Unified Control Matrix

186 deduplicated controls mapped across 11 standards including ISO 27001:2022, ISO 27701, GDPR, COPPA, and CCPA

Unified Compliance Requirements Matrix

Version: 1.2 Created: 2025-11-08 Last Updated: 2026-04-13 Owner: ISMS Owner Classification: Public

Executive Summary

This matrix consolidates requirements from 11 major compliance standards into a unified control framework for the Provii privacy-preserving age verification platform. By identifying overlapping requirements across frameworks, we create a single evidence base that demonstrates compliance with multiple standards simultaneously.

Deduplication Results

Metric	Count
Total raw requirements across all standards	~380
Unique unified controls (deduplicated)	186
Deduplication efficiency	51% reduction
Standards covered	11
Control domains	10

Standards Covered

ISO 27001:2022 - 93 Annex A controls (baseline)
ISO 27701:2019 - 83 additional privacy controls
ISO 27566-1 (27566-1) - Age assurance framework
Privacy by Design - 7 foundational principles
UK Age Appropriate Design Code - 15 standards
COPPA Safe Harbor - Children’s privacy requirements
GDPR - Articles 5, 12-14, 25, 28, 30, 32-34
CCPA - California consumer privacy rights
NIST 800-63-3 - Digital identity assurance
CSA Cloud Controls Matrix v4 - Cloud security controls
Australian Privacy Act 1988 - 13 Australian Privacy Principles (APPs)

Control Domain Breakdown

Domain	Unified Controls	Coverage
Privacy Controls	38	21%
Security Controls	32	17%
Cryptographic Controls	12	6%
Age Verification Controls	18	10%
Data Lifecycle Controls	22	12%
Access & Identity Controls	18	10%
Development & Operations	25	13%
Business Continuity	8	4%
Vendor & Supply Chain	9	5%
Governance & Compliance	4	2%
TOTAL	186	100%

Priority Distribution

Priority	Count	Rationale
Critical	42	Required for certification/regulation compliance
High	68	Competitive advantage, strong market expectation
Medium	58	Good practice, risk mitigation
Low	17	Nice-to-have, aspirational

Privacy Controls (UC-001 to UC-038)
Security Controls (UC-039 to UC-070)
Cryptographic Controls (UC-071 to UC-082)
Age Verification Controls (UC-083 to UC-100)
Data Lifecycle Controls (UC-101 to UC-122)
Access & Identity Controls (UC-123 to UC-140)
Development & Operations Controls (UC-141 to UC-164, UC-186)
Business Continuity Controls (UC-165 to UC-172)
Vendor & Supply Chain Controls (UC-173 to UC-181)
Governance & Compliance Controls (UC-182 to UC-185)

Privacy Controls

UC-001: Data Minimization

Domain: Privacy Description: Collect and process only the minimum personal data necessary to fulfill the specified purpose. Avoid collecting data that is not strictly required.

Standards Coverage:

GDPR Article 5(1)(c). Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
ISO 27701:2019 Annex A 7.2.1. PII controllers should identify and document the purpose for which PII is processed
Privacy by Design Principle 2. Privacy as the default setting - minimal data collection
UK Children’s Code Standard 8. Collect and retain only the minimum amount of personal data needed
COPPA Safe Harbor. Assessment of data minimization practices required
CCPA. “Reasonable security procedures and practices” includes minimization
APP 3 (Australia): Collection must be reasonably necessary for entity’s functions
CSA CCM DSP-02. Data minimization practices

Implementation Type: Technical + Administrative Evidence Needed:

Data flow diagrams showing only essential data collection
Privacy impact assessment documenting necessity of each data element
System architecture demonstrating zero knowledge proof design
Code review showing no unnecessary PII captured in APIs
Privacy policy explaining minimal data practices

Priority: Critical Current Status: ✅ Implemented - Zero knowledge architecture is designed to minimise PII on servers (IP addresses retained for up to 90 days for abuse prevention; critical security event logs retained for up to 365 days)

UC-002: Purpose Limitation

Domain: Privacy Description: Collect personal data for specified, explicit, and legitimate purposes. Do not further process data in ways incompatible with those purposes.

Standards Coverage:

GDPR Article 5(1)(b). Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
ISO 27701:2019 Annex A 7.2.1. Determine and document purpose for PII processing
Privacy by Design Principle 3. Privacy embedded into design - purpose specification
UK Children’s Code Standard 5. Do not use children’s data in detrimental ways
APP 6 (Australia): Use or disclosure only for primary purpose or directly related secondary purpose
CSA CCM DSP-03. Purpose specification and limitation

Implementation Type: Administrative + Technical Evidence Needed:

Privacy policy with explicit purpose statements
Data processing records (GDPR Article 30)
System configuration preventing unauthorized secondary uses
Privacy impact assessment

Priority: Critical Current Status: ✅ Implemented - IP logs used ONLY for abuse prevention (90-day retention; critical security event logs retained for up to 365 days)

UC-003: Transparency and Notice

Domain: Privacy Description: Provide clear, accessible, age-appropriate information to users about what personal data is collected, how it’s used, who it’s shared with, and their rights.

Standards Coverage:

GDPR Articles 12, 13, 14. Transparent information, communication and modalities for exercise of rights
ISO 27701:2019 Annex A 7.3.1. Providing privacy notice to PII principals
Privacy by Design Principle 6. Visibility and transparency
UK Children’s Code Standard 4. Privacy information concise, prominent, in clear language suited to age
COPPA Safe Harbor. Assessment of parental notice requirements
CCPA. Right to know about personal information collection and use
APP 5 (Australia): Notification of collection required
NIST 800-63-3. Notice and consent requirements for identity proofing
CSA CCM DSP-04. Transparency and notice

Implementation Type: Administrative Evidence Needed:

Privacy policy published and easily accessible
Age-appropriate privacy notices for minors
Notice provided at point of collection
Records of privacy notice versions
User interface showing privacy information placement

Priority: Critical Current Status: 🔄 Partially Implemented - Privacy policy exists, needs age-appropriate version

Domain: Privacy Description: Obtain valid, informed, freely-given consent before processing personal data where consent is the legal basis. Provide easy withdrawal mechanisms.

Standards Coverage:

GDPR Article 7. Conditions for consent
ISO 27701:2019 Annex A 7.3.2. Obtaining and recording consent
Privacy by Design Principle 7. User-centric - respect for user privacy
UK Children’s Code Standard 13. Do not use nudge techniques to weaken privacy protections
COPPA Safe Harbor. Verifiable parental consent mechanisms
CCPA. Right to opt-out of sale of personal information
APP 3 (Australia): Consent required for sensitive information
CSA CCM DSP-05. Consent management

Implementation Type: Technical + Administrative Evidence Needed:

Consent management system implementation
Records of consent (date, time, scope)
User interface for consent and withdrawal
Age verification for parental consent (if processing children’s data)
Audit logs of consent changes

Priority: High Current Status: 🔄 Deferred. May develop consent UI component based on verifier integration needs

UC-005: User Rights Facilitation

Domain: Privacy Description: Implement mechanisms for users to exercise their privacy rights including access, rectification, erasure, portability, and objection.

Standards Coverage:

GDPR Articles 15-22. Data subject rights (access, rectification, erasure, restriction, portability, objection)
ISO 27701:2019 Annex A 7.3.4. Providing mechanism to modify or withdraw consent
ISO 27701:2019 Annex A 7.3.5. Providing mechanism for PII principals to access their PII
CCPA. Right to know, delete, opt-out
APP 12, 13 (Australia): Access and correction rights
UK Children’s Code Standard 15. Provide accessible tools to exercise data protection rights
CSA CCM DSP-06. Data subject rights management

Implementation Type: Technical + Administrative Evidence Needed:

Email-based rights request process (privacy@maelstrom.au)
Request handling procedures and SLAs
Identity verification for rights requests
Logs of rights requests and responses

Priority: Critical Current Status: ✅ Implemented. Email-based DSAR process via privacy@maelstrom.au; users hold credential data in wallet (inherent portability); automatic 90-day IP deletion (inherent erasure); critical security event logs retained for up to 365 days

UC-006: Privacy by Design and Default

Domain: Privacy Description: Integrate privacy into system design from the outset. Implement privacy-protective defaults requiring no user action.

Standards Coverage:

GDPR Article 25. Data protection by design and by default
ISO 27701:2019 Clause 5.2.1. Privacy by design and by default
Privacy by Design Principle 1. Proactive not reactive; preventative not remedial
Privacy by Design Principle 3. Privacy embedded into design
UK Children’s Code Standard 1. Best interests of child as primary consideration
UK Children’s Code Standard 7. Settings must be high privacy by default
ISO 27566-1. Privacy as core principle of age assurance
CSA CCM DSP-01. Privacy by design

Implementation Type: Technical + Administrative Evidence Needed:

Privacy design documentation and threat models
Default configuration settings (high privacy)
Privacy impact assessments for new features
Architecture reviews demonstrating privacy principles
Developer training on privacy-by-design

Priority: Critical Current Status: ✅ Implemented - Zero knowledge proofs are privacy by design

UC-007: Privacy Impact Assessment (PIA/DPIA)

Domain: Privacy Description: Conduct privacy impact assessments for high-risk processing activities, especially those involving children or new technologies.

Standards Coverage:

GDPR Article 35. Data Protection Impact Assessment (DPIA) required for high-risk processing
ISO 27701:2019 Annex A 7.2.4. Undertake privacy impact assessment
UK Children’s Code Standard 2. Undertake DPIA to assess risks to children’s rights and freedoms
ISO 27566-1. Risk assessment for age assurance systems
APP 1 (Australia): Privacy policy must address risk assessment

Implementation Type: Administrative Evidence Needed:

Completed DPIA document
Risk assessment methodology
Mitigation measures for identified risks
DPIA review and approval records
DPIA updates when processing changes

Priority: High Current Status: ✅ Implemented - See Data Protection Impact Assessment

UC-008: Privacy Governance and Accountability

Domain: Privacy Description: Establish clear privacy governance structure with assigned responsibilities, documented policies, and accountability mechanisms.

Standards Coverage:

GDPR Article 5(2). Controller accountability principle
ISO 27701:2019 Clause 5.2.2. Privacy roles and responsibilities
ISO 27701:2019 Annex A 7.2.2. Determining data controller and processor roles
Privacy by Design Principle 7. Respect for user privacy - accountability
APP 1 (Australia): Privacy policy must be clear and current
CSA CCM GRC-01. Governance program

Implementation Type: Administrative Evidence Needed:

Privacy policy and governance charter
Data Protection Officer (DPO) or privacy official appointment
Privacy committee or oversight structure
Privacy training for staff
Records of privacy reviews and audits

Priority: High Current Status: 🔄 Partially Implemented - Privacy Officer acts as privacy official, formal DPO not appointed

UC-009: Anonymity and Pseudonymity Support

Domain: Privacy Description: Enable users to interact with services anonymously or pseudonymously wherever practicable and lawful.

Standards Coverage:

ISO 27701:2019 Annex A 7.2.6. Limit processing of PII elements
Privacy by Design Principle 2. Privacy as the default - anonymity
APP 2 (Australia): Individuals should have option to interact anonymously or using pseudonym
ISO 27566-1. Unlinkability as privacy principle for age assurance

Implementation Type: Technical Evidence Needed:

System design supporting anonymous/pseudonymous use
Random identifier generation for verifications
Unlinkability mechanisms (e.g., nullifiers without user linking)
Privacy policy explaining anonymity options

Priority: High Current Status: ✅ Implemented - Random verification IDs, no cross-site tracking

UC-010: Cross-Border Data Transfer Safeguards

Domain: Privacy Description: Implement appropriate safeguards for international data transfers, including standard contractual clauses, adequacy decisions, or other lawful mechanisms.

Standards Coverage:

GDPR Chapter V (Articles 44-50). Transfers of personal data to third countries
ISO 27701:2019 Annex A 7.2.7. Cross-border transfers of PII
APP 8 (Australia): Cross-border disclosure requires recipient compliance with APPs
CCPA. No specific requirement but privacy policy must disclose international transfers
CSA CCM DSP-07. Cross-border data transfers

Implementation Type: Administrative + Technical Evidence Needed:

Data transfer impact assessments
Standard contractual clauses (if applicable)
List of countries where data is transferred
Cloudflare data centre locations and data residency
Privacy Shield / adequacy decision documentation (if applicable)

Priority: Medium Current Status: ✅ Implemented - Cloudflare global network, minimal data transferred

UC-011: Profiling and Automated Decision-Making Restrictions

Domain: Privacy Description: Restrict profiling and automated decision-making, especially for children. Provide human review options for significant automated decisions.

Standards Coverage:

GDPR Article 22. Right not to be subject to automated decision-making
ISO 27701:2019 Annex A 7.3.8. Providing information regarding automated decision-making
UK Children’s Code Standard 12. Switch profiling off by default for children
CCPA. Right to opt-out of automated decision-making (CPRA amendment)
CSA CCM DSP-08. Automated decision-making

Implementation Type: Technical + Administrative Evidence Needed:

Documentation of automated decisions and their logic
Opt-out mechanisms for profiling
Human review procedures for significant decisions
Age-gating for profiling features
Privacy policy disclosure of automated processing

Priority: Medium Current Status: ✅ Implemented - No profiling performed (age threshold only)

UC-012: Children’s Privacy Protections

Domain: Privacy Description: Implement enhanced privacy protections for users under 18, including age verification, parental consent mechanisms, and restrictions on data collection and sharing.

Standards Coverage:

UK Children’s Code. All 15 standards apply
COPPA. Parental consent for children under 13
COPPA Safe Harbor. Assessment of children’s privacy practices
GDPR Article 8. Consent for children’s information society services (under 16)
ISO 27566-1. Age assurance for protecting minors
CCPA. Restrictions on sale of minors’ data (under 16)

Implementation Type: Technical + Administrative Evidence Needed:

Age verification mechanisms
Parental consent flows
Enhanced privacy defaults for children
Data minimization for minors
Children’s privacy policy (age-appropriate language)

Priority: Critical Current Status: ✅ Implemented - Age verification is core function; minimal data regardless of age

UC-013: Geolocation Privacy Controls

Domain: Privacy Description: Disable geolocation tracking by default, especially for children. Provide obvious indicators when location is being tracked.

Standards Coverage:

UK Children’s Code Standard 10. Geolocation off by default unless compelling reason
ISO 27701:2019 Annex A 7.2.8. Location privacy controls
Privacy by Design Principle 2. Privacy as default
COPPA Safe Harbor. Location data considered personal information

Implementation Type: Technical Evidence Needed:

Geolocation settings default to disabled
User interface indicators for location tracking
Session-based location reset (not persistent)
Privacy policy explaining location use

Priority: Medium Current Status: ✅ Implemented - No geolocation tracking performed

UC-014: Parental Controls and Transparency

Domain: Privacy Description: If providing parental controls, inform children when they are being monitored. Provide age-appropriate information about monitoring capabilities.

Standards Coverage:

UK Children’s Code Standard 11. Provide obvious sign to child when monitored by parent
COPPA. Parental access to children’s information
Privacy by Design Principle 6. Visibility and transparency

Implementation Type: Technical + Administrative Evidence Needed:

User interface showing monitoring indicators to children
Age-appropriate documentation about parental controls
Privacy policy explaining parental access rights

Priority: Low Current Status: ❌ Not Applicable - No parental monitoring features (users control own wallets)

UC-015: Nudge Technique Restrictions

Domain: Privacy Description: Do not use nudge techniques or dark patterns to encourage users (especially children) to provide unnecessary personal data or weaken privacy settings.

Standards Coverage:

UK Children’s Code Standard 13. Do not use nudge techniques to lead children to provide unnecessary data
Privacy by Design Principle 7. User-centric - empowering users
GDPR Article 7(4). Consent must be freely given, not influenced by detriment

Implementation Type: Technical + Administrative Evidence Needed:

User interface design reviews
A/B testing policies prohibiting privacy-reducing nudges
User experience audits
Privacy-protective design patterns

Priority: High Current Status: ✅ Implemented - Minimal UI, no manipulative patterns

Domain: Privacy Description: Prohibit or strictly limit sharing of personal data with third parties. Require compelling reasons for any data sharing, especially for children’s data.

Standards Coverage:

UK Children’s Code Standard 9. Do not disclose children’s data unless compelling reason
ISO 27701:2019 Annex A 7.3.10. Providing information about PII processing to PII principals regarding third parties
GDPR Article 5(1)(b). Purpose limitation restricts sharing
APP 6 (Australia): Disclosure restrictions
CCPA. Right to know about third-party disclosures and opt-out of sale

Implementation Type: Administrative + Technical Evidence Needed:

List of third parties receiving data
Data processing agreements with third parties
Purpose justification for each sharing relationship
Privacy policy disclosure of sharing practices
User opt-out mechanisms

Priority: Critical Current Status: ✅ Implemented - No PII shared (zero knowledge architecture)

UC-017: Retention Limitation

Domain: Privacy Description: Retain personal data only as long as necessary for the specified purpose. Define and enforce retention periods with automated deletion.

