention · Disposal — applied at every stage

04 HOW IT WORKS

Every record follows the same four-stage lifecycle

Predictable, policy-driven, auditable — by design.

Bulk upload, drag & drop, API, watched mailbox or HR integration. OCR and de-duplication on the way in.

Ingest

Auto-tagging by document type, person, country and sensitivity. Policy is attached the moment a file lands.

Classify

Encryption at rest with KMS, RBAC + MFA on access, immutable audit log on every read. Search returns only what the user is entitled to see.

Protect & serve

Bulk upload, drag & drop, API, watched mailbox or HR integration. OCR and de-duplication on the way in.

Retain & Dispose

05 THE VAULT INSIDE

Defense in depth, not a single wall

Five concentric layers — every record passes through all of them, every time.

° Networking

Zero Trust mesh; mTLS between every service; no implicit trust inside the perimeter.

° Identity

Centralized IAM with phishing-resistant MFA; role-based and attribute-based access; just-in-time elevation.

° Data

Encryption at rest and in transit with FIPS-validated modules; per-tenant keys; cryptographic deletion.

° Audit

Immutable, WORM-protected log of every read, write and access decision; no admin can rewrite history.

One Policy Plane - applies at every stage — so retention, residency and access can be changed for an entire country with a single rule update.

06 SECURITY TECHNOLOGY STACK

Every security claim has a named technology behind it

No proprietary black boxes — proven open-source and FedRAMP-authorized AWS services.

IDENTITY · IAM

Keycloak

OAuth2 / OIDC / SAML, RBAC, FIDO2 / WebAuthn MFA, PIV/CAC support, federated SSO.

ZERO TRUST · NETWORK

Linkerd Service Mesh

Automatic mTLS between every pod, certificate rotation via trust anchor, L7 observability.

API GATEWAY

Apache APISIX

JWT validation, RBAC enforcement, rate limiting, request transformation at the edge.

CRYPTOGRAPHY · FIPS

AWS-LC FIPS + OpenSSL FIPS Provider

FIPS 140-2 / 140-3 validated modules; CMVP certificates; modules operate in declared FIPS mode.

KEY MANAGEMENT

AWS KMS · Systems Manager

HSMs validated FIPS 140-2 L2/L3 (GovCloud); SecureString for secrets; KMS-backed envelope encryption.

AUDIT · IMMUTABILITY

CloudTrail + S3 Object Lock (WORM)

Tamper-evident trail of every API call; bucket retention in Compliance Mode; 1 yr online + 2 yr offline.

07 COMPLIANCE READINESS

Compliance-ready for FedRAMP Moderate

Architecture aligned to NIST SP 800-53 Rev. 5 · deployable on AWS GovCloud · ATO path documented.

WHAT'S BUILT IN

Technical controls

•Centralized IAM with phishing-resistant MFA (Keycloak + FIDO2/WebAuthn).

•Zero Trust mesh with automatic mTLS (Linkerd).

•FIPS 140-2/140-3 validated cryptography (AWS-LC, OpenSSL FIPS).

•Immutable audit log (CloudTrail + S3 Object Lock WORM).

WHAT'S INHERITED

From AWS GovCloud

•Physical and environmental controls — fully inherited.

•Hypervisor and platform-layer hardening — inherited.

•KMS HSMs validated FIPS 140-2 Level 2/3.

•GuardDuty · Security Hub · Config · Inspector — FedRAMP-authorized.

WHAT'S NEXT

Path to ATO · 9–12 mo

•FIPS 199 categorization and Authorization Boundary.

•Full FedRAMP package (SSP, IRP, CP/DRP, POA&M).

•Independent assessment by an accredited 3PAO.

•Continuous Monitoring program operational.

TO BE PRECISE FedRAMP authorization (ATO) is granted to a specific deployment by an Authorizing Official — not to the product itself. Argus Vault provides the architecture and controls that make that authorization achievable.

ac3ee106-d8ac-4651-a4c1-bccf0225b9ca - Editado.png

08 MULTI-COUNTRY BY DESIGN

Designed for Cross-Border Data Residency

One platform Country-specific vaults Regulator-aligned by design

09 WHY ENTI

Built and operated by an established Mexican IT integrator

Argus Vault is a product of ENTI — not a reseller's wrapper.

+500

PROJECTS DELIVERED

OWN PRODUCT

Argus is ENTI's own platform — we control the roadmap, the SLAs and the price.

12

YEARS IN OPERATION

FULL-STACK PARTNER

Consulting, implementation, MSP and 24/7 NOC/SOC under one roof — no hand-off to third parties.

12

COMPANIES BACKED

REGULATED SECTORS

Hands-on experience with clients in regulated industries across México and LATAM.

10 WHAT'S DIFFERENT

How Argus Vault compares to the usual alternatives

Honest comparison — each option has its place; here is where it tends to break.

11 VS. PERMISSIONED BLOCKCHAIN

Records security needs a platform, not just a ledger

Honest comparison — including the three dimensions where blockchain genuinely wins.

Let's prove it on one of your real records.

THE ASK · NEXT STEP

1

martin-martz-C-CIUEr6Q0s-unsplash_edited

2

3

Half-day workshop

6-week PoC

Production rollout

Working session with your HR, Legal and Security leads to map one record type end-to-end.

One country, one population, one document type — measured against agreed success criteria.

Phased expansion country by country, with ENTI MSP operating the platform 24/7.