Security & Compliance
The platform targets three certification frameworks: Cyber Essentials Plus, ISO 27001, and SOC 2 Type II (Cyber Essentials and SOC 2 Type I are intermediate milestones on the roadmap below), alongside its GDPR data-protection obligations. This section documents the controls, the evidence collected for each, and the audit materials.
In this section
- Security Controls — the master control list
- Threat Model — STRIDE analysis
- GDPR — data protection compliance
- Cyber Essentials — UK certification
- ISO 27001 Mapping — Annex A control mapping
- SOC 2 Mapping — Trust Services Criteria mapping
- Pen Test Reports — annual external testing
Compliance roadmap
| Framework | Target | Status |
|---|---|---|
| Cyber Essentials | Phase 3 (Week 38) | Planned |
| Cyber Essentials Plus | Month 10 | Planned |
| SOC 2 Type I | Month 12 | Planned |
| ISO 27001 | Month 18 | Planned |
| SOC 2 Type II | Month 24 | Planned |
The ordering is deliberate. Cyber Essentials Plus is an independent technical assessment layered on the Cyber Essentials self-assessment and must be completed within three months of the basic certificate, hence the short gap between the two. SOC 2 Type I attests that controls are suitably designed at a point in time; Type II additionally attests that they operated effectively over an observation period, which is why it follows Type I by a year and why evidence collection has to be running continuously from Month 12 onwards.
Security culture
Security is not a phase — it's embedded in every PR, every deployment, every architectural decision.
- Everyone is responsible — security isn't a separate team
- Defence in depth — multiple layers, assume any one will fail
- Least privilege — every credential, role, and permission scoped narrowly
- Audit everything — if it touches data, it's logged
- Encrypt by default — in transit and at rest, no exceptions
Reporting a security issue
Internal: post in the #security-private Slack channel.
External: email security@platform.com (the PGP key is published on the website; encrypt reports that contain exploit details).