Standards Coverage:

GDPR Article 5(1)(e). Storage limitation - kept no longer than necessary
ISO 27701:2019 Annex A 7.3.1. PII retention controls
UK Children’s Code Standard 8. Retain only minimum amount of data
APP 11 (Australia): Take reasonable steps to destroy or de-identify information no longer needed
ISO 27001:2022 A.8.10. Information deletion
CSA CCM DSP-09. Data retention

Implementation Type: Technical + Administrative Evidence Needed:

Data retention policy with specific timeframes
Automated deletion procedures
Retention schedule by data type
Logs of data deletion activities
Exception handling for legal holds

Priority: Critical Current Status: ✅ Implemented - IP logs ~90 days; critical security events up to 365 days; ephemeral state auto-expires

UC-018: Privacy Policy and Standards Compliance

Domain: Privacy Description: Publish clear privacy policies and community standards. Uphold published commitments to ensure fair use of personal data.

Standards Coverage:

UK Children’s Code Standard 6. Uphold published terms, policies, and community standards
ISO 27701:2019 Annex A 7.3.1. Privacy notice requirements
APP 1 (Australia): Clear and current privacy policy required
CCPA. Privacy policy must disclose specific practices

Implementation Type: Administrative Evidence Needed:

Published privacy policy
Terms of service
Community standards (if applicable)
Policy version control
Policy review and update records

Priority: Critical Current Status: ✅ Implemented - Privacy policy published at maelstrom.au/trust

UC-019: Detrimental Use Prevention

Domain: Privacy Description: Do not use personal data in ways detrimental to wellbeing, or that violate industry codes, regulations, or government advice.

Standards Coverage:

UK Children’s Code Standard 5. Do not use children’s data in detrimental ways
GDPR Article 5(1)(a). Lawfulness, fairness, and transparency
ISO 27701:2019 Annex A 7.2.1. Lawful and fair processing

Implementation Type: Administrative Evidence Needed:

Ethical use policy
Data use review board
Prohibited uses documentation
Compliance with industry codes
Incident response for misuse

Priority: High Current Status: ✅ Implemented - Minimal data collection reduces the risk of detrimental use

UC-020: Best Interests of the Child

Domain: Privacy Description: Make the best interests of children a primary consideration when designing and developing services likely to be accessed by children.

Standards Coverage:

UK Children’s Code Standard 1. Best interests of child as primary consideration
UN Convention on Rights of the Child Article 3. Best interests principle
ISO 27566-1. Child protection as design consideration

Implementation Type: Administrative + Technical Evidence Needed:

Best interests assessment framework
Design review process considering child welfare
Age-appropriate design patterns
Child safety impact assessments

Priority: High Current Status: ✅ Implemented - Age verification designed to protect minors from age-restricted content

UC-021: Connected Toys and Devices Privacy

Domain: Privacy Description: For connected toys or devices, include effective tools to enable conformance with children’s privacy codes.

Standards Coverage:

UK Children’s Code Standard 14. Connected toys must include conformance tools
COPPA. Toys collecting personal information require parental consent

Implementation Type: Technical Evidence Needed:

Device security features
Parental control implementation
Privacy by design for IoT
Security update mechanisms

Priority: Low Current Status: ❌ Not Applicable - No hardware devices (software-only platform)

UC-022: Privacy Training and Awareness

Domain: Privacy Description: Provide privacy training to staff handling personal data. Raise awareness about privacy obligations and best practices.

Standards Coverage:

ISO 27701:2019 Clause 5.3.2. Privacy awareness and training
GDPR Article 39. Data Protection Officer training duties
APP 1 (Australia): APP entities should train staff
CSA CCM HRS-08. Security awareness and training

Implementation Type: Administrative Evidence Needed:

Privacy training program
Training completion records
Training content and materials
Annual refresher training
Specialized training for roles handling sensitive data

Priority: High Current Status: ✅ Implemented. ISMS Owner holds CISSP, Security+, PenTest+, SecurityX; privacy obligations covered in Security Awareness Programme

UC-023: Privacy-Enhancing Technologies

Domain: Privacy Description: Implement privacy-enhancing technologies such as encryption, anonymization, pseudonymization, and zero knowledge proofs.

Standards Coverage:

GDPR Article 25. Data protection by design - technical measures
ISO 27701:2019 Annex A 7.2.6. Limiting PII processing through technical measures
Privacy by Design Principle 3. Privacy embedded into design
ISO 27566-1. Privacy-preserving age verification technologies
NIST 800-63-3. Privacy-enhancing authentication mechanisms

Implementation Type: Technical Evidence Needed:

Cryptographic implementation documentation
Zero knowledge proof system architecture
Anonymization/pseudonymization techniques
End-to-end encryption where applicable
Third-party security audits of privacy technologies

Priority: Critical Current Status: ✅ Implemented - zk-SNARKs (Groth16) core technology

UC-024: Data Quality and Accuracy

Domain: Privacy Description: Ensure personal data is accurate, up-to-date, and complete. Provide mechanisms for users to correct inaccurate data.

Standards Coverage:

GDPR Article 5(1)(d). Accuracy principle
ISO 27701:2019 Annex A 7.3.6. Correcting or amending PII
APP 10 (Australia): Take reasonable steps to ensure data quality
APP 13 (Australia): Correction rights
CCPA. Right to correct inaccurate personal information

Implementation Type: Technical + Administrative Evidence Needed:

Data validation procedures
Data correction workflows
User interface for updating information
Data quality monitoring
Audit logs of corrections

Priority: Medium Current Status: ✅ Implemented - Date of birth entered by user, validated client-side

UC-025: Sensitive Data Protections

Domain: Privacy Description: Implement enhanced protections for sensitive personal data including biometrics, health data, racial/ethnic origin, religious beliefs, and children’s data.

Standards Coverage:

GDPR Article 9. Special categories of personal data
ISO 27701:2019 Annex A 7.2.5. Privacy obligations for special categories
APP 3 (Australia): Sensitive information requires consent and additional protections
CCPA. Sensitive personal information use limitation
COPPA. Children’s information treated as sensitive

Implementation Type: Technical + Administrative Evidence Needed:

Sensitive data classification
Enhanced security controls for sensitive data
Consent mechanisms for sensitive data
Access restrictions to sensitive data
Encryption at rest and in transit

Priority: High Current Status: ✅ Implemented - Date of birth transmitted once during issuance for server-side Pedersen commitment computation, then immediately discarded; never transmitted during verification

UC-026: Privacy Incident Response

Domain: Privacy Description: Establish procedures to detect, report, investigate, and respond to privacy incidents and data breaches.

Standards Coverage:

GDPR Articles 33-34. Data breach notification to authority and data subjects
ISO 27701:2019 Annex A 7.5.1. PII breach identification and response
APP 1 (Australia): Privacy policy must address breach response
CCPA. Breach notification requirements
CSA CCM SEF-04. Incident response

Implementation Type: Administrative Evidence Needed:

Privacy incident response plan
Breach notification procedures and templates
72-hour notification timeline for GDPR
Incident detection mechanisms
Post-incident review process

Priority: Critical Current Status: ✅ Implemented - Incident response plan includes privacy breaches

UC-027: Records of Processing Activities

Domain: Privacy Description: Maintain records of data processing activities including purposes, categories of data, recipients, retention periods, and security measures.

Standards Coverage:

GDPR Article 30. Records of processing activities (controller and processor)
ISO 27701:2019 Annex A 7.2.3. Determining and fulfilling data processing obligations
ISO 27701:2019 Annex B 8.2.3. Records of processing for processors
APP 1 (Australia): Privacy policy must document processing practices

Implementation Type: Administrative Evidence Needed:

Record of processing activities (ROPA) document
Data inventory and data flows
Purpose documentation for each processing activity
Retention periods documented
Regular ROPA updates

Priority: High Current Status: ✅ Implemented. ROPA Records

UC-028: Privacy Rights for Complaints and Redress

Domain: Privacy Description: Provide accessible mechanisms for users to file privacy complaints and obtain redress for privacy violations.

Standards Coverage:

UK Children’s Code Standard 15. Tools to report concerns
ISO 27701:2019 Annex A 7.3.9. Handling requests and complaints
GDPR Article 77. Right to lodge complaint with supervisory authority
APP 1 (Australia): Privacy policy must explain complaint mechanisms
COPPA Safe Harbor. Adequate means for resolving consumer complaints

Implementation Type: Administrative Evidence Needed:

Complaint submission mechanisms
Complaint handling procedures and SLAs
Privacy contact information (email, form)
Complaint tracking and resolution logs
Escalation procedures

Priority: High Current Status: 🔄 Partially Implemented - security@maelstrom.au for privacy concerns, formal privacy complaint process needed

UC-029: Direct Marketing Restrictions

Domain: Privacy Description: Restrict use of personal data for direct marketing. Provide opt-out mechanisms and respect do-not-contact preferences.

Standards Coverage:

GDPR Article 21. Right to object to processing including direct marketing
ISO 27701:2019 Annex A 7.3.7. Direct marketing opt-out
APP 7 (Australia): Direct marketing restrictions and opt-out
UK Children’s Code. Implicit in data minimization and purpose limitation

Implementation Type: Technical + Administrative Evidence Needed:

Marketing preference management
Opt-out mechanisms
Suppression list management
Third-party marketing restrictions
Privacy policy disclosing marketing practices

Priority: Low Current Status: ✅ Implemented - No direct marketing performed

UC-030: Privacy for Employment and HR

Domain: Privacy Description: Implement privacy protections for employee and contractor personal data including background checks, monitoring, and HR data management.

Standards Coverage:

GDPR Article 88. Processing employee data
ISO 27701:2019 Annex A 7.2.9. Privacy obligations for HR processing
APP 3 (Australia): Collection from employees must be reasonably necessary

Implementation Type: Administrative Evidence Needed:

Employee privacy notice
HR data retention policies
Employee monitoring disclosures
Background check consent forms
Employee access to their HR data

Priority: Medium Current Status: 🔄 Partially Implemented - Employment contracts include privacy terms, formal HR privacy notice needed

UC-031: Marketing to Children Restrictions

Domain: Privacy Description: Prohibit or strictly limit marketing and advertising targeted to children. Disable behavioural advertising for minors.

Standards Coverage:

UK Children’s Code Standard 5. Detrimental use includes exploitative marketing
UK Children’s Code Standard 12. Profiling off by default (used for ad targeting)
COPPA. Restrictions on marketing to children under 13
CCPA. Sale of minors’ data restricted (under 16 requires opt-in)

Implementation Type: Technical + Administrative Evidence Needed:

Age-gated marketing restrictions
Prohibition on behavioural advertising for minors
Privacy policy disclosure of advertising practices
Third-party advertiser contracts restricting child targeting

Priority: High Current Status: ✅ Implemented - No advertising or marketing performed

UC-032: Unlinkability and Selective Disclosure

Domain: Privacy Description: Prevent linking of user activities across different contexts. Enable users to disclose only the minimum information needed for each transaction.

Standards Coverage:

ISO 27701:2019 Annex A 7.2.6. Minimising linkability
Privacy by Design Principle 2. Privacy as default - unlinkability
ISO 27566-1. Unlinkability as core privacy principle
NIST 800-63-3. Federation protocols should minimise linkability

Implementation Type: Technical Evidence Needed:

Random identifier generation per transaction
Nullifier architecture preventing replay without linkability
Zero knowledge proof selective disclosure
No cross-site tracking mechanisms
Privacy architecture documentation

Priority: Critical Current Status: ✅ Implemented - Random verification IDs, unlinkable proofs, nullifiers

UC-033: Privacy-Preserving Analytics

Domain: Privacy Description: Implement analytics and monitoring in privacy-preserving ways. Aggregate data, minimise identifiable information in logs, and limit analytics retention.

Standards Coverage:

GDPR Article 5(1)(c). Data minimization applies to analytics
ISO 27701:2019 Annex A 7.2.6. Minimise PII in analytics
Privacy by Design Principle 2. Privacy as default
APP 3 (Australia): Collection must be reasonably necessary

Implementation Type: Technical Evidence Needed:

Anonymized/aggregated analytics implementation
IP address truncation or hashing
Analytics data retention limits
No tracking cookies or persistent identifiers
Privacy-preserving telemetry pipeline (Cloudflare Workers Logs shipped to Grafana Loki, hashed IPs only)

Priority: Medium Current Status: ✅ Implemented - Cloudflare Workers Logs in Grafana Loki (privacy-preserving), IP logs 90 days; critical security event logs retained for up to 365 days

UC-034: Processor Obligations and Contracts

Domain: Privacy Description: When acting as a data processor, comply with controller instructions, implement appropriate security, and assist with data subject rights and compliance obligations.

Standards Coverage:

GDPR Article 28. Processor obligations and contracts
ISO 27701:2019 Annex B. All processor controls
APP 8 (Australia): Entities disclosing overseas must ensure compliance
CCPA. Service provider contracts required

Implementation Type: Administrative Evidence Needed:

Data processing agreements (DPAs) with customers
Documentation of controller instructions
Sub-processor notifications and consents
Assistance procedures for data subject rights
Processor security certifications

Priority: Critical Current Status: ✅ Implemented. DPA templates created; pending external legal review (P-001)

UC-035: Third-Party Privacy Audits

Domain: Privacy Description: Undergo independent third-party privacy audits and certifications to demonstrate compliance and build trust.

Standards Coverage:

ISO 27701:2019. Certifiable standard
COPPA Safe Harbor. FTC-approved safe harbor program with independent assessments
SOC 2. Privacy Trust Service Criteria
Privacy by Design Principle 6. Transparency through independent verification

Implementation Type: Administrative Evidence Needed:

Third-party audit reports
Privacy certifications (ISO 27701, Privacy Shield, etc.)
Safe Harbor program membership
SOC 2 Type II report (Privacy)
Public attestations

Priority: High Current Status: 🔄 Deferred. Future consideration after ISO 27001 achieved; no timeline set

UC-036: Privacy Shield / Adequacy Mechanisms

Domain: Privacy Description: For US-EU data transfers, implement approved transfer mechanisms such as Standard Contractual Clauses, adequacy decisions, or certified frameworks.

Standards Coverage:

GDPR Chapter V. International data transfers
ISO 27701:2019 Annex A 7.2.7. Cross-border transfer safeguards

Implementation Type: Administrative Evidence Needed:

Standard Contractual Clauses (SCCs)
Transfer impact assessment (TIA)
Adequacy decision documentation
Binding corporate rules (if applicable)
Supplementary measures for non-adequate countries

Priority: Medium Current Status: ✅ Implemented. SCCs addendum drafted (Decision 2021/914, Module 2); pending legal review (P-001)

UC-037: Privacy Dispute Resolution

Domain: Privacy Description: Provide independent dispute resolution mechanisms for privacy complaints, especially for international frameworks like COPPA Safe Harbor.

Standards Coverage:

COPPA Safe Harbor. Independent dispute resolution required
Privacy Shield. Binding arbitration mechanisms (now invalidated)
APP 1 (Australia): Complaint handling procedures

Implementation Type: Administrative Evidence Needed:

Dispute resolution provider contracts
Escalation procedures to independent review
Arbitration mechanisms
Documentation of dispute outcomes

Priority: Medium Current Status: ❌ Not Applicable. B2B model with contractual dispute terms; no consumer-facing dispute resolution needed

UC-038: Privacy Performance Metrics

Domain: Privacy Description: Establish and track privacy performance metrics including consent rates, rights request response times, breach incidents, and user trust measures.

Standards Coverage:

ISO 27701:2019 Clause 6. Performance evaluation
Privacy by Design Principle 6. Visibility and transparency
COPPA Safe Harbor. Annual reporting of privacy metrics

Implementation Type: Administrative Evidence Needed:

Privacy KPIs dashboard
Consent acceptance/rejection rates
Data subject rights request SLA compliance
Privacy incident metrics
User satisfaction surveys

Priority: Medium Current Status: 🔄 Deferred. Privacy metrics tracked in quarterly management review; formal dashboard may be implemented as operational volume grows

Security Controls

UC-039: Information Security Policy

Domain: Security Description: Establish, document, approve, and communicate information security policies. Review and update regularly.

Standards Coverage:

ISO 27001:2022 A.5.1. Policies for information security
ISO 27701:2019. Extends to privacy policies
CSA CCM GRC-02. Information security policy
NIST 800-63-3. Security policy requirements
COPPA Safe Harbor. Security policies required

Implementation Type: Administrative Evidence Needed:

Information security policy document
Privacy policy
Topic-specific policies (access control, cryptography, etc.)
Management approval records
Publication and communication evidence

Priority: Critical Current Status: ✅ Implemented - ISO 27001 ISMS

UC-040: Security Roles and Responsibilities

Domain: Security Description: Define and assign information security roles and responsibilities across the organisation. Establish accountability.

Standards Coverage:

ISO 27001:2022 A.5.2. Information security roles and responsibilities
ISO 27701:2019. Privacy roles and responsibilities
CSA CCM GRC-03. Roles and responsibilities
NIST CSF. Governance function

Implementation Type: Administrative Evidence Needed:

Roles and responsibilities matrix
Job descriptions with security duties
RACI chart for security activities
Accountability documentation

Priority: High Current Status: ✅ Implemented - Roles and Responsibilities

UC-041: Risk Assessment and Treatment

Domain: Security Description: Regularly conduct information security risk assessments. Identify, analyse, evaluate, and treat risks. Document risk treatment decisions.

