Security & Compliance
AIOProductOS maintains active readiness across 18 compliance frameworks. Every control below is tracked in our live registry and shown in real time. Controls are self-assessed; formal certification audits are scheduled per framework and per customer demand.
GDPR — fully implemented
All 33 of 33 GDPR-mapped controls in our registry pass. Article 28 processor flow-down, Article 30 ROPA, Article 32 security, Article 33–34 breach notification, Article 44–46 international transfers (SCCs), and the full data-subject rights track (Articles 15–22).
/dpa · /privacy · /subprocessors · /cookies
18
160
144
Certification targets
SOC 2 Type II
ISO 27001:2022
GDPR
CCPA + US state
EU AI Act
WCAG 2.2 AA
Readiness packages
HIPAA
HITRUST CSF
FedRAMP Tailored
PCI DSS SAQ-A
ISO 27017
ISO 27018
ISO 27701
ISO 42001
CMMC L2
SOX (vendor)
EU NIS2
EU DORA
Control registry
A. Governance & policies
- Information Security PolicyImplemented
- Acceptable Use PolicyImplemented
- Access Control PolicyImplemented
- Data Classification PolicyImplemented
- Encryption PolicyImplemented
- Vulnerability Management PolicyImplemented
- Incident Response PlanImplemented
- Business Continuity & DR PlanImplemented
- Vendor Management PolicyImplemented
- Change Management PolicyImplemented
- Data Retention & Deletion PolicyImplemented
- HR / Personnel Security PolicyImplemented
- Code of ConductImplemented
- Risk Assessment 2026Implemented
- Article 30 Records of ProcessingImplemented
- DPIA — AI ProcessingImplemented
- AI Governance PolicyImplemented
B. Access control
- Multi-tenant RLS on all tablesImplemented
- MFA enforcement on staff accountsIn progress
- Quarterly access review toolImplemented
- Privileged access mgmt + key rotationIn progress
- Leaked-password protection toggleImplemented
- Password policy (min 12, complexity)Implemented
- Session timeout policy (idle 24h/max 30d)Implemented
- RBAC restrictive app.is_admin (0065)Implemented
- Service-role-only on sensitive RPCsImplemented
- Audit log table + console viewerImplemented
- Avatars listing lockedImplemented
- Function grants tightenedImplemented
- Function search_path pinnedImplemented
- SAML SSO (Business tier)In progress
- SCIM provisioningIn progress
C. Encryption
- TLS 1.2+ in transitImplemented
- HSTS preload submissionIn progress
- DB encryption-at-rest documentedImplemented
- AES-256 at restImplemented
- HTTP security headersImplemented
- Secrets in env vars not codeImplemented
- .env gitignoredImplemented
- EU+US region pinning byte-parityImplemented
- Key management documentedImplemented
- Secret rotation schedule (90d)Implemented
- Secret scanning in CI (gitleaks)Implemented
D. Vulnerability mgmt
- Supabase advisor checks (monthly)Implemented
- /.well-known/security.txtImplemented
- Responsible disclosure policyImplemented
- Patching SLA (crit<7d..low<180d)Implemented
- CVE response runbook + console trackerImplemented
- Rate limiter on ingest/AI/regionImplemented
- PostgREST 1000-row cap fixedImplemented
- Identity-stitch fast-path repairImplemented
- Webhook delivery atomic claimImplemented
- Annual third-party pentestIn progress
- Dependabot on all reposImplemented
- CodeQL SAST in CIIn progress
- DAST scan quarterly (ZAP)Implemented
E. Logging & monitoring
- Application audit logImplemented
- /api/health/deepImplemented
- Connector failure alertingImplemented
- Cron time-budgets + alertingImplemented
- Log aggregation documentedImplemented
- Failed-login monitoringImplemented
- Alert routing matrixImplemented
- Log retention >=12 monthsIn progress
- Anomaly detection on audit logIn progress
F. Backup & recovery
- Supabase PITR enabled both regionsIn progress
- Document RTO 4h / RPO 1hIn progress
- Quarterly DR drillIn progress
- Backup verification automationImplemented
- Cross-region failover runbookImplemented
- Full-org data export (Art 20)Implemented
G. Incident response
- Incident Response Plan documentImplemented
