# Security Controls
The master list of security controls implemented in the platform. Each control maps to one or more compliance frameworks.
## Identity & access

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Strong authentication | Cognito + MFA enforcement for admins | CE, ISO A.9.4, SOC2 CC6.1 |
| SSO federation | SAML 2.0 with tenant IdPs (Entra ID) | ISO A.9.2, SOC2 CC6.1 |
| RBAC | 7 roles enforced at the API layer | ISO A.9.2, SOC2 CC6.3 |
| Least privilege | IAM users have only the permissions they require | CE, ISO A.9.1, SOC2 CC6.3 |
| Password policy | Cognito enforces complexity and length | CE, ISO A.9.4 |

## Data protection

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Encryption at rest | RDS, S3, EBS encrypted via KMS | CE, ISO A.10.1, SOC2 CC6.7 |
| Encryption in transit | TLS 1.2+ enforced everywhere | CE, ISO A.10.1, SOC2 CC6.7 |
| Tenant isolation | Schema-per-tenant in PostgreSQL | ISO A.13.2, SOC2 CC6.6 |
| Backup encryption | RDS automated backups encrypted | ISO A.12.3, SOC2 A1.2 |

## Network security

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Network segmentation | 3-tier VPC (public/private/data) | CE, ISO A.13.1, SOC2 CC6.6 |
| WAF | CloudFront WAF, OWASP managed rules | CE, ISO A.13.1, SOC2 CC6.6 |
| DDoS protection | AWS Shield Standard | ISO A.13.1, SOC2 CC9.1 |
| VPC Flow Logs | Enabled, retained 90 days | ISO A.12.4, SOC2 CC7.2 |

## Monitoring & audit

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Application audit log | Every write to entity tables logged | ISO A.12.4, SOC2 CC7.2 |
| Infrastructure audit log | CloudTrail enabled, 7-year retention | ISO A.12.4, SOC2 CC7.2 |
| Anomaly detection | CloudWatch alarms on key metrics | ISO A.16.1, SOC2 CC7.2 |
| Centralised logging | CloudWatch Logs + Sentry | ISO A.12.4, SOC2 CC7.2 |

## Software security

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Dependency scanning | Dependabot + npm audit + pip-audit | CE, ISO A.12.6, SOC2 CC7.1 |
| Image scanning | ECR image scanning, Trivy in CI | CE, ISO A.12.6, SOC2 CC7.1 |
| SAST | Ruff, ESLint security plugins | ISO A.14.2, SOC2 CC7.1 |
| Pen testing | Annual external test | ISO A.12.6, SOC2 CC4.1 |

## Operations

| Control | Implementation | Frameworks |
| --- | --- | --- |
| Change management | All changes via PR with required review | ISO A.12.1, SOC2 CC8.1 |
| Configuration management | Terraform for all infrastructure | ISO A.12.1, SOC2 CC8.1 |
| Patching | Fargate managed updates, Dependabot | CE, ISO A.12.6 |
| Incident response | Documented IR plan, runbooks | ISO A.16.1, SOC2 CC7.3 |
| Business continuity | Multi-AZ RDS, automated backups | ISO A.17.1, SOC2 A1.2 |

## Privacy

| Control | Implementation | Frameworks |
| --- | --- | --- |
| GDPR data export | Tenant admin can export a person's data | GDPR Art. 15 |
| GDPR deletion | Right-to-erasure tooling, anonymisation | GDPR Art. 17 |
| Data residency | UK and EU regions only | GDPR Art. 44 |
| Data Processing Agreement | Template, signed before activation | GDPR Art. 28 |
| Retention policies | Configurable per tenant | GDPR Art. 5 |