Standards Coverage:

ISO 27001:2022 Clause 6.1. Risk assessment and treatment
ISO 27701:2019 Clause 6. Privacy risk management
CSA CCM GRC-04. Risk management program
NIST CSF. Risk assessment function
UK Children’s Code Standard 2. DPIA for risks to children

Implementation Type: Administrative Evidence Needed:

Risk assessment methodology
Risk register
Risk treatment plan
Residual risk acceptance
Annual risk reviews

Priority: Critical Current Status: ✅ Implemented - Risk Methodology and Risk Register

UC-042: Access Control Policy and Management

Domain: Security Description: Implement access control policies based on least privilege and need-to-know. Manage access rights throughout lifecycle.

Standards Coverage:

ISO 27001:2022 A.5.9. Access control
ISO 27001:2022 A.8.3. Information access restriction
CSA CCM IAM-01. Access control policy
NIST 800-63-3. Access management
GDPR Article 32(1)(b). Ability to ensure confidentiality through access controls

Implementation Type: Technical + Administrative Evidence Needed:

Access control policy
Access rights matrix
Role-based access control (RBAC) implementation
Access provisioning and deprovisioning procedures
Access reviews and audit logs

Priority: Critical Current Status: ✅ Implemented - Access Control Policy

UC-043: Multi-Factor Authentication (MFA)

Domain: Security Description: Require multi-factor authentication for access to critical systems, especially administrative access and remote access.

Standards Coverage:

ISO 27001:2022 A.8.5. Secure authentication
NIST 800-63-3 AAL2/AAL3. Multi-factor authentication requirements
CSA CCM IAM-02. Multi-factor authentication
GDPR Article 32. Appropriate security measures

Implementation Type: Technical Evidence Needed:

MFA implementation (TOTP, hardware keys, biometrics)
MFA enforcement policies
User enrollment records
Backup authentication methods
MFA coverage metrics

Priority: Critical Current Status: ✅ Implemented - MFA required for GitHub, Cloudflare, email

UC-044: Encryption in Transit

Domain: Security Description: Encrypt all data in transit using strong cryptography (TLS 1.3 or equivalent). Prohibit unencrypted transmission of sensitive data.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
ISO 27001:2022 A.5.14. Information transfer
GDPR Article 32(1)(a). Pseudonymisation and encryption
NIST 800-63-3. Authenticated protected channels
CSA CCM EKM-02. Encryption in transit
CCPA. Encryption required for reasonable security

Implementation Type: Technical Evidence Needed:

TLS configuration (version, cipher suites)
TLS enforcement (HSTS headers)
Certificate management
No unencrypted protocols (HTTP, FTP, Telnet)
API security with HTTPS

Priority: Critical Current Status: ✅ Implemented - TLS 1.3 everywhere, HTTPS-only

UC-045: Encryption at Rest

Domain: Security Description: Encrypt sensitive data at rest including databases, backups, and endpoint devices. Use strong encryption algorithms.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
GDPR Article 32(1)(a). Encryption as security measure
NIST 800-63-3. Encrypted storage requirements
CSA CCM EKM-01. Encryption at rest
CCPA. Encryption for reasonable security

Implementation Type: Technical Evidence Needed:

Full disk encryption on endpoints (FileVault, BitLocker)
Database encryption (Cloudflare KV encryption)
Backup encryption
Encryption key management
Cryptographic standards documentation

Priority: Critical Current Status: ✅ Implemented - Full disk encryption required, Cloudflare KV encrypted

UC-046: Security Monitoring and Logging

Domain: Security Description: Implement security event logging, monitoring, and alerting. Protect logs from tampering and unauthorized access.

Standards Coverage:

ISO 27001:2022 A.8.8. Logging and monitoring
GDPR Article 32(1)(d). Process for testing, assessing, and evaluating security
CSA CCM LOG-01. Logging and monitoring
NIST CSF. Detect function
ISO 27701:2019 Annex A 7.4.7. Logging for privacy events

Implementation Type: Technical Evidence Needed:

Log management system (Cloudflare Workers Logs shipped to Grafana Loki, KV audit logs)
Security event definitions
Log retention policies
Log protection (immutability, access controls)
Alerting rules and incident escalation

Priority: Critical Current Status: ✅ Implemented - Cloudflare Workers Logs (Grafana Loki), KV audit logs

UC-047: Incident Response Plan

Domain: Security Description: Establish and maintain an incident response capability with defined procedures, roles, communication plans, and post-incident reviews.

Standards Coverage:

ISO 27001:2022 A.5.12. Information security incident management
GDPR Article 33. Breach notification within 72 hours
CSA CCM SEF-03. Incident response plan
NIST CSF. Respond function
CCPA. Breach notification requirements

Implementation Type: Administrative Evidence Needed:

Incident response plan document
Incident severity classification
Escalation procedures and contact lists
Incident tracking and reporting
Post-incident reviews and lessons learned

Priority: Critical Current Status: ✅ Implemented - Incident Response Plan

UC-048: Vulnerability Management

Domain: Security Description: Implement continuous vulnerability scanning, assessment, and remediation. Track and patch vulnerabilities according to risk-based prioritisation.

Standards Coverage:

ISO 27001:2022 A.8.8. Management of technical vulnerabilities
CSA CCM TVM-01. Vulnerability management
NIST CSF. Identify vulnerabilities function
GDPR Article 32. Regular testing and evaluation

Implementation Type: Technical + Administrative Evidence Needed:

Vulnerability scanning tools (cargo audit, npm audit, GitHub Security Alerts)
Vulnerability remediation SLAs
Patch management procedures
Vulnerability disclosure program
Penetration testing reports

Priority: Critical Current Status: ✅ Implemented - GitHub Security Alerts, cargo/npm audit in CI/CD

UC-049: Secure Software Development Lifecycle (SSDLC)

Domain: Security Description: Integrate security into all phases of software development including threat modeling, secure coding, security testing, and code review.

Standards Coverage:

ISO 27001:2022 A.8.5. Secure development
CSA CCM AIS-01. Secure development lifecycle
NIST CSF. Protect function
GDPR Article 25. Security by design

Implementation Type: Technical + Administrative Evidence Needed:

SSDLC policy and procedures
Threat modeling for new features
Secure coding standards
Code review requirements
Security testing in CI/CD

Priority: High Current Status: ✅ Implemented - Code review, CI/CD security testing, threat modeling

UC-050: Security Testing and Assessment

Domain: Security Description: Conduct regular security testing including static analysis, dynamic analysis, penetration testing, and security code review.

Standards Coverage:

ISO 27001:2022 A.8.29. Security testing in development and acceptance
CSA CCM AIS-02. Security testing
NIST CSF. Detect anomalies function
GDPR Article 32. Regular testing and evaluation

Implementation Type: Technical Evidence Needed:

Security testing tools (CodeQL, fuzzing, property testing)
Penetration testing schedule and reports
Security code review records
Automated security scanning in CI/CD
Remediation tracking

Priority: High Current Status: ✅ Implemented - CodeQL, fuzzing, property-based testing, mutation testing

UC-051: Change Management and Control

Domain: Security Description: Implement formal change management for systems, code, and infrastructure. Review changes for security impact before deployment.

Standards Coverage:

ISO 27001:2022 A.8.6. Change management
CSA CCM CCC-01. Change control
NIST CSF. Protect function
SOC 2. Change management control

Implementation Type: Administrative + Technical Evidence Needed:

Change management policy
Change approval workflows
Version control (Git)
Deployment procedures
Rollback capabilities

Priority: High Current Status: ✅ Implemented - Change Management, Git, CI/CD

UC-052: Business Continuity and Disaster Recovery

Domain: Security Description: Establish business continuity plans with defined RTOs and RPOs. Implement disaster recovery procedures and test regularly.

Standards Coverage:

ISO 27001:2022 A.5.13. Business continuity
CSA CCM BCR-01. Business continuity management
NIST CSF. Recover function

Implementation Type: Administrative + Technical Evidence Needed:

Business continuity plan (BCP)
Disaster recovery plan (DRP)
RTOs and RPOs defined
Backup and recovery procedures
BCP/DRP testing records

Priority: High Current Status: ✅ Implemented - Business Continuity Plan

UC-053: Asset Management and Inventory

Domain: Security Description: Maintain inventory of information assets including hardware, software, data, and cloud services. Classify and assign ownership.

Standards Coverage:

ISO 27001:2022 A.5.9. Inventory of information and other associated assets
CSA CCM GRC-05. Asset management
NIST CSF. Identify assets function

Implementation Type: Administrative Evidence Needed:

Asset register
Asset classification scheme
Asset ownership assignments
Regular asset reviews
Decommissioning procedures

Priority: High Current Status: ✅ Implemented - Asset Register

UC-054: Supplier and Third-Party Security

Domain: Security Description: Assess and manage security risks from suppliers, vendors, and third parties. Include security requirements in contracts.

Standards Coverage:

ISO 27001:2022 A.5.10. Supplier relationships
CSA CCM STA-01. Supply chain management
GDPR Article 28. Processor security requirements

Implementation Type: Administrative Evidence Needed:

Supplier security assessment procedures
Security requirements in vendor contracts
Critical supplier list (Cloudflare, GitHub)
Vendor security reviews
Sub-processor management

Priority: High Current Status: ✅ Implemented - Supplier Management

UC-055: Physical and Environmental Security

Domain: Security Description: Protect physical facilities, equipment, and infrastructure from physical threats, environmental hazards, and unauthorized access.

Standards Coverage:

ISO 27001:2022 A.7. Physical controls
CSA CCM DCS-01. Datacenter security
NIST CSF. Protect function

Implementation Type: Physical + Administrative Evidence Needed:

Datacenter security (managed by Cloudflare/GitHub)
Endpoint security (full disk encryption, screen locks)
Remote work security policies
Environmental controls (power, HVAC) - cloud provider responsibility

Priority: Medium Current Status: ✅ Implemented - Cloudflare/GitHub datacenter security, endpoint controls

UC-056: Network Security and Segmentation

Domain: Security Description: Implement network security controls including firewalls, network segmentation, intrusion detection, and DDoS protection.

Standards Coverage:

ISO 27001:2022 A.8.20. Networks security
ISO 27001:2022 A.8.22. Segregation of networks
CSA CCM IVS-01. Network security
NIST CSF. Protect function

Implementation Type: Technical Evidence Needed:

Network architecture diagrams
Firewall rules and policies
Network segmentation (production vs. development)
Intrusion detection/prevention systems
DDoS protection (Cloudflare)

Priority: High Current Status: ✅ Implemented - Cloudflare DDoS protection, WAF, environment segregation

UC-057: Endpoint Security

Domain: Security Description: Secure endpoint devices (workstations, laptops, mobile) with antivirus, full disk encryption, secure configuration, and patch management.

Standards Coverage:

ISO 27001:2022 A.8.1. User endpoint devices
CSA CCM UEM-01. Universal endpoint management
NIST CSF. Protect function

Implementation Type: Technical + Administrative Evidence Needed:

Endpoint security policy (acceptable use)
Full disk encryption enforcement
Antivirus/anti-malware (OS-level)
Patch management
Mobile device management (if applicable)

Priority: High Current Status: ✅ Implemented - Full disk encryption required, OS security features

UC-058: Secure Authentication and Password Management

Domain: Security Description: Implement strong authentication mechanisms with password complexity requirements, password managers, and secure credential storage.

Standards Coverage:

ISO 27001:2022 A.8.2. Secure authentication
NIST 800-63-3 AAL1/2/3. Authenticator assurance levels
CSA CCM IAM-03. Password management

Implementation Type: Technical + Administrative Evidence Needed:

Password policy (complexity, length, rotation)
Password manager enforcement (1Password, Bitwarden)
Secure credential storage (never in code/logs)
API authentication mechanisms (HMAC)

Priority: Critical Current Status: ✅ Implemented - Password managers required, MFA, HMAC API auth

UC-059: Privileged Access Management

Domain: Security Description: Restrict and monitor privileged access. Implement just-in-time elevation, privileged session monitoring, and regular reviews.

Standards Coverage:

ISO 27001:2022 A.8.2. Privileged access rights
CSA CCM IAM-04. Privileged access management
NIST CSF. Protect function

Implementation Type: Technical + Administrative Evidence Needed:

Privileged access policy
List of privileged accounts
Privileged access logs
Regular privileged access reviews
Separation of duties for privileged operations

Priority: Critical Current Status: ✅ Implemented - Limited admin access, audit logging

UC-060: Security Awareness and Training

Domain: Security Description: Provide security awareness training to all personnel covering phishing, social engineering, acceptable use, and incident reporting.

Standards Coverage:

ISO 27001:2022 A.6.3. Information security awareness
CSA CCM HRS-08. Security awareness training
NIST CSF. Protect function

Implementation Type: Administrative Evidence Needed:

Security awareness training program
Training completion records
Training content and materials
Annual refresher training

Priority: High Current Status: ✅ Implemented - Security Awareness Program

UC-061: Malware Protection

Domain: Security Description: Implement anti-malware protection on endpoints. Use application whitelisting, sandboxing, and behavioural analysis where feasible.

Standards Coverage:

ISO 27001:2022 A.8.7. Protection against malware
CSA CCM TVM-02. Malware protection
NIST CSF. Detect function

Implementation Type: Technical Evidence Needed:

Anti-malware software (OS-level: Windows Defender, macOS XProtect)
Malware scanning logs
Email filtering (for email-borne malware)
Download restrictions
Serverless architecture (no persistent malware)

Priority: High Current Status: ✅ Implemented - OS-level protection, serverless architecture

UC-062: Backup and Recovery

Domain: Security Description: Implement regular backups of critical data and systems. Test backup restoration procedures. Protect backups from ransomware.

Standards Coverage:

ISO 27001:2022 A.8.13. Information backup
CSA CCM BCR-02. Backup and recovery
NIST CSF. Recover function

Implementation Type: Technical + Administrative Evidence Needed:

Backup policy and schedule
Backup storage locations
Backup testing records
Immutable backups (ransomware protection)
Recovery procedures

Priority: Critical Current Status: ✅ IMPLEMENTED (January 2025) - provii-backup with automated hourly/daily/weekly backups

Implementation Evidence:

/trust/evidence/business-continuity/provii-backup-evidence.md
provii-backup/ (technical implementation)
Automated cron-triggered backups: hourly full, daily full, weekly complete
Coverage: 30 KV namespaces, 9 Durable Objects, 2 R2 buckets
Encryption: AES-256-GCM, Compression: 70-80% reduction
RPO: <1 hour, RTO: <4 hours (tested)
Cost: <$0.01/month
Closes GAP-H006

UC-063: Security of Development and Test Environments

Domain: Security Description: Separate and secure development, testing, and production environments. Prohibit use of production data in non-production environments.

Standards Coverage:

ISO 27001:2022 A.8.31. Separation of development, test and production environments
ISO 27001:2022 A.8.33. Test information
CSA CCM AIS-03. Secure development environment

Implementation Type: Technical + Administrative Evidence Needed:

Environment separation (wrangler dev vs. production)
No production secrets in development
Synthetic test data generation
Environment access controls

Priority: High Current Status: ✅ Implemented - Separated environments, synthetic test data

UC-064: Capacity Management and Availability

Domain: Security Description: Monitor resource usage and capacity. Plan for future capacity needs. Implement redundancy and auto-scaling for availability.

Standards Coverage:

ISO 27001:2022 A.8.6. Capacity management
ISO 27001:2022 A.8.14. Redundancy of information processing facilities
CSA CCM BCR-03. Availability and capacity
NIST CSF. Protect function

Implementation Type: Technical Evidence Needed:

Capacity monitoring dashboards
Auto-scaling configuration (Cloudflare Workers)
Redundancy architecture (300+ PoPs)
Availability SLAs (99.9%+)
Capacity planning reviews

Priority: High Current Status: ✅ Implemented - Cloudflare auto-scaling, global distribution

UC-065: Clock Synchronization

Domain: Security Description: Synchronize system clocks to authoritative time sources (NTP) for accurate timestamps in logs, certificates, and cryptographic operations.

Standards Coverage:

ISO 27001:2022 A.8.17. Clock synchronisation
CSA CCM LOG-02. Time synchronization
NIST CSF. Detect function

Implementation Type: Technical Evidence Needed:

NTP configuration
Time synchronization logs
Accurate timestamps in audit logs

Priority: Medium Current Status: ✅ Implemented - Cloudflare/OS automatic NTP

UC-066: Secure Disposal and Sanitization

Domain: Security Description: Securely dispose of or sanitize storage media and equipment containing sensitive data before disposal or reuse.

Standards Coverage:

ISO 27001:2022 A.7.14. Secure disposal or re-use of equipment
ISO 27001:2022 A.8.10. Information deletion
CSA CCM DSP-10. Data disposal

Implementation Type: Technical + Administrative Evidence Needed:

Disposal procedures (cryptographic erasure, physical destruction)
Full disk encryption (makes disposal easier)
Disposal logs and certificates
Asset decommissioning process

Priority: Medium Current Status: ✅ Implemented - Data Retention, cryptographic erasure

UC-067: Information Leakage Prevention

Domain: Security Description: Prevent information leakage through logs, error messages, screen displays, network traffic, and other channels.

