Security & Compliance

Audience: SOC 2 Type II, HIPAA, and CMS EDE Phase 3 auditors; AskFlorence engineering + ops; compliance-automation vendor onboarding (Drata / Vanta).
Scope: the documented operating-control layer. The infrastructure layer is documented under Infrastructure and the ADRs (0001, 0002, 0003, 0004).
Status: living set of documents. Each policy + control mapping records its own Last updated date. Index last revised 2026-05-11.

Audit-readiness posture (2026-05-11)

Framework	Posture	Evidence window	Next milestone
HIPAA Security Rule	In-force today. PHI scope = MongoDB Atlas M10 HIPAA-tier prod cluster + AWS BAA-covered services + Google Workspace.	Continuous (no formal window)	Mongo Atlas BAA signed PDF on file (Asad-owned, in flight)
SOC 2 Type II	Pre-evidence-window. Documentation foundation laid; vendor sign + evidence window start targeting ~July 2026 post-funding.	Not yet — target July 2026 → July 2027	Sign Drata or Vanta after funding closes; commission pen test in parallel
CMS EDE Phase 3	Multi-month preparation. Submission targeting ~February 2027 for the April–June 2027 audit period.	Not yet — auditors look at multi-month operating history at submission time	Atlas → Atlas for Government migration at submission cutover; Bedrock-Claude swap if Florence direct-API ships

The infrastructure layer is largely in place — AWS Organizations with 4 accounts, KMS CMKs, Secrets Manager, narrow-scoped Atlas users, append-only audit log, CloudTrail org-trail, Security Hub, GuardDuty, IAM OIDC for CI. The documented operating-control layer (this directory) is what auditors walk through; it captures the policies + control mappings + runbooks that bind those controls to documented procedure.

How to read this directory (auditor entry point)

If you are an auditor (SOC 2 / HIPAA / EDE), this is the recommended path:

Start with the control mappings. Open the framework you're assessing:
- SOC 2 Control Mapping — CC criteria, append-only evidence register
- HIPAA Control Mapping — 45 CFR §164.308 / .310 / .312 mapping
- CMS EDE Appendix A Mapping — Phase 3 § 1–11 mapping
From each control row, follow the evidence link — ADR, runbook, Terraform configuration, CI workflow run, or Atlas role JSON. Every row cites a specific artifact, not a generic claim.
For org-level policy questions, consult the matching policy doc:
- Risk Assessment — annual risk register
- Encryption Policy — at-rest, in-transit, key management
- Data Retention Policy — per data class
- Privacy Impact Assessment — current PHI-adjacent flows
- Incident Response Plan — roles, escalation, regulatory timelines
- Access Control Policy — SSO, MFA, quarterly reviews, break-glass
- Marketing vs. Portal Analytics — auth-wall isolation control, tool-approval SOP, living registry of approved third-party tools on apex
- Vendor / subprocessor register — BAA / DPA / FedRAMP status
For operational procedure, consult the runbooks:
- Security Incident Response — first-responder playbook
- Break-Glass Root Login — when, how, audit posture
- Onboard Team Member — SOC 2-grade checklist
- Offboard Team Member — revocation checklist
- Atlas User Provisioning — DB user lifecycle
For standing operational artifacts:
- Access reviews — quarterly review records
- Penetration test reports — pen test history (first report target Q4 2026)

What HIPAA covers today

PHI touchpoints exist now. The Security Rule applies in-force to:

Touchpoint	Data class	HIPAA control surface
Quote browsing (ZIP + age + income)	Anonymous (not PHI)	Stateless — no storage, no audit log row, no PHI implication
Agent waitlist + survey (`agent_waitlist_submissions`, `agent_survey_responses` on Atlas)	PII (email, name, NPN, phone)	§164.308(a)(4) least-privilege role binding via `app_writer_survey`; §164.312(b) audit via `agent_audit_log`
MongoDB Atlas prod cluster	PHI-scope-enabled (M10 HIPAA tier — see vendor register Atlas row)	§164.308(b) BAA; §164.312(a)(1) per-service unique-ID auth; §164.312(b) append-only audit log; §164.312(e)(1) TLS 1.2+
AWS (compute, storage, secrets, monitoring)	All classes	§164.308(b) AWS Organizations BAA signed 2026-04-18; §164.310 physical safeguards inherited; §164.312 technical safeguards via KMS + Secrets Manager + CloudTrail
Google Workspace (founder + ops email)	PII (could be PHI if member info flows in)	§164.308(b) BAA accepted 2026-05-01 via admin console click-through

What is NOT yet in scope (Phase 5 agent platform + member enrollment, target 2026-06-15): consumer SSN, DOB, plan-enrollment records. When those collections land, the HIPAA mapping rows in hipaa-control-mapping.md for the not-yet-applicable safeguards graduate from "planned" to evidenced.

