AIOProductOSStatus

Security & Compliance

AIOProductOS maintains active readiness across 18 compliance frameworks. Every control below is tracked in our live registry and shown in real time. Controls are self-assessed; formal certification audits are scheduled per framework and per customer demand.

As of

GDPR — fully implemented

All 33 of 33 GDPR-mapped controls in our registry pass. Article 28 processor flow-down, Article 30 ROPA, Article 32 security, Article 33–34 breach notification, Article 44–46 international transfers (SCCs), and the full data-subject rights track (Articles 15–22).

/dpa · /privacy · /subprocessors · /cookies

18

frameworks

160

controls tracked

144

implemented

Certification targets

SOC 2 Type II85%

77/91 implemented

ISO 27001:202284%

72/86 implemented

GDPR100%

33/33 implemented

CCPA + US state100%

5/5 implemented

EU AI Act100%

11/11 implemented

WCAG 2.2 AA90%

9/10 implemented

Readiness packages

HIPAA100%

1/1 implemented

HITRUST CSF100%

1/1 implemented

FedRAMP Tailored100%

1/1 implemented

PCI DSS SAQ-A100%

1/1 implemented

ISO 27017100%

3/3 implemented

ISO 27018100%

3/3 implemented

ISO 27701100%

2/2 implemented

ISO 42001100%

5/5 implemented

CMMC L2100%

1/1 implemented

SOX (vendor)100%

1/1 implemented

EU NIS2100%

1/1 implemented

EU DORA100%

1/1 implemented

Control registry

A. Governance & policies

17/17
  • A.01Information Security PolicyImplemented
  • A.02Acceptable Use PolicyImplemented
  • A.03Access Control PolicyImplemented
  • A.04Data Classification PolicyImplemented
  • A.05Encryption PolicyImplemented
  • A.06Vulnerability Management PolicyImplemented
  • A.07Incident Response PlanImplemented
  • A.08Business Continuity & DR PlanImplemented
  • A.09Vendor Management PolicyImplemented
  • A.10Change Management PolicyImplemented
  • A.11Data Retention & Deletion PolicyImplemented
  • A.12HR / Personnel Security PolicyImplemented
  • A.13Code of ConductImplemented
  • A.14Risk Assessment 2026Implemented
  • A.15Article 30 Records of ProcessingImplemented
  • A.16DPIA — AI ProcessingImplemented
  • A.17AI Governance PolicyImplemented

B. Access control

11/15
  • B.1Multi-tenant RLS on all tablesImplemented
  • B.10MFA enforcement on staff accountsIn progress
  • B.11Quarterly access review toolImplemented
  • B.12Privileged access mgmt + key rotationIn progress
  • B.13Leaked-password protection toggleImplemented
  • B.14Password policy (min 12, complexity)Implemented
  • B.15Session timeout policy (idle 24h/max 30d)Implemented
  • B.2RBAC restrictive app.is_admin (0065)Implemented
  • B.3Service-role-only on sensitive RPCsImplemented
  • B.4Audit log table + console viewerImplemented
  • B.5Avatars listing lockedImplemented
  • B.6Function grants tightenedImplemented
  • B.7Function search_path pinnedImplemented
  • B.8SAML SSO (Business tier)In progress
  • B.9SCIM provisioningIn progress

C. Encryption

10/11
  • C.1TLS 1.2+ in transitImplemented
  • C.10HSTS preload submissionIn progress
  • C.11DB encryption-at-rest documentedImplemented
  • C.2AES-256 at restImplemented
  • C.3HTTP security headersImplemented
  • C.4Secrets in env vars not codeImplemented
  • C.5.env gitignoredImplemented
  • C.6EU+US region pinning byte-parityImplemented
  • C.7Key management documentedImplemented
  • C.8Secret rotation schedule (90d)Implemented
  • C.9Secret scanning in CI (gitleaks)Implemented

D. Vulnerability mgmt

11/13
  • D.1Supabase advisor checks (monthly)Implemented
  • D.10/.well-known/security.txtImplemented
  • D.11Responsible disclosure policyImplemented
  • D.12Patching SLA (crit<7d..low<180d)Implemented
  • D.13CVE response runbook + console trackerImplemented
  • D.2Rate limiter on ingest/AI/regionImplemented
  • D.3PostgREST 1000-row cap fixedImplemented
  • D.4Identity-stitch fast-path repairImplemented
  • D.5Webhook delivery atomic claimImplemented
  • D.6Annual third-party pentestIn progress
  • D.7Dependabot on all reposImplemented
  • D.8CodeQL SAST in CIIn progress
  • D.9DAST scan quarterly (ZAP)Implemented

E. Logging & monitoring

7/9
  • E.1Application audit logImplemented
  • E.2/api/health/deepImplemented
  • E.3Connector failure alertingImplemented
  • E.4Cron time-budgets + alertingImplemented
  • E.5Log aggregation documentedImplemented
  • E.6Failed-login monitoringImplemented
  • E.7Alert routing matrixImplemented
  • E.8Log retention >=12 monthsIn progress
  • E.9Anomaly detection on audit logIn progress