Standards Coverage:

ISO 27001:2022 A.8.12. Data leakage prevention
ISO 27001:2022 A.8.12. Data leakage prevention
CSA CCM DLP-01. Data loss prevention

Implementation Type: Technical Evidence Needed:

No secrets in logs or error messages
Screen lock policies
No PII in logs
TLS for all communications
Code scanning for secret leakage

Priority: High Current Status: ✅ Implemented - No secrets in logs/code, TLS everywhere

UC-068: Segregation of Duties

Domain: Security Description: Separate conflicting duties to reduce risk of unauthorized or fraudulent activity. Require multiple approvals for critical operations.

Standards Coverage:

ISO 27001:2022 A.5.3. Segregation of duties
CSA CCM IAM-05. Segregation of duties
SOC 2. Separation of duties control

Implementation Type: Administrative Evidence Needed:

Segregation of duties matrix
Code review requirements (no self-merge)
Multiple approvals for privileged operations
Compensating controls for small teams

Priority: Medium Current Status: 🔄 Partially Implemented - Code review enforced, small team limits full segregation

UC-069: Security Metrics and Reporting

Domain: Security Description: Define and track security metrics. Report security posture to management and stakeholders. Dashboard key security indicators.

Standards Coverage:

ISO 27001:2022 Clause 9. Performance evaluation
CSA CCM GRC-06. Security metrics
NIST CSF. Identify and measure

Implementation Type: Administrative Evidence Needed:

Security metrics dashboard
KPIs (vulnerability remediation time, incident response time, etc.)
Management security reports
Trend analysis

Priority: Medium Current Status: 🔄 Deferred. Security metrics tracked via GitHub and Cloudflare; formal dashboard may be consolidated as operational maturity grows

UC-070: Security Contact and Disclosure

Domain: Security Description: Publish security contact information (security@) and establish vulnerability disclosure program for researchers.

Standards Coverage:

ISO 27001:2022 A.5.5. Contact with authorities
ISO 27001:2022 A.6.8. Information security event reporting
CSA CCM SEF-05. Vulnerability disclosure

Implementation Type: Administrative Evidence Needed:

security@maelstrom.au published
Vulnerability disclosure policy
Security researcher coordination
Response SLAs for security reports

Priority: High Current Status: ✅ Implemented - security@maelstrom.au, responsible disclosure

Cryptographic Controls

UC-071: Cryptographic Policy and Standards

Domain: Cryptography Description: Establish cryptographic policy defining approved algorithms, key lengths, use cases, and prohibiting weak cryptography.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
ISO 27701:2019. Cryptography for privacy protection
NIST 800-63-3. Cryptographic requirements
CSA CCM EKM-03. Cryptographic standards

Implementation Type: Administrative + Technical Evidence Needed:

Cryptography policy document
Approved algorithm list (Groth16, RedJubjub, BLAKE2, SHA256, TLS 1.3)
Prohibited algorithms (MD5, SHA1, DES, RC4)
Cryptographic libraries and versions

Priority: Critical Current Status: ✅ Implemented - Cryptography Policy

UC-072: Cryptographic Key Management

Domain: Cryptography Description: Implement secure key lifecycle management including generation, distribution, storage, rotation, and destruction.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
NIST 800-63-3. Key management requirements
CSA CCM EKM-04. Key management lifecycle
GDPR Article 32. Encryption key protection

Implementation Type: Technical + Administrative Evidence Needed:

Key management policy
Key generation ceremonies
Secure key storage (Cloudflare KV secrets)
Key rotation procedures
Key destruction procedures

Priority: Critical Current Status: ✅ Implemented - Signing keys in Cloudflare KV, rotation procedures defined

UC-073: Zero knowledge Proof Implementation

Domain: Cryptography Description: Implement zero knowledge proof system (zk-SNARKs) securely with proper trusted setup, circuit design, and proof verification.

Standards Coverage:

ISO 27566-1. Privacy-preserving age verification technologies
Privacy by Design Principle 3. Privacy embedded into design
NIST. Emerging cryptography guidance
Academic Standards. ZKP security best practices

Implementation Type: Technical Evidence Needed:

zk-SNARK implementation documentation (Groth16, BLS12-381)
Circuit design and audit
Proof verification implementation

Priority: Critical Current Status: ✅ Implemented - provii-crypto using Groth16, circuit design documented

UC-074: Digital Signature Implementation

Domain: Cryptography Description: Implement digital signatures for authenticity and integrity. Use approved signature schemes with proper key protection.

Standards Coverage:

NIST 800-63-3. Digital signature requirements
ISO 27001:2022 A.8.24. Use of cryptography
CSA CCM EKM-05. Digital signatures

Implementation Type: Technical Evidence Needed:

Signature scheme documentation (RedJubjub)
Signing key protection
Signature verification implementation
Signature use cases (credential issuance, API authentication)

Priority: Critical Current Status: ✅ Implemented - RedJubjub signatures for credentials

UC-075: Cryptographic Hash Functions

Domain: Cryptography Description: Use cryptographically secure hash functions for integrity, commitments, and proofs. Prohibit weak hash functions.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
NIST. Hash function standards (FIPS 180-4, FIPS 202)
CSA CCM EKM-06. Cryptographic hash functions

Implementation Type: Technical Evidence Needed:

Hash function usage documentation (BLAKE2s, SHA256)
Prohibited hash functions (MD5, SHA1)
Hash function use cases (Pedersen commitments, nullifiers)

Priority: High Current Status: ✅ Implemented - BLAKE2s, SHA256 only

UC-076: Trusted Setup Security

Domain: Cryptography Description: For zk-SNARKs requiring trusted setup (Groth16), conduct secure multi-party computation ceremony with participants destruction of toxic waste.

Standards Coverage:

Academic ZKP Standards. Trusted setup best practices
ISO 27566-1. Security of age assurance cryptography
Privacy by Design. Transparency in cryptographic setup

Implementation Type: Technical + Administrative Evidence Needed:

Trusted setup ceremony documentation
Participant list and attestations
Toxic waste destruction confirmations
Public verification parameters
Ceremony transcript

Priority: Critical Current Status: ❌ Not Applicable. Using development parameters; formal multi-party trusted setup not planned

UC-077: Cryptographic Commitment Schemes

Domain: Cryptography Description: Implement secure commitment schemes (Pedersen commitments) for privacy-preserving proofs with hiding and binding properties.

Standards Coverage:

ISO 27566-1. Privacy-preserving technologies
Academic Standards. Commitment scheme security
Privacy by Design Principle 3. Privacy embedded into design

Implementation Type: Technical Evidence Needed:

Commitment scheme implementation (Pedersen on Jubjub curve)
Cryptographic parameters
Hiding and binding property verification
Use cases (age commitment in credentials)

Priority: Critical Current Status: ✅ Implemented - Pedersen commitments in provii-crypto

UC-078: Randomness Generation

Domain: Cryptography Description: Use cryptographically secure random number generators (CSPRNGs) for keys, nonces, challenges, and other cryptographic randomness.

Standards Coverage:

NIST 800-63-3. Randomness requirements
ISO 27001:2022 A.8.24. Use of cryptography
FIPS 140-2. Random number generation

Implementation Type: Technical Evidence Needed:

CSPRNG usage (OS-provided: /dev/urandom, CryptoAPI)
Randomness sources
Entropy pool management
No predictable randomness

Priority: Critical Current Status: ✅ Implemented - OS CSPRNGs, rand_chacha

UC-079: Nullifier Mechanism Security

Domain: Cryptography Description: Implement secure nullifier mechanism to prevent credential replay while maintaining unlinkability.

Standards Coverage:

ISO 27566-1. Replay prevention in age assurance
Privacy by Design Principle 2. Unlinkability
Academic Standards. Double-spending prevention

Implementation Type: Technical Evidence Needed:

Nullifier derivation implementation
Nullifier storage and checking
Unlinkability analysis
Replay prevention testing

Priority: Critical Current Status: ✅ Implemented - Nullifiers prevent replay without linking users

UC-080: Cryptographic Protocol Security

Domain: Cryptography Description: Design and implement cryptographic protocols securely with proper message ordering, replay protection, and challenge-response mechanisms.

Standards Coverage:

ISO 27566-1. Age verification protocol security
NIST 800-63-3. Authentication protocol requirements
Academic Standards. Protocol design best practices

Implementation Type: Technical Evidence Needed:

Protocol specification documents
Message flow diagrams
Security analysis (resistance to replay, MITM, etc.)
Challenge-response implementation
Protocol testing

Priority: Critical Current Status: ✅ Implemented - Challenge-response for verifications, nonce-based replay protection

UC-081: Post-Quantum Cryptography Preparedness

Domain: Cryptography Description: Monitor post-quantum cryptography developments. Plan migration path for quantum-resistant algorithms when standards mature.

Standards Coverage:

NIST. Post-quantum cryptography standardisation
ISO. Emerging post-quantum standards
CSA CCM. Quantum-safe cryptography

Implementation Type: Administrative Evidence Needed:

PQC roadmap and timeline
Cryptographic agility in design
Monitoring of NIST PQC standards
Migration plan for quantum threat

Priority: Low Current Status: 🔄 Monitoring. Tracking NIST PQC standards; cryptographic agility designed in; no implementation timeline

UC-082: Cryptographic Audit and Review

Domain: Cryptography Description: Undergo third-party cryptographic audits by qualified experts. Publicly disclose audit results and remediation.

Standards Coverage:

Privacy by Design Principle 6. Transparency through independent verification
ISO 27566-1. Cryptographic assurance
Academic Standards. Peer review of cryptography

Implementation Type: Administrative Evidence Needed:

Cryptographic audit reports
Auditor qualifications
Public disclosure of audit findings
Remediation of identified issues
Regular re-audits

Priority: High Current Status: 🔄 Deferred. Will pursue when commercially viable (estimated $50k-$150k)

Age Verification Controls

UC-083: Age Threshold Proof Without Date of Birth Disclosure

Domain: Age Verification Description: Prove user meets age threshold (age >= 18, 21, etc.) without revealing actual date of birth or age.

Standards Coverage:

ISO 27566-1. Age verification without PII disclosure
Privacy by Design Principle 2. Data minimization
UK Children’s Code. Minimal data collection
GDPR Article 5(1)(c). Data minimization

Implementation Type: Technical Evidence Needed:

Zero knowledge proof implementation for age thresholds
Proof verification showing only threshold result
No DOB stored on servers
Client-side proof generation

Priority: Critical Current Status: ✅ Implemented - zk-SNARK proves age >= threshold, DOB never transmitted during verification

UC-084: Age Assurance Accuracy and Reliability

Domain: Age Verification Description: Implement age verification with sufficient accuracy and reliability appropriate to risk of harm. Document accuracy metrics.

Standards Coverage:

ISO 27566-1. Effectiveness of age assurance
UK Children’s Code Standard 3. Age-appropriate application with risk-based approach
COPPA. Verifiable parental consent mechanisms

Implementation Type: Technical + Administrative Evidence Needed:

Accuracy metrics (false positive/negative rates)
Reliability testing results
Risk-based accuracy requirements by use case
Issuer trust model and verification

Priority: Critical Current Status: ✅ Implemented - Issuer-based model (banks, government, in-person verification)

UC-085: Trusted Issuer Network

Domain: Age Verification Description: Establish and maintain network of trusted credential issuers with verified identity proofing capabilities.

Standards Coverage:

ISO 27566-1. Trust framework for age assurance
NIST 800-63-3 IAL2/IAL3. Identity proofing requirements
UK Children’s Code. Reliable age verification

Implementation Type: Administrative + Technical Evidence Needed:

Issuer onboarding criteria
Issuer trust framework
Issuer verification key registry (JWKS)
Issuer security assessments
Issuer audit requirements

Priority: Critical Current Status: 🔄 Partially Implemented - Initial issuer partnerships, formal trust framework in development

UC-086: Credential Issuance Security

Domain: Age Verification Description: Secure credential issuance process with strong identity proofing, fraud prevention, and secure credential delivery.

Standards Coverage:

ISO 27566-1. Credential issuance security
NIST 800-63-3 IAL2. Identity evidence collection and verification
W3C Verifiable Credentials. Credential issuance best practices

Implementation Type: Technical Evidence Needed:

Identity proofing procedures (issuer-side)
Fraud detection mechanisms
Encrypted credential delivery
Credential format and structure
Revocation mechanisms

Priority: Critical Current Status: ✅ Implemented - Issuer service with encrypted credentials

UC-087: Credential Revocation and Lifecycle

Domain: Age Verification Description: Implement credential lifecycle management including expiration, renewal, and revocation. Publish revocation lists.

Standards Coverage:

ISO 27566-1. Credential lifecycle management
W3C Verifiable Credentials. Revocation methods
NIST 800-63-3. Authenticator lifecycle

Implementation Type: Technical Evidence Needed:

Credential expiration logic (validity periods)
Revocation list publication
Renewal procedures
User notification of expiration
Privacy-preserving revocation checks

Priority: High Current Status: ⚠️ Partial - Credentials have expiration dates; key revocation via Active→Deprecated→Disabled status transitions in KV (no CRL/revocation list)

UC-088: Replay Prevention (Nullifiers)

Domain: Age Verification Description: Prevent reuse of proofs across different verifications while maintaining user unlinkability.

Standards Coverage:

ISO 27566-1. Replay prevention in age verification
Privacy by Design Principle 2. Unlinkability
Academic Standards. Double-spending prevention in anonymous credentials

Implementation Type: Technical Evidence Needed:

Nullifier implementation
Nullifier database and checking
Unlinkability analysis
Replay attack testing

Priority: Critical Current Status: ✅ Implemented - Nullifiers prevent replay without user linking

UC-089: Age-Appropriate Design

Domain: Age Verification Description: Design services with age-appropriate defaults, content, features, and privacy settings for different age groups.

Standards Coverage:

UK Children’s Code Standard 3. Age-appropriate application
ISO 27566-1. Age-specific protections
COPPA. Child-directed service requirements

Implementation Type: Technical + Administrative Evidence Needed:

Age-group segmentation (under 13, 13-15, 16-17, 18+)
Age-appropriate privacy defaults
Content filtering by age
Feature restrictions by age
Age-appropriate UI/UX

Priority: High Current Status: ✅ Implemented - Age thresholds enforced, websites choose appropriate threshold

Domain: Age Verification Description: For children under 13 (COPPA) or 16 (GDPR), obtain verifiable parental consent before processing personal data.

Standards Coverage:

COPPA. Parental consent for children under 13
GDPR Article 8. Parental consent for children under 16 (or member state age)
UK Children’s Code. Parental involvement where appropriate
COPPA Safe Harbor. Parental consent mechanisms

Implementation Type: Technical + Administrative Evidence Needed:

Parental consent flow implementation
Parent identity verification
Consent record keeping
Consent withdrawal mechanisms
Age-gating for services requiring parental consent

Priority: High Current Status: ✅ Implemented. Parental consent inherent in in-person issuance process (parent present with officer); no digital consent flow required

UC-091: Age Re-verification and Challenge Mechanisms

Domain: Age Verification Description: Implement risk-based re-verification when user behaviour suggests age misrepresentation. Support challenge mechanisms.

Standards Coverage:

ISO 27566-1. Ongoing age assurance
UK Children’s Code Standard 3. Effective age verification
COPPA. Age screening mechanisms

Implementation Type: Technical Evidence Needed:

Re-verification triggers (behavioural signals)
Challenge issuance and response
User notification of re-verification
Privacy-preserving challenge mechanisms

Priority: Medium Current Status: ❌ Not Applicable. Credentials valid until revoked; no behavioural re-verification planned

UC-092: Age Verification Audit Logging

Domain: Age Verification Description: Log age verification events (without PII) for compliance, fraud detection, and analytics.

Standards Coverage:

ISO 27566-1. Age verification logging and auditing
GDPR Article 30. Records of processing
ISO 27001:2022 A.8.15. Logging

Implementation Type: Technical Evidence Needed:

Verification attempt logs (timestamp, threshold, result, issuer)
No PII in logs (pseudonymous identifiers)
Fraud pattern detection
Compliance reporting
Log retention and protection

Priority: High Current Status: ✅ Implemented - Verification logs in KV, no PII

UC-093: Age Verification Transparency

Domain: Age Verification Description: Transparently communicate age verification mechanisms, data processing, and user rights to users and parents.

Standards Coverage:

ISO 27566-1. Transparency of age assurance
UK Children’s Code Standard 4. Transparency for children
GDPR Articles 12-14. Transparency requirements
COPPA. Parental notice requirements

Implementation Type: Administrative Evidence Needed:

Age verification explanation in privacy policy
Age-appropriate transparency notices
Disclosure of verification methods
User education materials
Parent information pages

Priority: High Current Status: 🔄 Partially Implemented - Documentation exists, age-appropriate version needed

UC-094: Age Verification Accessibility

Domain: Age Verification Description: Ensure age verification methods are accessible to users with disabilities and diverse populations.

