AegisAI
Posture summary

What's enforced today.

Identity

  • JWT verification (HS / RS / ES / PS) with JWKS rotation
  • Mandatory iss, aud, exp, nbf
  • Configurable clock-skew leeway
  • Admin role gate via require_admin

Authorisation

  • SAP BAPI_USER_GET_DETAIL walked, not stubbed
  • Per-object field-value enforcement with wildcards
  • Cross-cloud IAM (AWS / Azure / GCP) per system
  • Tenant isolation as a row policy

Data

  • Per-field classification × clearance × auth-object gate
  • PII regex defense for untagged fields
  • Drop / redact / hash / partial / aggregate strategies
  • Schema drift surfaces a hard failure, not a silent leak

Audit

  • SHA-256 hash chain, HMAC-signed
  • Postgres-backed; row-locked append
  • Public chain-integrity probe + admin-gated walk
  • Helm CronJob template ships with the chart

Failure model

  • Redis down → trust system fails closed
  • Postgres (audit) down → 503, never silent
  • JWKS down → 401, never default-allow
  • PRODUCTION refuses to start with default secrets

Operational

  • OpenTelemetry from day one (OTLP HTTP)
  • Structured logs with trace_id
  • Helm chart with non-root, read-only rootfs
  • Secrets-loader pluggable to KMS / Vault

Compliance roadmap

Where we are on each control framework.

No marketing-speak. We list the explicit status of each track so your compliance team can weigh it against their own cadence.

| Track | Status | Notes |
|---|---|---|
| SOC 2 Type I | In flight | Control mapping started against CC6 (logical access), CC7 (system operations), CC8 (change management). Auditor selection pending pilot revenue. |
| SOC 2 Type II | Roadmap | 12-month observation window starts after Type I. Targeting late 2026. |
| ISO 27001 | Roadmap | Aligned with SOC 2 Type I deliverables; adds Annex A control mapping. |
| External pen-test | Scheduled | Pre-pilot pen-test against a customer-shaped staging deploy. Findings published to design partners. |
| GDPR posture | Documented | Append-only audit conflicts with right-to-be-forgotten by definition. Reconciled by retention windows + data minimisation; documented in the deployment guide. |
| HIPAA | Not yet in scope | Possible after the SOC 2 milestone if a healthcare design partner emerges. |

Cryptography & secrets

What's signing, hashing, and rotating.

JWT

HS256, RS256, ES256, or PS256. JWKS-driven public-key rotation cached process-wide. Configurable issuer, audience, and clock-skew leeway. Admin-claim resolution accepts list, comma-separated, and space-separated encodings (Okta, Azure AD, PingFederate).

Audit HMAC

HMAC-SHA256 over sha256(prev_hash || canonical_json(payload)). The HMAC key (AEGIS_AUDIT_HMAC_KEY) is required in PRODUCTION; missing or default-shaped values are a hard startup blocker.
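
The chaining rule above, sketched as an added example (not AegisAI's own code): each entry's hash covers the previous hash plus the canonical payload, and the HMAC covers that hash, so verification reports the first entry that breaks. Assumptions: canonical JSON is sorted-key, compact, UTF-8; hashes are hex strings; the first entry links to an all-zero hash; the field names and sample events are constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed prev_hash for the first entry
# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "read", "decision": "allow"},
    {"actor": "bob", "action": "export", "decision": "deny"},
    {"actor": "carol", "action": "read", "decision": "allow"},
]

def canonical_json(payload):
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def link_hash(prev_hash, payload):
    # sha256(prev_hash || canonical_json(payload)), hex-encoded (assumed encoding).
    return hashlib.sha256(prev_hash.encode() + canonical_json(payload)).hexdigest()

def sign(key, digest):
    # HMAC-SHA256 over the link hash.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def append_entry(chain, payload, key):
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = link_hash(prev_hash, payload)
    chain.append({"prev_hash": prev_hash, "payload": payload,
                  "hash": digest, "sig": sign(key, digest)})
    return chain[-1]

def verify_chain(chain, key):
    """Return the index of the first entry that fails, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        digest = link_hash(prev_hash, entry["payload"])
        linked = entry["prev_hash"] == prev_hash and entry["hash"] == digest
        if not (linked and hmac.compare_digest(entry["sig"], sign(key, digest))):
            return i
        prev_hash = digest
    return None

def build_sample_chain(key):
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event, key)
    return chain
```

An entry whose hash was recomputed after an edit still fails verification, because the stored signature no longer matches without the HMAC key.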

Secrets resolution

core.secrets_loader is pluggable: env (default), AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault. Switching providers is an env-var change, not a code change.

Transport

HTTPS terminates at your reverse proxy (Hostinger, ALB, nginx, or your CDN). The gateway itself is a plain ASGI app — production deploys put it behind a TLS-terminating front door.

Responsible disclosure

If you find something, please tell us first.

Reporting

Email security@aegisai.store with a description of the issue, reproduction steps, and your timeline expectations. We acknowledge within two business days and aim to publish a fix within 30 days for high-severity issues.

For credit and coordinated disclosure, please give us 90 days from the acknowledgement date before going public. We do not currently run a paid bug-bounty programme; we will publicly credit you in the release notes if you'd like.

Talk to us about your compliance posture.

If your auditor has a list, we'd like to see it. We can run through it line by line on a 30-minute call.
