Security & Compliance
Workforce is built with sovereignty, security, and compliance at its core. Your data stays in your infrastructure, under your control.
4
Frameworks Tracked
63
Total Controls
29
Implemented
48.3%
Overall Coverage
Compliance Frameworks
SOC 2 Type II
2017 — Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
6 implemented, 9 partial
16 controls
NIST CSF 2.0
2.0 — Voluntary framework for managing cybersecurity risk
8 implemented, 6 partial
17 controls
CIS Controls v8
8 — Prioritized set of actions to protect organizations and data from cyber attack vectors
8 implemented, 5 partial
13 controls
HIPAA Security
45 CFR 164 — Standards for the protection of electronic protected health information (ePHI)
7 implemented, 5 partial
14 controls
Sovereignty Principles
Customer-Owned Infrastructure
Deploys into your AWS account, Azure subscription, or on-premises datacenter. No shared tenancy, ever.
Bring Your Own Model
Use any LLM provider — AWS Bedrock, Anthropic, Azure OpenAI, or self-hosted. Your model, your data.
Tamper-Proof Audit Logs
CloudTrail with SCP-enforced immutability. Every agent action is logged and traceable.
Predictable Pricing
Flat license fee. No per-token charges, no credit roulette, no seat inflation. You pay your cloud provider directly.
Active Gaps (31)
| Framework | Control | Title | Status | Notes |
|---|---|---|---|---|
| SOC 2 Type II | CC1.1 | COSO Principle 1 — Integrity and Ethical Values | partial | BSL 1.1 license terms, CLAUDE.md accountability framework |
| SOC 2 Type II | CC1.3 | COSO Principle 3 — Management Structure | partial | Agent roster defines delegation hierarchy; approval queue enforces authority |
| SOC 2 Type II | CC2.1 | COSO Principle 13 — Quality Information | partial | Structured logging via structlog, X-Ray tracing, cost tracking in DynamoDB |
| SOC 2 Type II | CC3.1 | COSO Principle 6 — Risk Objectives | partial | ADR-001 defines positioning and security commitments |
| SOC 2 Type II | CC3.2 | COSO Principle 7 — Risk Identification | not started | Formal threat model needed — Sprint 7 |
| SOC 2 Type II | CC5.1 | COSO Principle 10 — Control Selection | partial | SCPs on workloads OU, least-privilege IAM, approval queue for external outputs |
| SOC 2 Type II | CC6.3 | Access Removal | partial | Manual process — automate with SCIM in Sprint 9 |
| SOC 2 Type II | CC6.8 | Malicious Software Prevention | partial | GuardDuty enabled, GitHub Dependabot for dependency scanning |
| SOC 2 Type II | CC7.2 | Anomaly Detection | partial | GuardDuty for threat detection, CloudWatch for operational anomalies |
| SOC 2 Type II | CC9.1 | Risk Mitigation | partial | ADR-001 documents risk decisions, accountability framework prevents scope creep |
| NIST CSF 2.0 | GV.RM-01 | Risk Management Strategy | partial | ADR-001 covers strategic risk; formal risk register needed |
| NIST CSF 2.0 | GV.SC-01 | Supply Chain Risk Management | partial | Dependabot for dependency scanning, pinned versions in requirements-lambda.txt |
| NIST CSF 2.0 | ID.AM-01 | Asset Inventory | partial | CDK manages infrastructure as code; agent registry tracks all agents |
| NIST CSF 2.0 | ID.RA-01 | Risk Identification | partial | Automated dependency scanning, GuardDuty for runtime threats |
| NIST CSF 2.0 | ID.RA-03 | Threat Identification | not started | Formal threat model planned for Sprint 7 |
| NIST CSF 2.0 | DE.CM-04 | Malicious Code Detection | partial | GuardDuty runtime detection, Dependabot for known vulnerabilities in dependencies |
| NIST CSF 2.0 | DE.AE-02 | Anomalous Activity Analysis | partial | Cost anomaly tracking, CloudWatch metric alarms for Lambda errors/duration |
| NIST CSF 2.0 | RS.MA-01 | Incident Management | not started | Formal incident response plan needed — Sprint 7 with Compliance Auditor |
| NIST CSF 2.0 | RC.RP-01 | Recovery Plan Execution | not started | DR plan needed — DynamoDB PITR enabled, S3 versioning on |
| CIS Controls v8 | 1.1 | Establish and Maintain Enterprise Asset Inventory | partial | CDK stacks define all infrastructure; AWS Config can enumerate resources |
| CIS Controls v8 | 2.3 | Address Unauthorized Software | partial | Dependabot alerts on known vulnerabilities; manual review cycle |
| CIS Controls v8 | 3.1 | Establish and Maintain a Data Management Process | partial | 3-tier memory architecture with clear retention policies; formal data classification needed |
| CIS Controls v8 | 6.2 | Establish an Access Revoking Process | partial | Manual process — automate with SCIM in Sprint 9 |
| CIS Controls v8 | 13.1 | Centralize Security Event Alerting | partial | GuardDuty for threat detection; centralized alerting pipeline needed |
| HIPAA Security | 164.308(a)(1)(i) | Security Management Process | partial | GuardDuty + CloudTrail provide detection; formal security policy needed |
| HIPAA Security | 164.308(a)(1)(ii)(A) | Risk Analysis (R) | not started | Formal risk assessment planned for Sprint 7 |
| HIPAA Security | 164.308(a)(1)(ii)(B) | Risk Management (R) | partial | Technical controls implemented; formal risk management plan needed |
| HIPAA Security | 164.308(a)(3)(i) | Workforce Security | partial | Agent-level tool allowlists, IAM scoping; workforce access policy needed |
| HIPAA Security | 164.308(a)(4)(i) | Information Access Management | partial | Approval queue controls external data access; access authorization policy needed |
| HIPAA Security | 164.308(a)(6)(i) | Security Incident Procedures | not started | Incident response plan needed — Sprint 7 |
| HIPAA Security | 164.308(a)(7)(i) | Contingency Plan | partial | DynamoDB PITR enabled, S3 versioning on; formal contingency plan needed |