Standards Coverage:

ISO 27566-1. Accessibility of age assurance
WCAG 2.1. Web accessibility guidelines
UN Convention on Rights of Persons with Disabilities. Digital accessibility

Implementation Type: Technical Evidence Needed:

Accessibility testing (WCAG AA compliance)
Multiple verification methods (document, biometric, vouching)
Screen reader compatibility
Alternative text and descriptions
Keyboard navigation

Priority: Medium Current Status: 🔄 Partially Implemented - Multiple verification methods, WCAG audit needed

UC-095: Age Verification Interoperability

Domain: Age Verification Description: Support interoperable age verification standards enabling credentials to work across multiple services and platforms.

Standards Coverage:

ISO 27566-1. Interoperability of age assurance systems
W3C Verifiable Credentials. Standard data model
OpenID for Verifiable Credentials. Credential exchange protocol
euCONSENT. European age verification interoperability

Implementation Type: Technical Evidence Needed:

Standards compliance (W3C VC, OpenID)
Credential portability across services
Interoperability testing
Open source implementation
Published API specifications

Priority: High Current Status: ✅ Implemented - W3C VC compatible, open source

UC-096: Age Estimation vs. Age Verification

Domain: Age Verification Description: Distinguish between age estimation (approximate age) and age verification (cryptographically proven age threshold). Use appropriate method for risk level.

Standards Coverage:

ISO 27566-1. Defines age verification, age estimation, age inference
UK Online Safety Act. Risk-based age assurance
ISO 27566-1. Match assurance level to risk

Implementation Type: Administrative + Technical Evidence Needed:

Age assurance method classification
Risk assessment for age assurance requirements
Documentation of verification vs. estimation
Appropriate method selection by use case

Priority: Medium Current Status: ✅ Implemented - Cryptographic age verification (highest assurance)

UC-097: Age Verification Privacy Impact Assessment

Domain: Age Verification Description: Conduct privacy impact assessment specifically for age verification mechanisms, especially when processing children’s data.

Standards Coverage:

ISO 27566-1. Privacy risk assessment for age assurance
UK Children’s Code Standard 2. DPIA for children’s services
GDPR Article 35. DPIA for high-risk processing

Implementation Type: Administrative Evidence Needed:

Age verification DPIA document
Privacy risks identified and mitigated
Alternatives analysis
Necessity and proportionality assessment
Regular DPIA reviews

Priority: High Current Status: ✅ Implemented - See Data Protection Impact Assessment (covers age verification processing)

UC-098: Age Verification User Experience

Domain: Age Verification Description: Design age verification with minimal friction, clear instructions, and respectful user experience. Avoid stigmatization.

Standards Coverage:

ISO 27566-1. Usability of age assurance
UK Children’s Code Standard 4. Clear and accessible information
Privacy by Design Principle 4. Positive-sum, not zero-sum

Implementation Type: Technical Evidence Needed:

User experience testing
Verification completion rates
User feedback and satisfaction
Time to verify metrics
Error messaging and support

Priority: Medium Current Status: ✅ Implemented - Wallet-based UX, one-tap verification

UC-099: Age Verification Fraud Detection

Domain: Age Verification Description: Implement fraud detection mechanisms to identify and prevent age verification circumvention, fake credentials, and abuse.

Standards Coverage:

ISO 27566-1. Security of age assurance against attacks
COPPA. Fraud prevention in age screening
NIST 800-63-3. Fraud detection in identity proofing

Implementation Type: Technical + Administrative Evidence Needed:

Fraud detection algorithms
Anomaly detection (unusual patterns)
Credential validation and cryptographic checks
Issuer reputation monitoring
Fraud incident response

Priority: High Current Status: ✅ Implemented - Cryptographic proof validation, nullifier checking

UC-100: Age Verification Data Minimization

Domain: Age Verification Description: Minimise data collected and retained for age verification. Use privacy-preserving techniques to avoid unnecessary personal data exposure.

Standards Coverage:

ISO 27566-1. Data minimization in age assurance
GDPR Article 5(1)(c). Data minimization
Privacy by Design Principle 2. Privacy as default
UK Children’s Code Standard 8. Data minimization

Implementation Type: Technical Evidence Needed:

Zero knowledge proof architecture
No DOB stored on servers
Minimal credential data elements
Privacy policy documenting minimization
Data flow diagrams

Priority: Critical Current Status: ✅ Implemented - Zero knowledge architecture, no PII on servers

Data Lifecycle Controls

UC-101: Data Collection Limitation

Domain: Data Lifecycle Description: Collect personal data only when necessary, with user awareness and consent. Provide opt-in mechanisms where appropriate.

Standards Coverage:

GDPR Article 5(1)(c). Data minimization
ISO 27701:2019 Annex A 7.2.1. Lawful and fair collection
APP 3 (Australia): Collection must be reasonably necessary
CCPA. Collection must be disclosed in privacy policy

Implementation Type: Administrative + Technical Evidence Needed:

Data collection inventory
Necessity justification for each data element
Opt-in mechanisms for optional data
Privacy policy disclosure

Priority: Critical Current Status: ✅ Implemented - Only IP addresses collected (90 days; critical security event logs retained for up to 365 days)

UC-102: Data Retention Policies

Domain: Data Lifecycle Description: Define retention periods for each data category based on legal, business, and privacy requirements. Enforce through automated deletion.

Standards Coverage:

GDPR Article 5(1)(e). Storage limitation
ISO 27701:2019 Annex A 7.3.1. Retention and disposal
APP 11 (Australia): Destroy or de-identify when no longer needed
ISO 27001:2022 A.8.10. Information deletion

Implementation Type: Administrative + Technical Evidence Needed:

Data retention schedule by data type
Automated deletion scripts
Retention enforcement monitoring
Legal hold procedures
Retention policy documentation

Priority: Critical Current Status: ✅ Implemented - Data Retention Policy

UC-103: Automated Data Deletion

Domain: Data Lifecycle Description: Implement automated processes to delete data when retention periods expire. Verify deletion completeness.

Standards Coverage:

GDPR Article 17. Right to erasure
ISO 27001:2022 A.8.10. Information deletion
APP 11 (Australia): Destruction requirements
CCPA. Data deletion upon request

Implementation Type: Technical Evidence Needed:

Automated deletion scripts (cron jobs, scheduled workers)
Deletion logs and audit trails
Verification of deletion completeness
Backup deletion procedures

Priority: High Current Status: ✅ Implemented - Automated log rotation, ephemeral state expiration

UC-104: Data Anonymization and Pseudonymization

Domain: Data Lifecycle Description: Anonymize or pseudonymize personal data where possible to reduce privacy risks while enabling analytics and processing.

Standards Coverage:

GDPR Article 25. Pseudonymisation as privacy measure
ISO 27701:2019 Annex A 7.2.6. Minimising PII through pseudonymisation
Privacy by Design Principle 2. Privacy as default

Implementation Type: Technical Evidence Needed:

Anonymization/pseudonymization techniques
Identifier replacement (random IDs instead of user IDs)
Re-identification risk assessment
Analytics on anonymized data

Priority: High Current Status: ✅ Implemented - Random verification IDs, no user tracking

UC-105: Data Portability

Domain: Data Lifecycle Description: Provide data portability allowing users to export their data in structured, commonly-used, machine-readable format.

Standards Coverage:

GDPR Article 20. Right to data portability
ISO 27701:2019 Annex A 7.3.5. Providing access and portability
CCPA. Right to know and obtain copy of personal information

Implementation Type: Technical Evidence Needed:

Data export functionality
Structured data format (JSON, CSV, etc.)
Export includes all user data
Machine-readable format
User authentication for exports

Priority: High Current Status: ✅ Implemented. Users hold credential data in wallet app; no server-side personal data requiring export

UC-106: Data Integrity and Validation

Domain: Data Lifecycle Description: Ensure data integrity through validation, checksums, and integrity monitoring. Detect unauthorized modifications.

Standards Coverage:

ISO 27001:2022 A.8.15. Logging
GDPR Article 5(1)(f). Integrity and confidentiality
APP 10 (Australia): Data quality requirements
CSA CCM DSP-11. Data integrity

Implementation Type: Technical Evidence Needed:

Input validation
Data integrity checks (cryptographic hashes, signatures)
Immutable audit logs
Integrity monitoring and alerting

Priority: High Current Status: ✅ Implemented - Cryptographic signatures, append-only logs

UC-107: Data Classification and Labeling

Domain: Data Lifecycle Description: Classify data according to sensitivity and apply appropriate handling, access, and retention controls.

Standards Coverage:

ISO 27001:2022 A.5.8. Information classification
CSA CCM DSP-12. Data classification
GDPR. Implicit through special categories (Article 9)

Implementation Type: Administrative Evidence Needed:

Data classification scheme (Public, Internal, Confidential, Restricted)
Classification labels on documents and systems
Handling procedures by classification
Training on classification

Priority: High Current Status: ✅ Implemented - Classification scheme in ISMS

UC-108: Data Discovery and Inventory

Domain: Data Lifecycle Description: Maintain inventory of personal data including location, type, sensitivity, purpose, and access.

Standards Coverage:

GDPR Article 30. Records of processing activities
ISO 27701:2019. Data inventory requirements
APP 1 (Australia): Understanding data flows

Implementation Type: Administrative Evidence Needed:

Data inventory document
Data flow diagrams
Data location map (which systems hold what data)
Data type catalog
Regular inventory updates

Priority: High Current Status: ✅ Implemented. Data flows documented in Architecture docs and ROPA; minimal personal data processing

UC-109: Ephemeral Data Handling

Domain: Data Lifecycle Description: Use ephemeral data (short-lived, auto-expiring) for temporary operations like challenges, nonces, and session tokens.

Standards Coverage:

GDPR Article 5(1)(e). Storage limitation
Privacy by Design Principle 5. End-to-end lifecycle protection
ISO 27566-1. Minimal data retention in age verification

Implementation Type: Technical Evidence Needed:

Ephemeral data types (challenges, nonces, tokens)
Auto-expiration mechanisms (TTL in KV)
No persistent storage of temporary data
Immediate deletion after use

Priority: High Current Status: ✅ Implemented - Challenges auto-expire, nonces single-use

UC-110: Data Transfer Security

Domain: Data Lifecycle Description: Secure data transfers between systems, organisations, and jurisdictions using encryption and integrity protection.

Standards Coverage:

ISO 27001:2022 A.8.10. Information transfer
GDPR Article 32. Security of processing including transfer
CSA CCM DSP-07. Cross-border transfers

Implementation Type: Technical Evidence Needed:

TLS 1.3 for all transfers
Encrypted backups
Secure API authentication (HMAC)
Transfer logs
Data processing agreements

Priority: Critical Current Status: ✅ Implemented - TLS 1.3, encrypted transfers

UC-111: Data Access Logging

Domain: Data Lifecycle Description: Log all access to personal data including who accessed, when, what data, and purpose. Protect logs from tampering.

Standards Coverage:

ISO 27001:2022 A.8.15. Logging
GDPR Article 30. Records of processing
ISO 27701:2019 Annex B 8.4.7. Logging PII access
APP 1 (Australia): Accountability through logging

Implementation Type: Technical Evidence Needed:

Access logs (KV access, API calls)
Log retention (1 year minimum for GDPR)
Log protection (append-only, access-controlled)
Log review procedures
Anomaly detection

Priority: High Current Status: ✅ Implemented - KV audit logs, Cloudflare Workers Logs (Grafana Loki)

UC-112: Data Breach Detection

Domain: Data Lifecycle Description: Implement mechanisms to detect unauthorized access, exfiltration, or modification of personal data.

Standards Coverage:

GDPR Article 33. Breach notification (must detect within 72 hours)
ISO 27001:2022 A.5.12. Incident management
CCPA. Breach detection and notification
CSA CCM SEF-01. Security incident detection

Implementation Type: Technical Evidence Needed:

Intrusion detection systems
Anomaly detection in access logs
Data exfiltration monitoring
Alerting on suspicious activity
Security information and event management (SIEM)

Priority: Critical Current Status: 🔄 Partially Implemented. Cloudflare security monitoring; formal SIEM may be evaluated as operational scale increases

UC-113: Data Subject Access Request (DSAR) Handling

Domain: Data Lifecycle Description: Provide process for users to request access to their personal data. Respond within regulatory timelines (30 days GDPR, 45 days CCPA).

Standards Coverage:

GDPR Article 15. Right of access by data subject
ISO 27701:2019 Annex A 7.3.5. Providing access to PII
CCPA. Right to know
APP 12 (Australia): Access rights

Implementation Type: Administrative + Technical Evidence Needed:

DSAR request form or API
Identity verification for requests
Request tracking system
Response templates
SLA compliance metrics (30-day response)

Priority: High Current Status: ✅ Implemented. DSARs handled via security@maelstrom.au; manual process appropriate for current scale

UC-114: Data Rectification Process

Domain: Data Lifecycle Description: Enable users to correct inaccurate or incomplete personal data. Update downstream systems promptly.

Standards Coverage:

GDPR Article 16. Right to rectification
ISO 27701:2019 Annex A 7.3.6. Correcting PII
CCPA. Right to correct inaccurate information
APP 13 (Australia): Correction rights

Implementation Type: Technical + Administrative Evidence Needed:

Data correction interface or API
Verification of correction requests
Update propagation to all systems
Correction logs
Notification to third parties (if data was disclosed)

Priority: Medium Current Status: ✅ Implemented - Users control wallet data, can update credentials

UC-115: Data Erasure (Right to Be Forgotten)

Domain: Data Lifecycle Description: Provide mechanism for users to request deletion of their personal data. Verify complete erasure across all systems.

Standards Coverage:

GDPR Article 17. Right to erasure (right to be forgotten)
ISO 27701:2019 Annex A 7.3.5. Erasure capabilities
CCPA. Right to delete
APP 12 (Australia): Access and deletion

Implementation Type: Technical + Administrative Evidence Needed:

Data deletion request process
Complete deletion across all systems (production, backups, logs)
Deletion verification and confirmation to user
Exceptions handling (legal obligations)
Deletion logs

Priority: High Current Status: ✅ Implemented. Minimal server-side PII (commitments only); erasure requests handled via email

UC-116: Data Restriction and Objection

Domain: Data Lifecycle Description: Allow users to restrict processing of their data or object to specific uses (e.g., direct marketing, profiling).

Standards Coverage:

GDPR Article 18. Right to restriction of processing
GDPR Article 21. Right to object
ISO 27701:2019 Annex A 7.3.7. Objection to processing
APP 7 (Australia): Direct marketing opt-out

Implementation Type: Technical + Administrative Evidence Needed:

Processing restriction flags in systems
Objection handling procedures
Marketing suppression lists
Preference management interface
Restriction logs

Priority: Medium Current Status: ❌ Not Applicable. No direct marketing, profiling, or consent-dependent processing

UC-117: Data Accuracy Monitoring

Domain: Data Lifecycle Description: Regularly review and update personal data for accuracy. Implement validation at collection and update points.

Standards Coverage:

GDPR Article 5(1)(d). Accuracy principle
APP 10 (Australia): Data quality
ISO 27701:2019. Ensuring PII accuracy

Implementation Type: Technical + Administrative Evidence Needed:

Input validation rules
Data quality monitoring
Periodic data quality audits
User notification of stale data
Update prompts

Priority: Medium Current Status: ✅ Implemented - Date of birth validated at entry, credential expiration prompts update

UC-118: Data De-identification

Domain: Data Lifecycle Description: De-identify personal data for analytics, research, or long-term retention while mitigating re-identification risks.

Standards Coverage:

GDPR. De-identified data no longer personal data
APP 11 (Australia): De-identification alternative to deletion
Privacy by Design Principle 2. Minimise identifiable information

Implementation Type: Technical Evidence Needed:

De-identification techniques (aggregation, generalization, perturbation)
Re-identification risk assessment
De-identified data governance

Priority: Medium Current Status: ✅ Implemented - Aggregated analytics, no individual tracking

UC-119: Data Lineage and Provenance

Domain: Data Lifecycle Description: Track data lineage showing origin, transformations, and movements of personal data through systems.

Standards Coverage:

GDPR Article 30. Records of processing activities
ISO 27701:2019. Data flow documentation
CSA CCM DSP-13. Data lineage

Implementation Type: Administrative Evidence Needed:

Data flow diagrams
System integration documentation
Processing activity records
Data transformation logs
Third-party data sharing documentation

Priority: Medium Current Status: ✅ Implemented. Data flows documented in Architecture docs and data-lifecycle-evidence

Domain: Data Lifecycle Description: Enable users to withdraw consent as easily as it was given. Stop processing and delete data when consent is withdrawn.

Standards Coverage:

GDPR Article 7(3). Right to withdraw consent
ISO 27701:2019 Annex A 7.3.4. Consent withdrawal
APP 3 (Australia): Consent can be withdrawn
CCPA. Opt-out mechanisms

Implementation Type: Technical + Administrative Evidence Needed:

Consent withdrawal interface (same ease as granting)
Processing cessation upon withdrawal
Data deletion (if consent was sole legal basis)
Withdrawal logs
Notification to third parties

Priority: High Current Status: ❌ Not Applicable. Processing based on legitimate interest and contractual necessity, not consent; users can stop using the service at any time

UC-121: Data Residency and Localization

Domain: Data Lifecycle Description: Store and process data in specific geographic locations to comply with data residency requirements and localization laws.