- Breach notification template (72h)Implemented
- Postmortem templateImplemented
- Tabletop exerciseImplemented
- On-call rotation documentedImplemented
- Incident dashboard in consoleImplemented
- Status page integrationImplemented
H. Vendor management
- Subprocessor registry in consoleImplemented
- Initial subprocessor listImplemented
- DPAs signed with each subprocessorImplemented
- Annual vendor review automationIn progress
- Public /subprocessors pageImplemented
- Vendor change notification (30d)Implemented
I. Change management
- Git-based change controlImplemented
- Branch protection on mainImplemented
- CI tests on every PRImplemented
- Change-management policy docImplemented
- Deployment audit logImplemented
- Emergency change procedureImplemented
J. HR / personnel
- Confidentiality agreements signedImplemented
- IP assignment signedImplemented
- Background check policyImplemented
- Onboarding checklistImplemented
- Offboarding checklistImplemented
- Annual security trainingIn progress
- Code of Conduct signedImplemented
K. Endpoint security
- Prod in cloud (inherited physical)Implemented
- Workstation encryption (FileVault)Implemented
- Screen lock policy (5 min)Implemented
- MDM deferred until >5 peopleIn progress
- Workstation password policyImplemented
L. GDPR + CCPA
- Full-org data export (Art 20)Implemented
- Self-serve account deletionImplemented
- Data retention schedule per typeImplemented
- Standard Contractual ClausesImplemented
- Privacy policy audit + augmentImplemented
- DSAR process + console queueImplemented
- Right-to-rectification (Art 16)Implemented
- US state privacy noticesImplemented
- Right-to-deletion org-level (Art 17)Implemented
- Region pinning EU/USImplemented
- Lawful basis (consent+contract)Implemented
- Article 30 records of processingImplemented
- DPIA for AI processingImplemented
- DPO contact / no-DPO statementImplemented
- CCPA Do-Not-Sell linkImplemented
- Cookie consent flow (opt-out)Implemented
M. EU AI Act
- AI inventory + risk classificationImplemented
- AI transparency badges (Art 50)Implemented
- AI chatbot disclosureImplemented
- Training-data documentationImplemented
- Art 22 opt-out automated decisionsImplemented
- AI Use & Limitations pageImplemented
- Model cards per AI featureImplemented
- AI decision audit logImplemented
N. WCAG 2.2 AA
- axe/Lighthouse audit key surfacesImplemented
- Accessibility statement pageImplemented
- Keyboard nav all surfacesImplemented
- Screen reader pass top 5Implemented
- Color contrast AA 4.5:1Implemented
- Form labels + ARIA auditIn progress
- Focus indicators visibleImplemented
- Skip-to-content linksImplemented
- Reduced motion respectedImplemented
- axe-core in CIImplemented
O. Public artifacts
- /trust pageImplemented
- /.well-known/gpc.jsonImplemented
- /security pageImplemented
- /privacy pageImplemented
- /cookies pageImplemented
- /subprocessors pageImplemented
- /dpa page (self-serve Art 28 DPA)Implemented
- security.txt publishedImplemented
- /ai-transparency pageImplemented
Q. Console surfaces
- Compliance DashboardImplemented
- Vendor registry surfaceImplemented
- Evidence collectorImplemented
Y. Extended frameworks
- HIPAA readiness package + BAAImplemented
- SOX vendor ITGC mappingImplemented
- EU NIS2 vendor questionnaireImplemented
- EU DORA vendor questionnaireImplemented
- HITRUST CSF control mappingImplemented
- FedRAMP Tailored / 800-53 LowImplemented
- PCI DSS SAQ-A (Paddle MoR)Implemented
- ISO 27017 cloud controls mappingImplemented
- ISO 27018 PII-in-cloud mappingImplemented
- ISO 27701 PIMS mappingImplemented
- ISO 42001 AIMS mappingImplemented
- CMMC L2 / 800-171 mappingImplemented
Resources
- Security contact + responsible disclosure: security.txt · security@aioproductos.com
- Policy library: docs/policies · framework packages: docs/compliance
- Need a framework attestation for procurement? Email security@aioproductos.com.