Compliance
The compliance map you forward to your enterprise prospect's security team.
Every Aleutian capability mapped to the SOC 2, GDPR, HIPAA, NIST, ISO, PCI, CCPA, and EU AI Act control it satisfies. Each row marked designed or operating in production.
GDPR Article 17's expanded right-to-erasure takes effect August 2026.
If your product touches EU users, you'll need a defensible DSAR pipeline in place before the deadline arrives, and Aleutian's end-user DSAR portal and signed deletion certificates are already operating today — the flow is documented in detail below under the GDPR Article 17 section.
Feature-to-Framework Matrix
Quick reference: which Aleutian features support which frameworks?
| Aleutian Feature | SOC 2 | GDPR | HIPAA | NIST CSF | NIST 800-53 | ISO 27001 | PCI DSS |
|---|---|---|---|---|---|---|---|
| Hash chain audit trail | CC7.2 | Art. 5(1)(f) | §164.312(b),(c) | PR.DS-6 | AU-9, AU-10 | A.5.33, A.8.15 | 10.3, 10.5 |
| DLP scanning | CC7.1 | Art. 5(1)(c), 30 | §164.312(b) | DE.AE-2 | SI-4 | A.8.12 | - |
| GDPR deletion + certificates | - | Art. 17 | - | - | - | A.8.10 | - |
| Retention automation | - | Art. 5(1)(e) | - | - | AU-11 | - | 10.7 |
| User activity timeline | CC7.3 | Art. 15 | §164.308 | DE.CM-3 | AU-6 | A.8.16 | 10.4.1 |
| Compliance reports | CC4.1 | Art. 5(2) | §164.308 | RS.AN-1 | AU-6 | A.8.16 | 10.4.1 |
| Verification API | CC4.1 | Art. 5(1)(f) | §164.312(c)(2) | PR.DS-6 | SI-7 | A.5.33 | 10.5 |
| Real-time alerting | CC4.2 | Art. 33 | §164.308 | DE.AE-2 | SI-4 | A.8.16 | - |
| Identity-bound tenant isolation (per-tenant Service Account) | CC6.1 | Art. 32(1)(b) | - | - | AC-3 | - | - |
| Post-quantum signing (ML-DSA-65, FIPS 204) | - | - | - | - | SP 800-208 successor | - | - |
| Zero-knowledge default operating mode | - | Art. 25, Art. 5(1)(c) | - | - | SC-28 | - | - |
SOC 2 Trust Services Criteria (7 controls)
SOC 2 is the most common compliance framework for B2B SaaS companies. The following controls are addressable with Aleutian's audit trail and verification features.
| Control | Description | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| CC4.1 | Ongoing monitoring and evaluation | Hash chain verification | Continuous integrity checks, verification reports | |
| CC4.2 | Deficiency communication | DLP alerting | Real-time notifications when sensitive data detected | 🟡 Designed |
| CC5.2 | Technology controls | Hash chain | Cryptographic detective control | |
| CC7.1 | Detect security events | DLP scanning | Automated scanning for sensitive data patterns | 🟡 Designed |
| CC7.2 | Monitor system components | Audit trail | Tamper-evident logs of all AI conversations | |
| CC7.3 | Evaluate security events | Audit trail review | Verification reports, user activity timeline | |
| CC7.4 | Respond to incidents | Audit trail | Immutable evidence for investigation | |
Evidence export:
The system generates SOC 2 CC7.2 evidence packages containing chain verification proof, sample audit entries, and control narratives suitable for auditor review.
GDPR, General Data Protection Regulation (11 controls)
GDPR applies to any company processing EU residents' data. The following articles have corresponding Aleutian features.
| Article | Requirement | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| Art. 5(1)(a) | Lawfulness, fairness, transparency | Audit trail | Documents what data was processed and when | |
| Art. 5(1)(c) | Data minimization | DLP scanning | Identifies personal data in AI conversations | 🟡 Designed |
| Art. 5(1)(e) | Storage limitation | Retention automation | Auto-delete after configurable period | 🟡 Designed |
| Art. 5(1)(f) | Integrity and confidentiality | Hash chain | Cryptographic integrity guarantee | |
| Art. 5(2) | Accountability | Compliance reports | Exportable verification reports | |
| Art. 12 | Transparent communication | Audit logs | Complete record of processing activities | |
| Art. 15 | Right of access | User query | Retrieve all data by user ID | |
| Art. 17 | Right to erasure. Operating in production today through an end-user DSAR portal that issues a signed deletion certificate, with the underlying chain anchoring the deletion event under an ML-DSA-65 signature, and the resulting certificate standalone-verifiable at verify.aleutian.ai without any Aleutian dependency. The August 2026 deadline applies if your product has EU users. | End-user DSAR portal + signed deletion certificate | Standalone-verifiable certificate at verify.aleutian.ai | |
| Art. 30 | Records of processing | Processing logs | Audit logs support Article 30 record-keeping obligations | |
| Art. 32 | Security of processing | Integrity controls | Hash chain, encryption, monitoring | |
| Art. 33 | Breach notification | DLP alerting | Automated DLP alerts support 72-hour notification window | 🟡 Designed |
| Art. 44 | Transfers to third countries / data residency | EU and JP regional residency | Per-region BigQuery datasets and Pub/Sub topics designed; EU and JP subdomains not yet stood up. | 🔵 Roadmap |
GDPR Deletion Flow:
- Customer receives deletion request for user X
- Customer calls the Aleutian API: `DELETE /v1/gdpr/users/{user_id}`; Aleutian returns the list of affected message hashes
- Aleutian deletes payloads, preserves chain structure
- Aleutian issues cryptographic deletion certificate
- Customer uses hashes to delete from their own systems
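A constructed model of the flow above, added here and not Aleutian's code: payloads are replaced by tombstones while their hashes stay in the chain, so verification still passes; the erasure is anchored as its own chain entry; and the certificate lists the affected payload hashes the customer uses downstream. The HMAC signature is a stand-in for the ML-DSA-65 signature the page describes, and the entry layout and field names are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_entry(chain: list, user_id: str, payload: str) -> str:
    """Append one message; the entry hash binds prev hash, payload hash and user id."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    payload_hash = _sha256(payload.encode())
    entry_hash = _sha256((prev + payload_hash + user_id).encode())
    chain.append({"prev": prev, "user_id": user_id, "payload": payload,
                  "payload_hash": payload_hash, "entry_hash": entry_hash})
    return entry_hash

def verify_chain(chain: list) -> bool:
    """Links must be intact and any retained payload must match its recorded hash.
    Erased entries (payload None) are verified by structure only."""
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev:
            return False
        if e["payload"] is not None and _sha256(e["payload"].encode()) != e["payload_hash"]:
            return False
        if _sha256((prev + e["payload_hash"] + e["user_id"]).encode()) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def erase_user(chain: list, user_id: str, cert_key: bytes) -> dict:
    """Drop one user's payloads, keep every hash, anchor the erasure as a chain event,
    and return a certificate listing the affected payload hashes."""
    affected = []
    for e in chain:
        if e["user_id"] == user_id and e["payload"] is not None:
            e["payload"] = None  # tombstone: hash stays, cleartext is gone
            affected.append(e["payload_hash"])
    anchor = append_entry(chain, "erasure-event", json.dumps(affected))
    cert = {"subject": user_id, "erased_payload_hashes": affected, "anchor_entry": anchor}
    body = json.dumps(cert, sort_keys=True).encode()
    # Constructed stand-in: HMAC-SHA256 where the real certificates use ML-DSA-65.
    cert["signature"] = hmac.new(cert_key, body, hashlib.sha256).hexdigest()
    return cert

def verify_certificate(cert: dict, cert_key: bytes) -> bool:
    body = json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()
    expected = hmac.new(cert_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert["signature"], expected)
```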
Three DSAR surfaces.
DSAR fulfillment has three distinct surfaces, each at a different completion state. The operator-facing fulfillment dashboard is running today against the dev environment with integration tests green; the customer-facing public REST API and the recipient-facing verifier streams are ticketed and in progress.
| Surface | What it is | Status |
|---|---|---|
| Operator-facing fulfillment | Dashboard for SAR triage with Acknowledge → Extend → Reject → Fulfill (erasure or access) all wired. All four GDPR articles covered (15, 17, 17(3), 12(3), 20). Chain entries on every transition; signed download URLs; operator rationale stays on chain. | |
| Customer-facing public REST API | POST /v1/sar/intent plus acknowledge / fulfilled / rejected lifecycle endpoints and webhook delivery. Designed for OneTrust, Transcend, Jira, and in-house tooling integration. | 🟡 Designed |
| Recipient-facing verifier | Cross-language verifier SDKs and the hosted verifier at verify.aleutian.ai. The artifact your data subject or regulator uses to confirm a deletion or access response. Go SDK operating; Python mid-flight; JavaScript not started. | 🟡 Designed |
What Aleutian sees of your data, and when.
Aleutian operates in one of three visibility modes, selected per-deployment by the customer. The default is zero-knowledge. The other modes require the customer's explicit opt-in, and any extended visibility Aleutian receives is itself recorded as a signed event in the customer's tamper-evident chain — meaning even Aleutian's access patterns are auditable in the same record that audits everything else.
| Mode | Aleutian's visibility into cleartext | Relevant GDPR control |
|---|---|---|
| Zero-knowledge (default) | Transient access at the proxy moment only, while forwarding to your AI provider. Nothing stored, nothing logged. | Art. 25 (privacy by default), Art. 5(1)(c) (data minimisation) |
| Encrypted-and-chained | Visible at ingest only long enough to encrypt with your KMS wrap key; after encryption Aleutian cannot decrypt without your time-limited, chain-anchored consent. | Art. 32(1)(a) (pseudonymisation and encryption), Art. 5(1)(f) (integrity and confidentiality) |
| Consented PII scan | Visible for a customer-specified, time-limited window. The consent record is itself signed and anchored in your chain. | Art. 6(1)(a) (consent as lawful basis), Art. 7 (conditions for consent), Art. 30 (records of processing) |
| SDK-only (maximum ZK) | None. Your application hashes content locally and Aleutian receives only cryptographic fingerprints and audit metadata. | Art. 25 (privacy by design), Art. 5(1)(c) (data minimisation) |
The trust-anchor architecture means the chain entries themselves are cryptographically tamper-evident regardless of which mode is in use. The visibility mode determines what cleartext, if any, Aleutian sees; the chain integrity is mode-independent. This separation lets your data subjects and regulators receive a verifiable receipt of every processing event without requiring Aleutian to have ever held the underlying content.
HIPAA Security Rule (8 controls)
HIPAA applies to healthcare organizations (Covered Entities) and their vendors (Business Associates).
| Section | Requirement | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| §164.312(a)(2)(i) | Unique user identification | User ID tracking | Every request tagged with user ID | |
| §164.312(b) | Audit controls | Audit trail | Immutable log of all PHI access | |
| §164.312(c)(1) | Integrity | Hash chain | Cryptographic proof data wasn't altered | |
| §164.312(c)(2) | Mechanism to authenticate ePHI | Verification API | Prove authenticity of any record | |
| §164.312(e)(1) | Transmission security | TLS + hashing | Encrypted transport, integrity verification | |
| §164.312(e)(2)(i) | Integrity controls | Per-message hash | Each message has integrity proof | |
| §164.308(a)(1)(ii)(D) | Information system activity review | Dashboard | Visual review of all activity | |
| §164.308(a)(5)(ii)(C) | Log-in monitoring | User timeline | Track all user access patterns | |
NIST Cybersecurity Framework, CSF (13 controls)
NIST CSF is widely adopted across industries, especially in government and critical infrastructure.
| Function | Category | Subcategory | Aleutian Feature | Status |
|---|---|---|---|---|
| Identify | ID.AM-3 | Data flows mapped | Audit trail records all AI data flows | |
| Identify | ID.AM-5 | Resources prioritized | DLP scanning identifies sensitive data | 🟡 Designed |
| Protect | PR.AC-1 | Identities managed | User ID tracking | |
| Protect | PR.DS-1 | Data-at-rest protected | Encrypted storage with integrity hash | |
| Protect | PR.DS-2 | Data-in-transit protected | TLS + per-message hashing | |
| Protect | PR.DS-6 | Integrity checking | Hash chain verification | |
| Protect | PR.IP-1 | Configuration managed | Immutable audit of system state | |
| Detect | DE.AE-2 | Events analyzed | DLP scanning | 🟡 Designed |
| Detect | DE.AE-3 | Event data collected | Full conversation capture (browser, API, code tools) | |
| Detect | DE.CM-1 | Network monitored | All AI conversations logged | |
| Detect | DE.CM-3 | Personnel activity monitored | User activity timeline | |
| Detect | DE.CM-7 | Unauthorized activity detected | Audit trail enables review of unauthorized activity patterns | |
| Respond | RS.AN-1 | Notifications investigated | Forensic timeline for incidents | |
| Respond | RS.AN-3 | Forensics performed | Immutable chain of custody | |
NIST 800-53, Security Controls (9 controls)
NIST 800-53 is required for federal systems (FedRAMP) and widely used as a security baseline.
| Control | Name | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| AU-2 | Audit Events | Audit trail | Captures all AI conversation events | |
| AU-3 | Content of Audit Records | Full logging | Request, response, timestamp, user ID, model | |
| AU-6 | Audit Review, Analysis, Reporting | Dashboard + reports | Visual review, exportable reports | |
| AU-9 | Protection of Audit Information | Hash chain | Tampering is cryptographically detectable | |
| AU-10 | Non-repudiation | Verification API | Cryptographic proof of events | |
| AU-11 | Audit Record Retention | Retention automation | Configurable retention periods | 🟡 Designed |
| AU-12 | Audit Generation | Automatic logging | All requests logged automatically | |
| SI-4 | System Monitoring | DLP scanning | Continuous monitoring for sensitive data | 🟡 Designed |
| SI-7 | Integrity Verification | Hash chain | Verify integrity of any record | |
| CA-6 | Authorization (FedRAMP, StateRAMP, CMMC, CJIS, IRS 1075, FISMA) | Regulated-industry authorizations | Underlying controls largely satisfied via NIST 800-53 mapping; no authorization packages submitted. | 🔵 Roadmap |
ISO 27001:2022 (6 controls)
ISO 27001 is the international standard for information security management systems (ISMS).
| Control | Name | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| A.5.33 | Protection of records | Hash chain | Tamper-evident audit logs | |
| A.8.10 | Information deletion | GDPR deletion | Secure deletion with certificates | |
| A.8.12 | Data leakage prevention | DLP scanning | Detects sensitive data in AI conversations | 🟡 Designed |
| A.8.15 | Logging | Audit trail | Full conversation logging across capture sources | |
| A.8.16 | Monitoring activities | Dashboard + alerting | Real-time monitoring and alerts | |
| A.8.17 | Clock synchronization | Timestamps | UTC timestamps on all entries | |
| A.5.14 | Information transfer / cross-border data residency | EU and JP regional residency | Per-region tenant deployment designed; subdomains and regional control planes not yet stood up. | 🔵 Roadmap |
PCI DSS v4.0 (7 controls)
PCI DSS applies if you process, store, or transmit payment card data.
| Requirement | Name | Aleutian Feature | Evidence Provided | Status |
|---|---|---|---|---|
| 10.2 | Audit logs enabled | Audit trail | Automatic logging of all events | |
| 10.2.1 | Log user access | User tracking | User ID on every request | |
| 10.3 | Audit logs protected | Hash chain | Cryptographic integrity protection | |
| 10.4.1 | Audit logs reviewed | Dashboard | Visual log review capability | |
| 10.5 | Audit log integrity | Hash chain | Tamper-evident via cryptographic linking | |
| 10.7 | Audit log retention | Retention automation | Configurable retention periods | 🟡 Designed |
| 12.10.5 | Incident response | Audit trail review | Complete timeline for investigations | |
CCPA / CPRA, California Privacy (3 controls)
California's privacy laws grant consumers rights similar to GDPR.
| Right | Aleutian Feature | How It Helps | Status |
|---|---|---|---|
| Right to Know | User query API | Retrieve all data associated with a user | |
| Right to Delete | GDPR deletion flow | Same deletion mechanism works for CCPA | |
| Data Inventory | DLP scanning | Shows what personal data is collected | 🟡 Designed |
EU AI Act (4 controls)
The EU AI Act introduces logging and transparency requirements for AI systems. The following articles are relevant to AI conversation auditing.
| Article | Requirement | Aleutian Feature | How It Helps | Status |
|---|---|---|---|---|
| Art. 12 | Record-keeping | Audit trail | Comprehensive logs of AI inputs/outputs | |
| Art. 13 | Transparency | Audit logs | Shows what AI systems processed | |
| Art. 14 | Human oversight | Dashboard | Enables human review of AI activity | |
| Art. 17 | Quality management | Verification | Integrity verification of records | |
Take a 20-minute call.
If you're prepping for a security review and want to know whether Aleutian fits, this is the fastest way to find out.