Reading note. This page is the source of truth for due-diligence questionnaires. Don't claim certifications we don't have. SOC2 Type I and Type II are different; only Type II carries weight.
  • SOC2 Type II: ~30%, controls drafted
  • GDPR: Compliant, DPA template + DPO retainer
  • Pentest: Not yet, scheduled Q3 2026
  • Dependency audit: Weekly, pip-audit + npm audit

Certifications & audits

| Item | Status | Notes |
|---|---|---|
| SOC2 Type II | In progress | Controls drafted in Vanta. Type I audit Q3 2026, Type II report ~Q1 2027. |
| ISO 27001 | Not started | EU prospects prefer this over SOC2. Decide Q4 2026 whether to add or skip. |
| Annual penetration test | Scheduled | Vendor: TBD (Securify / Computest / Outpost24 in scope). ~€15k/yr. |
| HIPAA BAA-readiness | Partial | HIPAA audit-pack template implemented. BAA contract template draft. Encryption at rest ✓. |
| GDPR Article 32 | Compliant | DPA template ready. DPO retainer engaged. Art. 17 erasure flow + Art. 20 portability built-in. |
| Cyber insurance | Quotes received | €5M coverage target. Quote contingent on SOC2 Type I completion. |

Security controls (CLAUDE.md durable invariants)

| Control | State | Where |
|---|---|---|
| audit_event immutable | Enforced | Postgres trigger (migration 0139) |
| Chain-hash on audit | Enforced | SHA256 prev + canonical row. Verify via /audit/verify-chain |
| Signed audit export | Enforced | HMAC-SHA256 NDJSON via /audit/export |
| Vault encryption | Enforced | AES-256-GCM. Key on separate disk (security rule #4). |
| JWT secret rotation | Manual | Quarterly via AWS Secrets Manager. Automate Q3. |
| MFA + password policy | Per-tenant | tenant_password_policy + TOTP MFA challenge flow |
| SSRF guard on tunnel mode | Enforced | Agent refuses any URL not starting with allowed_base_url |
| GDPR Art. 17 erasure | Enforced | Pseudonymisation; preserves audit_event per Art. 17(3)(b) |
| Hard-delete tenant | Gated | OFFBOARDING-status + typed-confirm. FK-cycle auto-break. |
| Production guards on secrets | Enforced | IGA_VAULT_MASTER_KEY required if APP_ENV=production |
| PyJWT (no python-jose) | Migrated | CVE chain in python-jose; PyJWT 2.x. Don't reintroduce. |
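
The "Chain-hash on audit" control (SHA256 over the previous hash plus the canonical row) sketched as an added example; this is not the project's code and not what /audit/verify-chain necessarily runs. The compact sorted-key JSON canonical form, the all-zero genesis value and the field names `prev_hash` / `row_hash` are assumptions, and the sample rows are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash of the first row is 64 zeros
CHAIN_FIELDS = ("prev_hash", "row_hash")


def canonical(row):
    """Assumed canonical form: chain fields removed, sorted keys, compact JSON."""
    body = {k: v for k, v in row.items() if k not in CHAIN_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def row_hash(prev_hash, row):
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(row)).hexdigest()


def append(chain, row):
    prev = chain[-1]["row_hash"] if chain else GENESIS
    chain.append({**row, "prev_hash": prev, "row_hash": row_hash(prev, row)})


def verify_chain(chain, expected_head=None):
    """Return (ok, index of first bad row). expected_head is a head hash kept outside the table."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev or row["row_hash"] != row_hash(prev, row):
            return False, i
        prev = row["row_hash"]
    # Without a pinned head, a chain whose newest rows were dropped still verifies.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def sample_chain():
    """Constructed sample rows, not real audit data."""
    chain = []
    for i, action in enumerate(["login", "role.grant", "vault.read"], start=1):
        append(chain, {"id": i, "actor": "alice", "action": action,
                       "at": f"2026-06-01T10:0{i}:00Z"})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["row_hash"]  # record this outside the database
    print("tail dropped, no pinned head:", verify_chain(chain[:-1]))
    print("tail dropped, pinned head:", verify_chain(chain[:-1], head))
    chain[1]["action"] = "role.revoke"  # in-place edit of one row
    print("row edited:", verify_chain(chain, head))
```

The pinned-head case is why the chain is paired with the signed export: the head hash has to be recorded somewhere the database writer cannot change.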

Dependency audit

Workflow .github/workflows/dependency-audit.yml runs:

  • pip-audit --strict on backend (PR + push + weekly Monday 06:00 UTC)
  • npm audit --omit=dev --audit-level=high on frontend
  • Accepted-risk CVEs in backend/.audit-ignore with explicit justification
  • Local: ./scripts/audit_deps.sh

Current accepted risks: 0 (as of last weekly run). Recheck .audit-ignore for stale exemptions.

Infrastructure security

| Layer | Control | State |
|---|---|---|
| Network | VPC private subnets for RDS | Enforced |
| Network | Security groups: EC2 → RDS port 5432 only | Enforced |
| Storage | RDS encryption at rest (KMS) | Enforced |
| Storage | S3 SSE encryption default | Enforced |
| Storage | S3 bucket policies: block public access | Enforced |
| Auth | EC2 IAM role (no long-lived keys) | Enforced |
| Auth | Secrets Manager for DB pw + vault key | Enforced |
| Edge | TLS 1.2+ enforced on ALB | Enforced |
| Edge | Wildcard cert via Let's Encrypt DNS-01 | Enforced |
| Edge | WAF on ALB (managed rules) | Pending |
| Observability | CloudWatch alarms on RDS connections | Partial |
| Observability | GuardDuty enabled | Not enabled |
| Backup | RDS automated snapshots (7d) | Enforced |
| Backup | Daily S3 pgdump for Business+ tiers | Enforced |
| Backup | Monthly tested restore drill | Workflow scheduled |

Open security risks

  1. Single-region eu-west-1 for staging + prod. Region outage = full downtime. Mitigation: cross-region snapshot copy nightly to eu-central-1 (covers data-loss only, not RTO).
  2. No WAF in production yet — manual rules pending. Risk: known-pattern attack surfaces. Mitigation timeline Q3.
  3. No GuardDuty — VPC flow log anomaly detection not active. Cost $1/GB analyzed; low at current scale.
  4. JWT secret rotation manual — quarterly cadence depends on team discipline. Automate via Lambda + CloudWatch Events.
  5. EC2 instance not in TF state for staging — per CLAUDE.md infra/terraform/STAGING_DRIFT.md. Manual config drift risk.
  6. Tier-3 agent: customer-side key compromise = full credential exposure. Mitigation: agent vault encryption + UC1 external key sources.

Incident-history (since 2026-05)

| Date | Severity | Title | Resolution |
|---|---|---|---|
| 2026-05-30 | P2 | Wizard 500 — missing enum migration | Migration 0165 added 2 enum values. Auto-deploy fix < 5 min. |

Post-mortems land in docs/postmortems/ after every P1/P2.