Standards Coverage:

GDPR. Data residency considerations for adequacy
ISO 27701:2019 Annex A 7.2.7. Cross-border transfers
Country-specific laws. Russia, China, etc. data localization

Implementation Type: Technical + Administrative Evidence Needed:

Data residency policies
Cloudflare datacenter selection
Data location documentation
Customer choice of data regions
Compliance with localization laws

Priority: Low Current Status: ✅ Implemented - Cloudflare global network, customer can choose regions

UC-122: Data Backup and Recovery Testing

Domain: Data Lifecycle Description: Regularly test data backup and recovery procedures to ensure data can be restored within defined recovery objectives.

Standards Coverage:

ISO 27001:2022 A.8.13. Information backup
ISO 27001:2022 A.5.13. Business continuity
CSA CCM BCR-02. Backup testing

Implementation Type: Technical + Administrative Evidence Needed:

Backup testing schedule (quarterly minimum)
Recovery testing results
RPO/RTO achievement verification
Test documentation and lessons learned
Backup restoration procedures

Priority: High Current Status: 📋 Planned - Quarterly backup restoration testing

Access & Identity Controls

UC-123: Identity Proofing and Verification

Domain: Access & Identity Description: Verify user identities with level of assurance appropriate to risk (IAL1, IAL2, IAL3). Collect and validate identity evidence.

Standards Coverage:

NIST 800-63-3 IAL1/2/3. Identity assurance levels
ISO 27566-1. Identity verification for credential issuance
GDPR. Verification for data subject rights requests
CCPA. Verification for consumer rights requests

Implementation Type: Technical + Administrative Evidence Needed:

Identity proofing procedures (issuer-side)
Identity evidence types (government ID, biometrics, vouching)
Identity verification records
Fraud detection in identity proofing
Risk-based IAL selection

Priority: Critical Current Status: ✅ Implemented - Issuer identity proofing (IAL2/3)

UC-124: Authenticator Management

Domain: Access & Identity Description: Manage authenticators (passwords, tokens, biometrics) according to assurance level requirements. Support multiple authenticator types.

Standards Coverage:

NIST 800-63-3 AAL1/2/3. Authenticator assurance levels
ISO 27001:2022 A.8.5. Secure authentication
CSA CCM IAM-06. Authenticator management

Implementation Type: Technical Evidence Needed:

Supported authenticator types
Authenticator lifecycle management
Binding of authenticators to accounts
Authenticator strength by AAL level
Lost/compromised authenticator procedures

Priority: High Current Status: ✅ Implemented - Password managers, MFA for admin access

UC-125: Session Management

Domain: Access & Identity Description: Securely manage user sessions with timeouts, re-authentication for sensitive operations, and session termination.

Standards Coverage:

ISO 27001:2022 A.8.5. Secure authentication
NIST 800-63-3. Session management requirements
OWASP ASVS. Session management controls

Implementation Type: Technical Evidence Needed:

Session timeout configuration (15 minutes idle)
Re-authentication for privilege elevation
Secure session token generation
Session termination on logout
Concurrent session limits

Priority: High Current Status: ✅ Implemented - Screen locks, session management in APIs

UC-126: Federation and Single Sign-On (SSO)

Domain: Access & Identity Description: Support federated authentication and SSO using standard protocols (OAuth 2.0, OpenID Connect, SAML).

Standards Coverage:

NIST 800-63-3 FAL1/2/3. Federation assurance levels
OpenID Connect. Authentication protocol
SAML 2.0. Federation protocol
CSA CCM IAM-07. Federation

Implementation Type: Technical Evidence Needed:

SSO protocol implementation (OpenID Connect)
Federation trust agreements
Assertion protection (signatures, encryption)
Attribute release policies
Single logout support

Priority: Medium Current Status: 🔄 Deferred. May implement OpenID Connect based on customer requirements

UC-127: Biometric Authentication

Domain: Access & Identity Description: Implement biometric authentication with liveness detection, secure storage, and privacy protections (templates, not raw biometrics).

Standards Coverage:

NIST 800-63-3 AAL3. Biometric authenticators
ISO/IEC 24745. Biometric information protection
GDPR Article 9. Biometric data as special category
ISO 27566-1. Biometric age estimation

Implementation Type: Technical Evidence Needed:

Biometric modality (fingerprint, face, iris)
Liveness detection implementation
Template storage (not raw biometrics)
On-device biometric processing (where possible)
Biometric privacy impact assessment

Priority: Low Current Status: ❌ Not Applicable. No biometric authentication in issuance; wallet uses device biometrics (passkeys/FaceID) managed by OS

UC-128: Access Reviews and Recertification

Domain: Access & Identity Description: Regularly review user access rights and recertify appropriateness. Remove unnecessary access.

Standards Coverage:

ISO 27001:2022 A.5.18. Access rights
SOC 2. User access reviews
CSA CCM IAM-08. Access reviews

Implementation Type: Administrative Evidence Needed:

Access review schedule (quarterly)
Access review reports
Access revocation records
Role-based access reviews
Privileged access reviews

Priority: High Current Status: ✅ Implemented - Quarterly access reviews in ISMS

UC-129: Just-In-Time (JIT) Access

Domain: Access & Identity Description: Implement just-in-time privileged access with time-limited elevation, approval workflows, and automatic de-elevation.

Standards Coverage:

ISO 27001:2022 A.8.2. Privileged access rights
CSA CCM IAM-09. Privileged access controls
Zero Trust. Least privilege and JIT access

Implementation Type: Technical Evidence Needed:

JIT access request workflow
Time-limited privilege elevation
Approval and audit logs
Automatic privilege revocation
Break-glass procedures for emergencies

Priority: Medium Current Status: 🔄 Deferred. Sole operator; JIT access will be implemented when team grows

UC-130: Identity Lifecycle Management

Domain: Access & Identity Description: Manage complete identity lifecycle from provisioning through updates to deprovisioning. Automate where possible.

Standards Coverage:

ISO 27001:2022 A.5.9. Access control lifecycle
CSA CCM IAM-10. Identity lifecycle
NIST CSF. Identify and protect

Implementation Type: Administrative + Technical Evidence Needed:

Onboarding procedures (identity creation)
Role change procedures
Offboarding procedures (access revocation)
Automated provisioning/deprovisioning (where applicable)
Lifecycle audit trails

Priority: High Current Status: ✅ Implemented - Onboarding/offboarding procedures

UC-131: Credential Binding and Verification

Domain: Access & Identity Description: Securely bind credentials to users. Verify credential authenticity and integrity before relying on them.

Standards Coverage:

NIST 800-63-3. Credential binding and verification
W3C Verifiable Credentials. Credential verification
ISO 27566-1. Age credential verification

Implementation Type: Technical Evidence Needed:

Cryptographic binding of credentials to users
Signature verification (RedJubjub)
Issuer verification key registry (JWKS)
Credential revocation checking
Proof of possession

Priority: Critical Current Status: ✅ Implemented - Cryptographic credential binding and verification

UC-132: Account Recovery and Reset

Domain: Access & Identity Description: Provide secure account recovery mechanisms resistant to social engineering and account takeover.

Standards Coverage:

NIST 800-63-3. Account recovery guidance
ISO 27001:2022. Password reset procedures
OWASP ASVS. Account recovery controls

Implementation Type: Technical + Administrative Evidence Needed:

Account recovery procedures
Multi-factor recovery verification
Recovery contact verification (email, phone)
Account lockout after failed attempts
Recovery audit logs

Priority: High Current Status: 🔄 Partially Implemented - Standard password reset, enhanced recovery needed

UC-133: Zero Trust Architecture

Domain: Access & Identity Description: Implement zero trust principles: never trust, always verify. Require continuous authentication and authorisation.

Standards Coverage:

NIST SP 800-207. Zero Trust Architecture
CSA. Zero trust cloud security
ISO 27001:2022. Implicit through access controls

Implementation Type: Technical + Administrative Evidence Needed:

Micro-segmentation (environment separation)
Per-request authentication and authorisation
No implicit trust based on network location
Continuous monitoring and verification
Zero trust architecture documentation

Priority: Medium Current Status: ✅ Implemented - API authentication per request, no network trust

UC-134: Service Account Management

Domain: Access & Identity Description: Secure service accounts and API credentials with rotation, minimal permissions, and monitoring.

Standards Coverage:

ISO 27001:2022 A.8.2. Secure authentication
CSA CCM IAM-11. Service account management
NIST CSF. Protect function

Implementation Type: Technical + Administrative Evidence Needed:

Service account inventory
API token scoping (minimal permissions)
Credential rotation schedule
Service account activity monitoring
No hardcoded credentials

Priority: High Current Status: ✅ Implemented - Scoped API tokens, no hardcoded credentials

UC-135: Authorisation Policy Management

Domain: Access & Identity Description: Implement centralized authorisation policy management with role-based or attribute-based access control (RBAC/ABAC).

Standards Coverage:

ISO 27001:2022 A.8.3. Information access restriction
CSA CCM IAM-12. Authorisation management
NIST. RBAC/ABAC guidance

Implementation Type: Technical Evidence Needed:

Authorisation policy definitions
RBAC roles and permissions
ABAC attributes and rules
Policy enforcement points
Authorisation audit logs

Priority: High Current Status: ✅ Implemented - RBAC for GitHub/Cloudflare, API access control

UC-136: Anomaly Detection for Access

Domain: Access & Identity Description: Detect anomalous access patterns (unusual location, time, volume) and trigger alerts or additional verification.

Standards Coverage:

NIST 800-63-3. Risk-based authentication
CSA CCM IAM-13. Anomaly detection
GDPR Article 32. Security monitoring

Implementation Type: Technical Evidence Needed:

Behavioural analytics for access patterns
Geographic/time-based anomaly detection
Risk scoring for access attempts
Automated alerts and response
Adaptive authentication

Priority: Medium Current Status: 🔄 Deferred. May implement alongside SIEM evaluation as operational scale increases

UC-137: API Security and Authentication

Domain: Access & Identity Description: Secure APIs with strong authentication (API keys, HMAC, OAuth), rate limiting, and input validation.

Standards Coverage:

OWASP API Security Top 10. API security best practices
ISO 27001:2022 A.8.5. Secure authentication
CSA CCM AIS-04. API security

Implementation Type: Technical Evidence Needed:

API authentication mechanism (HMAC-SHA256)
API key management and rotation
Rate limiting (per-client, per-endpoint)
Input validation and sanitization
API security testing

Priority: Critical Current Status: ✅ Implemented - HMAC authentication, rate limiting

UC-138: Directory Services Security

Domain: Access & Identity Description: Secure directory services (LDAP, Active Directory) used for identity and access management.

Standards Coverage:

ISO 27001:2022 A.8.2. Secure authentication
CSA CCM IAM-14. Directory services
NIST. Directory services security

Implementation Type: Technical Evidence Needed:

Directory service hardening
Encrypted connections (LDAPS)
Directory access controls
Directory replication security
Directory monitoring

Priority: Low Current Status: ❌ Not Applicable - No enterprise directory services

UC-139: Identity Governance and Administration (IGA)

Domain: Access & Identity Description: Implement identity governance including access request workflows, approval processes, and compliance reporting.

Standards Coverage:

ISO 27001:2022 A.5.9. Access control
SOC 2. Access provisioning controls
CSA CCM IAM-15. Identity governance

Implementation Type: Administrative + Technical Evidence Needed:

Access request and approval workflows
Segregation of duties enforcement
Access certification campaigns
Compliance reporting (who has access to what)
IGA tool or process

Priority: Medium Current Status: 🔄 Deferred. Sole operator; formal IGA process will be implemented when team grows

UC-140: Credential Theft Prevention

Domain: Access & Identity Description: Prevent credential theft through phishing-resistant authentication, security awareness, and credential monitoring.

Standards Coverage:

NIST 800-63-3 AAL3. Phishing-resistant authenticators
ISO 27001:2022 A.6.3. Security awareness
CSA CCM IAM-16. Credential protection

Implementation Type: Technical + Administrative Evidence Needed:

Phishing-resistant authentication (FIDO2, WebAuthn)
Security awareness training
Credential leak monitoring (Have I Been Pwned)
Password breach detection
MFA enforcement

Priority: High Current Status: ✅ Implemented - MFA, security awareness training

Development & Operations Controls

UC-141: Secure Coding Standards

Domain: Development & Operations Description: Establish and enforce secure coding standards covering input validation, output encoding, error handling, and common vulnerabilities.

Standards Coverage:

ISO 27001:2022 A.8.25. Secure development life cycle
OWASP ASVS. Secure coding requirements
CSA CCM AIS-05. Secure coding practices

Implementation Type: Administrative + Technical Evidence Needed:

Secure coding guidelines document
Code review checklists
OWASP Top 10 mitigation
Language-specific security patterns (Rust, TypeScript)
Developer training on secure coding

Priority: High Current Status: ✅ Implemented - Rust memory safety, code review standards

UC-142: Static Application Security Testing (SAST)

Domain: Development & Operations Description: Implement automated static code analysis to detect security vulnerabilities before deployment.

Standards Coverage:

ISO 27001:2022 A.8.29. Security testing in development and acceptance
CSA CCM AIS-06. Static analysis
NIST. Secure SDLC practices

Implementation Type: Technical Evidence Needed:

SAST tools (CodeQL, clippy, ESLint)
CI/CD integration
Vulnerability findings and remediation
False positive management
SAST coverage metrics

Priority: High Current Status: ✅ Implemented - CodeQL, clippy, ESLint in CI/CD

UC-143: Dynamic Application Security Testing (DAST)

Domain: Development & Operations Description: Perform automated security testing against running applications to identify runtime vulnerabilities.

Standards Coverage:

ISO 27001:2022 A.8.29. Security testing in development and acceptance
CSA CCM AIS-07. Dynamic analysis
OWASP. DAST best practices

Implementation Type: Technical Evidence Needed:

DAST tools (Zap, Burp)
Vulnerability scan results
Remediation tracking
Scan frequency (per release)
DAST in staging environment

Priority: Medium Current Status: 🔄 Deferred. May evaluate DAST tooling as security testing maturity develops

UC-144: Software Composition Analysis (SCA)

Domain: Development & Operations Description: Continuously scan dependencies for known vulnerabilities. Track and update vulnerable libraries.

Standards Coverage:

ISO 27001:2022 A.8.30. Outsourced development
CSA CCM STA-02. Software composition analysis
NIST. Supply chain security

Implementation Type: Technical Evidence Needed:

SCA tools (cargo audit, npm audit, GitHub Dependabot)
Dependency vulnerability reports
Remediation SLAs by severity
Dependency update tracking
License compliance

Priority: Critical Current Status: ✅ Implemented - cargo audit, npm audit, GitHub Security Alerts

UC-145: Secrets Management

Domain: Development & Operations Description: Securely manage secrets (API keys, credentials, encryption keys) with rotation, access control, and audit logging.

Standards Coverage:

ISO 27001:2022 A.8.24. Use of cryptography
ISO 27001:2022 A.5.17. Authentication information
CSA CCM EKM-07. Secrets management

Implementation Type: Technical + Administrative Evidence Needed:

Secrets management solution (Cloudflare KV, secrets)
No secrets in source code or logs
Secrets rotation procedures
Secrets access audit logs
Secrets scanning in CI/CD

Priority: Critical Current Status: ✅ Implemented - Secrets in Cloudflare KV, never in code

UC-146: Container and Orchestration Security

Domain: Development & Operations Description: Secure containers and orchestration platforms with image scanning, runtime protection, and network policies.

Standards Coverage:

ISO 27001:2022 A.8.22. Segregation of networks
CSA CCM IVS-02. Container security
CIS Benchmarks. Container security

Implementation Type: Technical Evidence Needed:

Container image scanning
Base image security (minimal, patched)
Runtime security monitoring
Network policies and segmentation
Container orchestration hardening

Priority: Low Current Status: ❌ Not Applicable - Serverless (Cloudflare Workers), no containers

UC-147: Infrastructure as Code (IaC) Security

Domain: Development & Operations Description: Secure infrastructure as code with version control, code review, security scanning, and testing.

Standards Coverage:

ISO 27001:2022 A.8.32. Change management
CSA CCM CCC-02. Infrastructure as code
DevSecOps. IaC security practices

Implementation Type: Technical + Administrative Evidence Needed:

IaC in version control (Git)
IaC security scanning (terraform scan, wrangler.toml review)
Code review for infrastructure changes
IaC testing (validation, dry-runs)
IaC documentation

Priority: High Current Status: ✅ Implemented - wrangler.toml in Git, reviewed changes

UC-148: CI/CD Pipeline Security

Domain: Development & Operations Description: Secure CI/CD pipelines with authentication, access control, artifact signing, and audit logging.

Standards Coverage:

ISO 27001:2022 A.8.6. Change management
SLSA. Supply chain levels for software artifacts
CSA CCM CCC-03. CI/CD security

Implementation Type: Technical Evidence Needed:

Pipeline access controls (GitHub Actions permissions)
Artifact signing and provenance (SLSA Level 3)
Secrets management in pipelines
Pipeline audit logs
Pipeline security scanning

Priority: Critical Current Status: ✅ Implemented - SLSA Level 3, signed artifacts, access controls

UC-149: Immutable Infrastructure

Domain: Development & Operations Description: Deploy immutable infrastructure where changes require redeployment rather than modification. Enhance security and reproducibility.