F. Backup & recovery

3/6
  • F.1Supabase PITR enabled both regionsIn progress
  • F.2Document RTO 4h / RPO 1hIn progress
  • F.3Quarterly DR drillIn progress
  • F.4Backup verification automationImplemented
  • F.5Cross-region failover runbookImplemented
  • F.6Full-org data export (Art 20)Implemented

G. Incident response

7/7
  • G.1Incident Response Plan documentImplemented
  • G.2Breach notification template (72h)Implemented
  • G.3Postmortem templateImplemented
  • G.4Tabletop exerciseImplemented
  • G.5On-call rotation documentedImplemented
  • G.6Incident dashboard in consoleImplemented
  • G.7Status page integrationImplemented

H. Vendor management

5/6
  • H.1Subprocessor registry in consoleImplemented
  • H.2Initial subprocessor listImplemented
  • H.3DPAs signed with each subprocessorImplemented
  • H.4Annual vendor review automationIn progress
  • H.5Public /subprocessors pageImplemented
  • H.6Vendor change notification (30d)Implemented

I. Change management

6/6
  • I.1Git-based change controlImplemented
  • I.2Branch protection on mainImplemented
  • I.3CI tests on every PRImplemented
  • I.4Change-management policy docImplemented
  • I.5Deployment audit logImplemented
  • I.6Emergency change procedureImplemented

J. HR / personnel

6/7
  • J.1Confidentiality agreements signedImplemented
  • J.2IP assignment signedImplemented
  • J.3Background check policyImplemented
  • J.4Onboarding checklistImplemented
  • J.5Offboarding checklistImplemented
  • J.6Annual security trainingIn progress
  • J.7Code of Conduct signedImplemented

K. Endpoint security

4/5
  • K.1Prod in cloud (inherited physical)Implemented
  • K.2Workstation encryption (FileVault)Implemented
  • K.3Screen lock policy (5 min)Implemented
  • K.4MDM deferred until >5 peopleIn progress
  • K.5Workstation password policyImplemented

L. GDPR + CCPA

16/16
  • L.1Full-org data export (Art 20)Implemented
  • L.10Self-serve account deletionImplemented
  • L.11Data retention schedule per typeImplemented
  • L.12Standard Contractual ClausesImplemented
  • L.13Privacy policy audit + augmentImplemented
  • L.14DSAR process + console queueImplemented
  • L.15Right-to-rectification (Art 16)Implemented
  • L.16US state privacy noticesImplemented
  • L.2Right-to-deletion org-level (Art 17)Implemented
  • L.3Region pinning EU/USImplemented
  • L.4Lawful basis (consent+contract)Implemented
  • L.5Article 30 records of processingImplemented
  • L.6DPIA for AI processingImplemented
  • L.7DPO contact / no-DPO statementImplemented
  • L.8CCPA Do-Not-Sell linkImplemented
  • L.9Cookie consent flow (opt-out)Implemented

M. EU AI Act

8/8
  • M.1AI inventory + risk classificationImplemented
  • M.2AI transparency badges (Art 50)Implemented
  • M.3AI chatbot disclosureImplemented
  • M.4Training-data documentationImplemented
  • M.5Art 22 opt-out automated decisionsImplemented
  • M.6AI Use & Limitations pageImplemented
  • M.7Model cards per AI featureImplemented
  • M.8AI decision audit logImplemented

N. WCAG 2.2 AA

9/10
  • N.1axe/Lighthouse audit key surfacesImplemented
  • N.10Accessibility statement pageImplemented
  • N.2Keyboard nav all surfacesImplemented
  • N.3Screen reader pass top 5Implemented
  • N.4Color contrast AA 4.5:1Implemented
  • N.5Form labels + ARIA auditIn progress
  • N.6Focus indicators visibleImplemented
  • N.7Skip-to-content linksImplemented
  • N.8Reduced motion respectedImplemented
  • N.9axe-core in CIImplemented

O. Public artifacts

9/9
  • O.1/trust pageImplemented
  • O.10/.well-known/gpc.jsonImplemented
  • O.2/security pageImplemented
  • O.3/privacy pageImplemented
  • O.4/cookies pageImplemented
  • O.5/subprocessors pageImplemented
  • O.6/dpa page (self-serve Art 28 DPA)Implemented
  • O.8security.txt publishedImplemented
  • O.9/ai-transparency pageImplemented

Q. Console surfaces

3/3
  • Q.1Compliance DashboardImplemented
  • Q.3Vendor registry surfaceImplemented
  • Q.7Evidence collectorImplemented

Y. Extended frameworks

12/12
  • Y.1HIPAA readiness package + BAAImplemented
  • Y.10SOX vendor ITGC mappingImplemented
  • Y.11EU NIS2 vendor questionnaireImplemented
  • Y.12EU DORA vendor questionnaireImplemented
  • Y.2HITRUST CSF control mappingImplemented
  • Y.3FedRAMP Tailored / 800-53 LowImplemented
  • Y.4PCI DSS SAQ-A (Paddle MoR)Implemented
  • Y.5ISO 27017 cloud controls mappingImplemented
  • Y.6ISO 27018 PII-in-cloud mappingImplemented
  • Y.7ISO 27701 PIMS mappingImplemented
  • Y.8ISO 42001 AIMS mappingImplemented
  • Y.9CMMC L2 / 800-171 mappingImplemented

Resources