Docs
Compliance posture
Crosswalk between PMH-SEC control ids and the operator-facing framework rows. Customer-bound attestations live under trust/compliance; this page is the appliance operator’s view.
SOC 2 Type II
| PMH-SEC | Control family | Evidence on the appliance |
|---|---|---|
| PMH-SEC-002 | CC6 Logical access | workspace_members RLS policies; role matrix in docs/members.md |
| PMH-SEC-005 | CC6 System operations | systemd units in infra/systemd (postmta-hosted-{api,web,smtp,policy-worker}.service) |
| PMH-SEC-006 | CC8 Change management | apps/web git SHA + restore-appliance-drill.sh artifact under artifacts/qa/latest/ |
| PMH-SEC-011 | CC7 Monitoring | k6 SLO in M32 (when k6 installed); /v1/ready health probe |
| PMH-SEC-012 | CC7 Audit logging | audit_events row policy + retention; docs/activity.md |
| PMH-SEC-013 | CC7 Incident response | this document; docs/incident-response.md |
HIPAA
| PMH-SEC | Reference | Note |
|---|---|---|
| PMH-SEC-018 | §164.312(a) Access control | role-aware API gating |
| PMH-SEC-019 | §164.312(b) Audit controls | audit_events row policy |
| PMH-SEC-020 | §164.312(e) Transmission security | SMTP_TLS_CERT/KEY enforced in production (docs/security-architecture.md) |
| BAA availability | §164.504(e) | we-operate customers: signed BAA on file; customer-VPC mode does not require a BAA — appliance + BAA stay with the customer’s trust boundaries |
NIST 800-53 (moderate baseline)
AC-2, AU-2, CM-2, IA-2, SI-2, SC-8 are covered by the PMH-SEC rows above. Physical/environmental controls (PE family) are out of scope — those belong to the customer’s VPC operator.
CIS Controls v8
| CIS v8 | Coverage |
|---|---|
| 3 (Data protection) | RLS + service_role-only access to DKIM secrets (PMH-SEC-023) |
| 4 (Secure configuration) | docs/hardening-checklist.md (env flags) |
| 6 (Access control management) | role matrix (PMH-SEC-002) |
| 8 (Audit log management) | audit_events + retention |
| 13 (Network monitoring) | /v1/ready + k6 + per-node health |
What we don’t claim (yet)
- SOC 2 Type II report — pending (see roadmap); we ship controls, not yet an attestation report.
- PCI DSS scope — no cardholder data is processed by the appliance.
- ISO 27001 — controls are aligned but no certified statement.
- FedRAMP — out of scope (no in-scope government workloads today).
Related
- docs/security-architecture.md
- trust/security — PMH-SEC table
- trust/compliance — operator-facing compliance copy
Last verified: Sat Jul 11 2026 17:00:00 GMT-0700 (Pacific Daylight Time). Cross-link maintained byscripts/check-docs-drift.sh (M54).