Standards Coverage:

DevOps. Immutable infrastructure pattern
ISO 27001:2022 A.8.19. Installation of software on operational systems
CSA CCM. Infrastructure security

Implementation Type: Technical Evidence Needed:

Immutable deployment model (serverless Workers)
No runtime modifications to production
Version-controlled deployments
Rollback capabilities
Deployment artifacts and provenance

Priority: High Current Status: ✅ Implemented - Serverless Workers (immutable)

UC-150: Dependency Management and Pinning

Domain: Development & Operations Description: Pin dependency versions, use lock files, and control dependency updates through testing and review.

Standards Coverage:

ISO 27001:2022 A.8.30. Outsourced development
SLSA. Hermetic builds
CSA CCM STA-03. Dependency management

Implementation Type: Technical Evidence Needed:

Dependency lock files (Cargo.lock, package-lock.json)
Pinned versions in manifests
Controlled dependency updates
Dependency testing before merge
Hermetic builds

Priority: High Current Status: ✅ Implemented - Lock files, hermetic builds

UC-151: Environment Parity

Domain: Development & Operations Description: Maintain parity between development, staging, and production environments to reduce deployment risks.

Standards Coverage:

12-Factor App. Dev/prod parity
ISO 27001:2022 A.8.31. Separation of development, test and production environments
DevOps. Environment consistency

Implementation Type: Technical + Administrative Evidence Needed:

Environment configuration management
Similar infrastructure across environments
Parity testing
Configuration drift detection
Environment-specific secrets only

Priority: Medium Current Status: ✅ Implemented - wrangler dev mirrors production, separate secrets

UC-152: Feature Flags and Rollout Control

Domain: Development & Operations Description: Use feature flags to control rollout of new features. Enable gradual rollout, A/B testing, and quick rollback.

Standards Coverage:

ISO 27001:2022 A.8.32. Change management
DevOps. Continuous delivery practices
SRE. Safe rollouts

Implementation Type: Technical Evidence Needed:

Feature flag system
Gradual rollout procedures
Rollback capabilities
Feature flag audit logs
User segmentation for flags

Priority: Medium Current Status: 🔄 Deferred. Sole operator deploys via CI/CD; feature flags may be implemented if team grows

UC-153: Logging and Observability

Domain: Development & Operations Description: Implement logging, metrics, and tracing for security, debugging, and performance monitoring.

Standards Coverage:

ISO 27001:2022 A.8.8. Logging and monitoring
CSA CCM LOG-03. Observability
SRE. Observability practices

Implementation Type: Technical Evidence Needed:

Structured logging implementation
Metrics collection (Cloudflare Workers Logs shipped to Grafana Loki)
Distributed tracing (where applicable)
Log aggregation and search
Dashboards and alerting

Priority: High Current Status: ✅ Implemented - Structured logging, Cloudflare Workers Logs (Grafana Loki)

UC-154: Error Handling and Logging

Domain: Development & Operations Description: Implement secure error handling that prevents information leakage while logging sufficient detail for debugging.

Standards Coverage:

OWASP ASVS. Error handling requirements
ISO 27001:2022 A.8.12. Data leakage prevention
CSA CCM. Secure error handling

Implementation Type: Technical Evidence Needed:

Generic error messages to users
Detailed errors logged server-side
No stack traces in production
No secrets in error messages
Error monitoring and alerting

Priority: High Current Status: ✅ Implemented - Generic errors to users, detailed logs server-side

UC-155: API Versioning and Deprecation

Domain: Development & Operations Description: Implement API versioning strategy with clear deprecation policies and migration support.

Standards Coverage:

ISO 27001:2022 A.8.6. Change management
API Design. Versioning best practices
DevOps. Backward compatibility

Implementation Type: Administrative + Technical Evidence Needed:

API versioning scheme (URL or header)
Deprecation policy and timeline
Backward compatibility testing
Client migration guidance
Version sunset notifications

Priority: Medium Current Status: 📋 Planned - API versioning strategy

UC-156: Rate Limiting and Throttling

Domain: Development & Operations Description: Implement rate limiting to prevent abuse, DoS attacks, and resource exhaustion.

Standards Coverage:

ISO 27001:2022 A.8.6. Capacity management
OWASP API Security. Rate limiting
CSA CCM. Abuse prevention

Implementation Type: Technical Evidence Needed:

Rate limiting rules (per-client, per-endpoint)
Cloudflare rate limiting configuration
Abuse detection and blocking
Rate limit headers (X-RateLimit-*)
Graceful degradation

Priority: High Current Status: ✅ Implemented - Cloudflare rate limiting

UC-157: Input Validation and Sanitization

Domain: Development & Operations Description: Validate and sanitize all inputs to prevent injection attacks, XSS, and data corruption.

Standards Coverage:

OWASP Top 10. Injection prevention
ISO 27001:2022 A.8.25. Secure development life cycle
CSA CCM AIS-08. Input validation

Implementation Type: Technical Evidence Needed:

Input validation rules
Whitelisting over blacklisting
Type safety (Rust, TypeScript)
Sanitization for output contexts
Parameterized queries (if using SQL)

Priority: Critical Current Status: ✅ Implemented - Strong typing, input validation

UC-158: Output Encoding and Escaping

Domain: Development & Operations Description: Encode outputs appropriately for context (HTML, JavaScript, URL, SQL) to prevent injection attacks.

Standards Coverage:

OWASP. XSS prevention
ISO 27001:2022 A.8.25. Secure development life cycle
CSA CCM AIS-09. Output encoding

Implementation Type: Technical Evidence Needed:

Context-aware output encoding
HTML escaping in templates
JSON encoding for APIs
URL encoding where needed
Content Security Policy (CSP)

Priority: High Current Status: ✅ Implemented - Template escaping, JSON APIs

UC-159: Penetration Testing

Domain: Development & Operations Description: Conduct regular penetration testing by qualified security professionals. Remediate findings promptly.

Standards Coverage:

ISO 27001:2022 A.5.35. Independent review of information security
PCI DSS. Annual penetration testing
CSA CCM. Penetration testing
GDPR Article 32. Regular testing and evaluation

Implementation Type: Administrative Evidence Needed:

Penetration testing schedule (annual minimum)
Penetration testing reports
Tester qualifications
Remediation tracking
Re-testing of fixed vulnerabilities

Priority: High Current Status: 📋 Planned - Annual penetration testing (2025)

UC-160: Bug Bounty Program

Domain: Development & Operations Description: Establish bug bounty program to incentivize security researchers to report vulnerabilities responsibly.

Standards Coverage:

ISO 27001:2022 A.6.8. Information security event reporting
Best Practices. Coordinated vulnerability disclosure
CSA CCM. Vulnerability disclosure

Implementation Type: Administrative Evidence Needed:

Bug bounty program policy
Platform (HackerOne, Bugcrowd, etc.) or self-hosted
Reward structure
Response SLAs
Vulnerability disclosure timeline

Priority: Medium Current Status: ❌ Not Applicable. Responsible disclosure via security@maelstrom.au; no formal bug bounty programme

UC-161: Deployment Automation and Repeatability

Domain: Development & Operations Description: Automate deployments for consistency, repeatability, and auditability. Minimise manual intervention.

Standards Coverage:

ISO 27001:2022 A.8.32. Change management
DevOps. Automation principles
CSA CCM CCC-04. Deployment automation

Implementation Type: Technical Evidence Needed:

Automated deployment pipelines (GitHub Actions)
Deployment scripts and procedures
No manual production changes
Deployment audit logs
Rollback automation

Priority: High Current Status: ✅ Implemented - CI/CD automated deployments

UC-162: Production Access Controls

Domain: Development & Operations Description: Strictly control production access. Require approval, MFA, and logging for production activities.

Standards Coverage:

ISO 27001:2022 A.8.2. Privileged access rights
SOC 2. Production access controls
CSA CCM IAM-17. Production access

Implementation Type: Administrative + Technical Evidence Needed:

Production access policy (limited, approved only)
MFA required for production
Production access logs
No direct database access (API only)

Priority: Critical Current Status: ✅ Implemented - Limited production access, MFA, audit logs

UC-163: Chaos Engineering and Resilience Testing

Domain: Development & Operations Description: Conduct chaos engineering experiments to test system resilience under failure conditions.

Standards Coverage:

SRE. Chaos engineering practices
ISO 27001:2022 A.5.13. Business continuity testing
CSA CCM. Resilience testing

Implementation Type: Technical Evidence Needed:

Chaos engineering experiments
Failure injection testing
Resilience improvement tracking
Game day exercises
Incident response readiness

Priority: Low Current Status: ❌ Not Applicable. Cloudflare Workers serverless architecture; resilience tested via BCP tabletop exercises

UC-164: Technical Debt Management

Domain: Development & Operations Description: Track and prioritise technical debt including security debt. Allocate time for remediation.

Standards Coverage:

ISO 27001:2022 A.8.27. Secure system architecture and engineering principles
DevOps. Sustainable development practices
Agile. Technical debt management

Implementation Type: Administrative Evidence Needed:

Technical debt register
Security debt prioritisation
Remediation roadmap
Time allocation for debt reduction
Debt metrics and trends

Priority: Medium Current Status: 🔄 Partially Implemented. Technical debt tracked informally via Technical Debt Policy; will formalise as team grows

UC-186: Sandbox Environment Isolation (Build, CI, Runtime)

Domain: Development & Operations Description: Enforce isolation of the docs interactive sandbox from production code paths through a defence-in-depth chain: a Cargo feature flag gates sandbox-only modules at compile time, a CI bundle-grep step fails the build if any sandbox symbol reaches a production artifact, and request-middleware prefix rejection refuses sandbox paths at the production ingress. The three layers are independent so that a failure of any one does not collapse the isolation boundary.

Placement note: UC-186 is numerically out of sequence with the UC-141 to UC-164 Development & Operations range. Existing UC-IDs are preserved verbatim to avoid renumbering evidence artefacts and SOA cross-references; the new control takes the next available ID after UC-185.

Standards Coverage:

ISO 27001:2022 A.8.25. Secure development life cycle. compile-time feature flag and CI bundle-grep operate as engineering controls inside the secure SDLC
ISO 27001:2022 A.8.31. Separation of development, test and production environments. middleware prefix rejection at the production ingress enforces the separation boundary at runtime
CSA CCM IVS-01. Infrastructure and virtualisation. environment separation
OWASP ASVS V14. Configuration and environment separation

Implementation Type: Technical

Control Layers:

Compile-time isolation via Cargo feature flag

docs-sandbox feature flag declared in the relevant workspace Cargo.toml
Sandbox-only modules (fixture issuer, synthetic attestation stamping, sandbox-scoped routes) are gated by #[cfg(feature = "docs-sandbox")]
Production builds omit the feature flag; the sandbox code is excluded from the resulting binary entirely
Workspace resolver hygiene: no transitive dependency re-enables the flag on production crates (risk tracked as RISK-2026-DOCS-H03)

CI bundle-grep gate

CI job scans the production artefact for strings that must not appear: sandbox module names, fixture issuer identity, synthetic: true stamp emitter, sandbox route prefixes
Any hit fails the build before the artefact can be promoted
Runs on every PR targeting main and on every tagged release build

Runtime middleware prefix rejection

Production provii-verifier middleware (including hosted mode routes) rejects request paths carrying the sandbox prefix (for example /sandbox/) with a 404 before the router is consulted
Production provii-verifier refuses the sandbox issuer identity at signature verification time (see COPPA Safe Harbor synthetic-only posture)
Rejection happens at the edge of the Worker, so no sandbox code path can be reached even if an isolation layer above it fails open

Evidence Needed:

Cargo.toml feature flag declaration and #[cfg] gating in sandbox modules
CI workflow YAML for the bundle-grep job (expected to live in the relevant repo’s .github/workflows/)
Middleware source implementing the prefix rejection (provii-verifier, including hosted mode routes)
Test fixtures demonstrating production build rejects sandbox issuer identity
Link to Docs Sandbox DPIA and DPIA Children’s Code Standard 2 for the risk context the control mitigates

Risk Register Cross-References:

UC-186 is the primary mitigator for:

RISK-2026-DOCS-H03 (sandbox feature flag hygiene under Rust workspace resolver). UC-186 layer 1 (Cargo feature flag) and layer 3 (CI bundle-grep) are the core controls.
RISK-2026-DOCS-M04 (handler blast radius on shared Worker). UC-186 layer 4 (runtime middleware prefix rejection) and the narrowed DocsEnv binding provide the isolation boundary.

UC-186 provides partial coverage for:

RISK-2026-DOCS-H01 (bearer token XSS via Scalar supply chain). UC-186 layer 4 reduces cross-surface blast radius if a token were to be stolen; primary mitigators are CSP, SRI, and __Host- cookie scoping tracked under separate SOA controls.
RISK-2026-DOCS-H02 (DOCS_SESSION_HMAC_KEY leak forges sessions across developer fleet). UC-186 layer 4 is designed to ensure a forged session cannot reach production endpoints; primary mitigators are Secrets Store storage and kid-prefixed rotation.
RISK-2026-DOCS-M01 (shared sandbox attestation replay across sessions). UC-186 layer 4 blocks any attempt to replay a sandbox attestation against production; primary mitigators are session-bound attestation and nonce TTL.
RISK-2026-DOCS-M02 (Bot Fight Mode passive bypass by patient bot farm). UC-186 layer 4 is designed to keep abuse scoped to the sandbox surface; primary mitigators are Cloudflare managed challenge and rate limits.
RISK-2026-DOCS-M03 (mobile sandbox abuse at scale via residential proxies). UC-186 layer 4 rejects any mwallet-sbx-* attempt against production ingress; primary mitigators are 7-day install TTL and per-install rate limits.
RISK-2026-DOCS-M05 (Scalar supply chain compromise via npm). UC-186 layer 4 is designed to prevent a compromised Scalar bundle from reaching production by rejecting sandbox prefixes at the production edge; primary mitigators are npm audit, Dependabot, CSP, and SRI.

UC-186 does not cover:

RISK-2026-DOCS-L01 (cross-border transfer of developer pseudonymous identifiers to Cloudflare global edge). Covered by SCCs, UK IDTA, and the transfer impact assessment in ROPA Section 4. Not an isolation control.

Priority: Critical

Current Status: 🔄 Planned. Control defined as part of docs sandbox Phase 0A uplift; implementation to follow under the DX docs sandbox delivery workstream. Compile-time gating and middleware rejection are preventive-by-design; the CI bundle-grep gate provides the detective layer.

Business Continuity Controls

UC-165: Business Impact Analysis (BIA)

Domain: Business Continuity Description: Conduct business impact analysis to identify critical business functions and their recovery requirements.

Standards Coverage:

ISO 27001:2022 A.5.13. Business continuity management
ISO 22301. Business continuity management systems
CSA CCM BCR-04. Business impact analysis

Implementation Type: Administrative Evidence Needed:

BIA document
Critical business functions identified
RTOs and RPOs defined
Impact assessment (financial, reputational, regulatory)
Dependency mapping

Priority: High Current Status: ✅ Implemented - BIA in Business Continuity Plan

UC-166: Disaster Recovery Plan (DRP)

Domain: Business Continuity Description: Establish disaster recovery plan with procedures to restore systems and data after major disruptions.

Standards Coverage:

ISO 27001:2022 A.5.13. Business continuity
CSA CCM BCR-05. Disaster recovery
NIST. Disaster recovery planning

Implementation Type: Administrative + Technical Evidence Needed:

DRP document
Recovery procedures by scenario
Backup and restore procedures
Disaster declaration criteria
DRP testing results

Priority: High Current Status: ✅ Implemented - DRP in Business Continuity Plan

UC-167: High Availability Architecture

Domain: Business Continuity Description: Design systems for high availability with redundancy, failover, and geographic distribution.

Standards Coverage:

ISO 27001:2022 A.8.14. Redundancy of information processing facilities
CSA CCM BCR-06. High availability
SRE. Availability targets

Implementation Type: Technical Evidence Needed:

HA architecture design (Cloudflare 300+ PoPs)
Redundancy implementation
Automatic failover mechanisms
Load balancing
Availability monitoring and SLA (99.9%+)

Priority: Critical Current Status: ✅ Implemented - Cloudflare global distribution, auto-failover

UC-168: Data Backup Procedures

Domain: Business Continuity Description: Implement regular, automated backups of critical data with off-site storage and encryption.

