Compliance
Framework crosswalk
Mappings help your compliance officer — they are not certifications. PostMTA Hosted is designed so customers can attest SOC 2, HIPAA BAA workflows, and regional privacy on their deployment.
| Framework | Requirement | PMH-SEC controls | Evidence |
|---|---|---|---|
| SOC 2 | CC6.1 Logical access controls | PMH-SEC-002,004,006 | RBAC tests, panel.matrix |
| SOC 2 | CC6.6 Encryption in transit | PMH-SEC-011,018 | STARTTLS gate, Caddy TLS |
| SOC 2 | CC7.2 Monitoring | PMH-SEC-012,013 | audit_events, Activity panel |
| HIPAA | §164.312(a) Access control | PMH-SEC-002,005,006 | JWT + MFA optional |
| HIPAA | §164.312(b) Audit controls | PMH-SEC-012,013 | Append-only audit export |
| HIPAA | §164.312(e) Transmission security | PMH-SEC-018,011 | TLS SMTP + HTTPS |
| NIST CSF | PR.AC Identity management | PMH-SEC-001–006 | controls.md |
| NIST CSF | DE.CM Continuous monitoring | PMH-SEC-012 | Queues/metrics panel |
| CIS v8 | 6.1 Access control process | PMH-SEC-004,005 | RLS + editor helper |
| CAN-SPAM | Sender identification & opt-out | Product policy | AUP + FBL ingest |
| PIPEDA | Accountability & consent | Legal + cookies | Privacy policy, cookie banner |
| CCPA/CPRA | Do Not Sell/Share | N/A B2B appliance | No ad-tech; GPC honored |