Skip to content

Control mapping (SOC 2 / HIPAA / GDPR)

Control Standard Implementation
Access control SOC2 CC6, HIPAA §164.312(a) RBAC, JWT, optional SSO/MFA
Encryption at rest SOC2 CC6, HIPAA §164.312(a)(2)(iv) age file encryption; optional PHI field encryption
Audit logging SOC2 CC7, HIPAA §164.312(b) Signed append-only audit log
Tenant isolation GDPR Art. 32 App-layer + optional PostgreSQL RLS
Session management SOC2 CC6 Redis session store, logout, revoke
Password policy SOC2 CC6 Min length, complexity, optional HIBP
Backup & recovery SOC2 A1 pg_dump, S3, restore API
Monitoring SOC2 CC7 Prometheus, OTEL, health probes
DSAR GDPR Art. 15–17 DSAR export/erase API
Vendor management SOC2 CC9 Subprocessors list

Evidence: CI test results, audit exports, access reviews (quarterly).