Standards Coverage:

ISO 27001:2022 A.8.13. Information backup
CSA CCM BCR-07. Data backup
GDPR Article 32. Ability to restore availability

Implementation Type: Technical Evidence Needed:

Backup schedule and automation
Off-site backup storage
Backup encryption
Full backups at multiple frequencies (hourly, daily, weekly)
Immutable backups (ransomware protection)

Priority: Critical Current Status: ✅ IMPLEMENTED (January 2025) - provii-backup with automated backup system

Implementation Evidence:

/trust/evidence/business-continuity/provii-backup-evidence.md
provii-backup/ (technical implementation)
Automated schedule: Hourly full + daily full + weekly complete backups
Off-site storage: Cloudflare R2 (separate from production KV, geo-distributed)
Encryption: AES-256-GCM with unique IVs, PBKDF2 key derivation
All backup tiers are full backups (no incremental diff logic)
Compression: MessagePack + Gzip (70-80% size reduction)
Coverage: 30 KV namespaces, 9 Durable Objects, 2 R2 buckets
Retention: 7-90 days tiered policy
Cost: <$0.01/month
Closes GAP-H006

UC-169: Recovery Time and Point Objectives

Domain: Business Continuity Description: Define and achieve Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.

Standards Coverage:

ISO 27001:2022 A.5.13. Business continuity
ISO 22301. RTO/RPO requirements
CSA CCM BCR-08. Recovery objectives

Implementation Type: Administrative + Technical Evidence Needed:

RTO/RPO definitions per system
RTO achievement evidence (failover testing)
RPO achievement evidence (backup frequency)
Gap analysis and remediation
Executive approval of objectives

Priority: High Current Status: ✅ Implemented - RTO: 1 hour, RPO: 24 hours (documented in BCP)

UC-170: Incident Communication Plan

Domain: Business Continuity Description: Establish communication procedures for incidents including internal notifications, customer communications, and status pages.

Standards Coverage:

ISO 27001:2022 A.5.12. Incident management
CSA CCM SEF-06. Incident communication
Best Practices. Transparency during incidents

Implementation Type: Administrative + Technical Evidence Needed:

Communication plan document
Escalation contact lists
Customer notification templates
Status page (status.provii.app)
Communication logs during incidents

Priority: High Current Status: ✅ Enhanced - Incident response plan implemented, status page deployed at status.provii.app

Implementation Details:

Incident Response Plan. Documented in /trust/security/business-continuity.mdx
Status Page. Real-time monitoring at https://status.provii.app
4 services monitored (Production + Sandbox Verify/Issuer)
Auto-refresh every 60 seconds
Public API endpoint (/api/status)
$0/month cost (Cloudflare Workers free tier)
Communication Templates. Service degradation, restoration, security advisory
Escalation Chain. Security Lead → Engineering → ISMS Owner
Customer Communication. Status page (primary), email (backup), social media (major outages)

Evidence Location:

/trust/evidence/business-continuity/status-page-evidence.md
/trust/evidence/business-continuity/bc-dr-evidence.md (UC-170 section)
provii-status/

Gap Closed: GAP-M001 (Status Page for Service Transparency) ✅ CLOSED

UC-171: Tabletop Exercises and Drills

Domain: Business Continuity Description: Conduct regular tabletop exercises and drills to test business continuity and disaster recovery plans.

Standards Coverage:

ISO 27001:2022 A.5.30. ICT readiness for business continuity
CSA CCM BCR-09. BCP/DRP testing
ISO 22301. Testing requirements

Implementation Type: Administrative Evidence Needed:

Tabletop exercise schedule (annual minimum)
Exercise scenarios and objectives
Participant lists
Exercise findings and improvements
Plan updates based on lessons learned

Priority: Medium Current Status: 📋 Planned - Annual tabletop exercises (Q1 2026)

UC-172: Alternative Processing Sites

Domain: Business Continuity Description: Identify and prepare alternative processing sites for critical functions in case primary site is unavailable.

Standards Coverage:

ISO 27001:2022 A.5.13. Business continuity
ISO 22301. Alternative site requirements
CSA CCM BCR-10. Alternative sites

Implementation Type: Administrative + Technical Evidence Needed:

Alternative site identification (Cloudflare global network)
Automatic geographic failover
Alternative site testing
Activation procedures
Site parity verification

Priority: Medium Current Status: ✅ Implemented - Cloudflare global distribution (automatic geographic failover)

Vendor & Supply Chain Controls

UC-173: Vendor Security Assessment

Domain: Vendor & Supply Chain Description: Assess security posture of vendors before engagement and periodically thereafter. Risk-based assessment depth.

Standards Coverage:

ISO 27001:2022 A.5.19. Information security in supplier relationships
CSA CCM STA-04. Vendor security assessment
GDPR Article 28. Processor due diligence
NIST. Supply chain risk management

Implementation Type: Administrative Evidence Needed:

Vendor security questionnaires
Third-party certifications (SOC 2, ISO 27001)
Risk-based assessment (critical vendors get deep assessment)
Assessment records and approvals
Periodic re-assessment (annual for critical)

Priority: High Current Status: ✅ Implemented - Cloudflare/GitHub security assessments, Supplier Management

UC-174: Supply Chain Transparency

Domain: Vendor & Supply Chain Description: Maintain visibility into supply chain including sub-processors, open source dependencies, and service providers.

Standards Coverage:

ISO 27001:2022 A.5.21. Managing information security in the ICT supply chain
GDPR Article 28(2). Sub-processor approval
CSA CCM STA-05. Supply chain transparency
SLSA. Supply chain levels

Implementation Type: Administrative Evidence Needed:

Supplier and sub-processor list
Dependency inventory (Cargo.toml, package.json)
Software bill of materials (SBOM)
Supply chain documentation
Customer notification of sub-processor changes

Priority: High Current Status: ✅ Implemented - Supplier list, SBOM from SLSA provenance

UC-175: Vendor Contract Security Requirements

Domain: Vendor & Supply Chain Description: Include security, privacy, and compliance requirements in vendor contracts. Specify incident notification, audits, and data handling.

Standards Coverage:

ISO 27001:2022 A.5.20. Addressing information security within supplier agreements
GDPR Article 28. Processor contracts
CSA CCM STA-06. Contractual requirements

Implementation Type: Administrative Evidence Needed:

Security requirements in contracts
Data processing agreements (DPAs)
SLAs with security provisions
Audit rights in contracts
Breach notification requirements

Priority: High Current Status: ✅ Implemented - Cloudflare/GitHub ToS include security provisions

UC-176: Open Source Dependency Management

Domain: Vendor & Supply Chain Description: Manage open source dependencies with security scanning, license compliance, and update tracking.

Standards Coverage:

ISO 27001:2022 A.5.21. Managing information security in the ICT supply chain
ISO 27001:2022 A.5.32. Intellectual property rights
CSA CCM STA-07. Open source management

Implementation Type: Technical + Administrative Evidence Needed:

Dependency scanning (cargo audit, npm audit)
License compliance review
Open source usage policy
Dependency update procedures
SBOM generation

Priority: Critical Current Status: ✅ Implemented - cargo audit, npm audit, SBOM, license review

UC-177: Vendor Incident Response Coordination

Domain: Vendor & Supply Chain Description: Coordinate incident response with vendors including notification procedures, shared investigation, and joint remediation.

Standards Coverage:

ISO 27001:2022 A.5.12. Incident management
GDPR Article 33. Processor breach notification
CSA CCM SEF-07. Vendor incident coordination

Implementation Type: Administrative Evidence Needed:

Vendor incident notification procedures
Escalation contacts for vendor incidents
Joint incident investigation protocols
Vendor security incident history
Lessons learned from vendor incidents

Priority: High Current Status: 🔄 Partially Implemented - Cloudflare/GitHub incident channels, formal coordination procedures needed

UC-178: Critical Vendor Monitoring

Domain: Vendor & Supply Chain Description: Continuously monitor critical vendors for security incidents, service disruptions, and compliance changes.

Standards Coverage:

ISO 27001:2022 A.5.7. Threat intelligence
CSA CCM STA-08. Vendor monitoring
NIST. Supply chain monitoring

Implementation Type: Administrative + Technical Evidence Needed:

Vendor monitoring tools (status pages, security feeds)
Critical vendor identification
Vendor health dashboards
Alerting on vendor incidents
Contingency plans for vendor failures

Priority: Medium Current Status: ✅ Implemented - Monitor Cloudflare/GitHub status pages

UC-179: Vendor Offboarding

Domain: Vendor & Supply Chain Description: Securely offboard vendors with data deletion, access revocation, and contract termination procedures.

Standards Coverage:

ISO 27001:2022 A.5.10. Supplier relationships
GDPR Article 28. End of processing obligations
CSA CCM STA-09. Vendor offboarding

Implementation Type: Administrative Evidence Needed:

Vendor offboarding checklist
Data deletion verification
Access revocation confirmation
Contract termination procedures
Transition planning

Priority: Medium Current Status: 🔄 Deferred. Single vendor (Cloudflare); offboarding procedures will be documented as vendor portfolio grows

UC-180: Fourth-Party Risk Management

Domain: Vendor & Supply Chain Description: Manage risks from vendors’ vendors (fourth parties). Require disclosure and assessment of sub-processors.

Standards Coverage:

GDPR Article 28(2). Sub-processor authorisation
ISO 27001:2022 A.5.21. Managing information security in the ICT supply chain
CSA CCM STA-10. Fourth-party risk

Implementation Type: Administrative Evidence Needed:

Sub-processor disclosure requirements
Fourth-party risk assessment
Approval process for sub-processors
Sub-processor changes notification
Liability flow-down in contracts

Priority: Medium Current Status: 🔄 Partially Implemented - Cloudflare sub-processors documented, formal approval process needed

UC-181: Supply Chain Attack Prevention

Domain: Vendor & Supply Chain Description: Implement controls to prevent supply chain attacks including dependency confusion, typosquatting, and compromised packages.

Standards Coverage:

SLSA Level 3/4. Supply chain integrity
ISO 27001:2022 A.5.21. Managing information security in the ICT supply chain
CSA CCM STA-11. Supply chain attack prevention

Implementation Type: Technical Evidence Needed:

Hermetic builds (locked dependencies)
Dependency verification (checksums, signatures)
Private package repository (if applicable)
Artifact provenance (SLSA)
Supply chain attack monitoring

Priority: Critical Current Status: ✅ Implemented - SLSA Level 3, hermetic builds, signed artifacts

Governance & Compliance Controls

UC-182: Compliance Monitoring and Reporting

Domain: Governance & Compliance Description: Continuously monitor compliance with applicable regulations and standards. Generate compliance reports for management and auditors.

Standards Coverage:

ISO 27001:2022 Clause 9. Performance evaluation and monitoring
ISO 27701:2019 Clause 9. Compliance monitoring
CSA CCM GRC-07. Compliance monitoring

Implementation Type: Administrative Evidence Needed:

Compliance register (laws, regulations, standards)
Compliance monitoring procedures
Compliance dashboards and reports
Gap identification and remediation
Executive compliance reporting

Priority: High Current Status: ✅ Implemented. ISMS documentation site provides compliance visibility; quarterly management review tracks compliance posture

UC-183: Management Review and Oversight

Domain: Governance & Compliance Description: Conduct regular management reviews of ISMS/PIMS effectiveness, compliance status, and improvement opportunities.

Standards Coverage:

ISO 27001:2022 Clause 9.3. Management review
ISO 27701:2019 Clause 9.3. Privacy management review
CSA CCM GRC-08. Management review

Implementation Type: Administrative Evidence Needed:

Management review schedule (quarterly minimum)
Management review agendas and minutes
Review inputs (audit results, incidents, metrics, changes)
Management decisions and action items
Follow-up on previous action items

Priority: High Current Status: ✅ Implemented - Management Review Process

UC-184: Internal Audit Program

Domain: Governance & Compliance Description: Conduct regular internal audits to verify ISMS/PIMS compliance and effectiveness. Use independent auditors where possible.

Standards Coverage:

ISO 27001:2022 Clause 9.2. Internal audit
ISO 27701:2019 Clause 9.2. Privacy internal audit
CSA CCM GRC-09. Internal audit

Implementation Type: Administrative Evidence Needed:

Internal audit program and schedule
Audit plans and scopes
Audit findings and non-conformities
Corrective action tracking
Auditor independence

Priority: High Current Status: ✅ Implemented - Internal Audit Program

UC-185: Legal and Regulatory Compliance Register

Domain: Governance & Compliance Description: Maintain register of applicable legal, regulatory, contractual, and industry requirements. Update as requirements change.

Standards Coverage:

ISO 27001:2022 A.5.31. Legal, statutory, regulatory and contractual requirements
ISO 27701:2019. Privacy law compliance
CSA CCM GRC-10. Compliance register

Implementation Type: Administrative Evidence Needed:

Compliance register document
Legal requirements by jurisdiction (GDPR, CCPA, Privacy Act, COPPA, etc.)
Contractual obligations
Industry standards (ISO 27001, ISO 27701, ISO 27566-1)
Quarterly compliance register review

Priority: Critical Current Status: 🔄 Partially Implemented - Key regulations documented, register in progress

Notes on Current Status Legend

✅ Implemented: Control is fully operational with evidence available
🔄 Partially Implemented: Control is in progress or partially complete
📋 Planned: Control is documented in roadmap with timeline
❌ Not Applicable: Control does not apply to our architecture or context

Appendices

Appendix A: Standards Cross-Reference

Detailed mapping of each unified control to specific clauses/articles in each standard.

Appendix B: Evidence Collection Plan

list of evidence artifacts needed for each control with collection procedures.

Appendix C: Compliance Roadmap

Timeline for implementing planned controls and achieving certifications.

Appendix D: Gap Analysis

Detailed analysis of gaps between current state and full compliance with each standard.

Document Control Version: 1.3 Last Updated: 2026-05-21 Next Review: 2026-11-21 Owner: ISMS Owner Maintained By: ISMS Owner

Changelog

Version	Date	Summary
1.2	2026-04-13	Added UC-186 (Sandbox Environment Isolation) under Development & Operations, mapping to ISO 27001:2022 A.8.25 and A.8.31. Matrix total bumped from 185 to 186; Development & Operations domain total bumped from 24 to 25. Executive summary deduplication table, domain breakdown, TOC entry, and title updated accordingly. Existing UC-001 to UC-185 IDs preserved to avoid renumbering evidence artefacts. from .
1.1	2026-02-16	Status updates across multiple controls (implementation progress, evidence refresh).
1.0	2025-11-08	Initial publication of the unified compliance requirements matrix.

End of Unified Compliance Requirements Matrix

Unified Compliance Requirements Matrix

Executive Summary

Deduplication Results

Standards Covered

Control Domain Breakdown

Priority Distribution

Table of Contents

Privacy Controls

UC-001: Data Minimization

UC-002: Purpose Limitation

UC-003: Transparency and Notice

UC-004: User Consent Management

UC-005: User Rights Facilitation

UC-006: Privacy by Design and Default

UC-007: Privacy Impact Assessment (PIA/DPIA)

UC-008: Privacy Governance and Accountability

UC-009: Anonymity and Pseudonymity Support

UC-010: Cross-Border Data Transfer Safeguards

UC-011: Profiling and Automated Decision-Making Restrictions

UC-012: Children’s Privacy Protections

UC-013: Geolocation Privacy Controls

UC-014: Parental Controls and Transparency

UC-015: Nudge Technique Restrictions

UC-016: Data Sharing Restrictions

UC-017: Retention Limitation

UC-018: Privacy Policy and Standards Compliance

UC-019: Detrimental Use Prevention

UC-020: Best Interests of the Child

UC-021: Connected Toys and Devices Privacy

UC-022: Privacy Training and Awareness

UC-023: Privacy-Enhancing Technologies

UC-024: Data Quality and Accuracy

UC-025: Sensitive Data Protections

UC-026: Privacy Incident Response

UC-027: Records of Processing Activities

UC-028: Privacy Rights for Complaints and Redress

UC-029: Direct Marketing Restrictions

UC-030: Privacy for Employment and HR

UC-031: Marketing to Children Restrictions

UC-032: Unlinkability and Selective Disclosure

UC-033: Privacy-Preserving Analytics

UC-034: Processor Obligations and Contracts

UC-035: Third-Party Privacy Audits

UC-036: Privacy Shield / Adequacy Mechanisms

UC-037: Privacy Dispute Resolution

UC-038: Privacy Performance Metrics

Security Controls

UC-039: Information Security Policy

UC-040: Security Roles and Responsibilities

UC-041: Risk Assessment and Treatment

UC-042: Access Control Policy and Management

UC-043: Multi-Factor Authentication (MFA)

UC-044: Encryption in Transit

UC-045: Encryption at Rest

UC-046: Security Monitoring and Logging

UC-047: Incident Response Plan

UC-048: Vulnerability Management

UC-049: Secure Software Development Lifecycle (SSDLC)

UC-050: Security Testing and Assessment

UC-051: Change Management and Control

UC-052: Business Continuity and Disaster Recovery

UC-053: Asset Management and Inventory

UC-054: Supplier and Third-Party Security

UC-055: Physical and Environmental Security

UC-056: Network Security and Segmentation

UC-057: Endpoint Security

UC-058: Secure Authentication and Password Management

UC-059: Privileged Access Management

UC-060: Security Awareness and Training

UC-061: Malware Protection

UC-062: Backup and Recovery

UC-063: Security of Development and Test Environments

UC-064: Capacity Management and Availability

UC-065: Clock Synchronization

UC-066: Secure Disposal and Sanitization

UC-067: Information Leakage Prevention

UC-068: Segregation of Duties

UC-069: Security Metrics and Reporting

UC-070: Security Contact and Disclosure

Cryptographic Controls