Encryption posture (current state)

See encryption-policy.md for the full policy. Summary:

In transit: TLS 1.2+ enforced on all Atlas connections (Atlas-side floor); HTTPS-only on apex via CloudFront + ACM; AWS PrivateLink for the cross-cluster reference read path (network-layer protection on top of TLS); no plaintext channels exist between prod ECS and any data store.
At rest: Atlas cluster-level AES-256 (default at M10 tier); S3 SSE-KMS with project-owned CMK; CloudWatch encrypted; Secrets Manager encrypted with project-owned CMK.
Application-level field encryption (CSFLE): not yet implemented. Will be required for the consumers and enrollments collections (Phase 5+) before any PHI lands there. Roadmap in encryption-policy.md.
Key management: AWS KMS CMKs per project (state, data, secrets). Rotation cadence in encryption-policy.md. CMK access is restricted to specific IAM roles per least-privilege.

Access control posture (current state)

See access-control-policy.md for the full policy. Summary:

Identity: AWS IAM Identity Center (SSO) as the source of truth for human access to AWS accounts. Permission sets: admin, power_user, billing_ro, security_audit. Pre-positioned but not yet imported into Terraform (Phase 3b pending; see infra/envs/management/outputs-reference.md).
MFA: required on the SSO directory; hardware-MFA enrollment tracked separately (#67).
CI/CD: GitHub Actions assumes GitHubActionsDeployRole via OIDC — short-lived STS credentials, no long-lived IAM access keys.
Database: narrow-scoped Atlas users per ADR 0003. Current authoritative state in atlas-access-matrix.md. CI-enforced drift check (scripts/audit/staging-cluster-drift.ts, nightly 08:00 UTC).
Compliance automation: DrataAutopilotRole deployed in all four accounts with SecurityAudit + ReadOnlyAccess, trust placeholder unactivated until vendor signing — see compliance-automation-integration.md.

Audit logging posture (current state)

See HIPAA control mapping §164.312(b) for the live row.

agent_audit_log collection in the prod Atlas cluster — append-only enforced at the DB permission layer (ADR 0002). No app-tier credential can mutate the log; tamper attempts are themselves logged by Atlas.
CloudTrail organization trail in the log-archive account — captures all AWS API events across the four-account org. Retention: 7 years.
Security Hub findings aggregated org-wide; cross-account export to log-archive S3 planned (see security-hub-setup.md).
GuardDuty enabled org-wide with malware protection on the agent-survey-uploads S3 bucket.

Standing operational cadence

Cadence	What	Where
Per PR	`staging-collections-guard` CI workflow — fails PR if `getReferenceDb()` accesses a non-allow-listed collection	`.github/workflows/staging-collections-guard.yml`
Per PR	`validate-secrets` CI workflow — fails PR if any secret has trailing whitespace, embedded newlines, or is empty (catches the bug class that broke Resend)	`.github/workflows/validate-secrets.yml`
Daily 08:00 UTC	`staging-cluster-drift` live nightly audit of `app_read_staging` role privileges; opens P1 issue on drift	`.github/workflows/staging-cluster-drift.yml`
Quarterly	Access review of SSO assignments, Atlas users, hardware MFA status, vendor BAA expirations	`../infrastructure/access-reviews/`
Annually	Pen test (first report target Q4 2026)	`./penetration-test-reports/`
At every new vendor adoption	Vendor-register row added before contract signed; BAA / DPA collected before any production data flows	vendor-register.md
At every retirement	Vendor moved to retired section + BAA retained in `docs/infrastructure/evidence/` for 6 years	vendor-register.md
At every control-relevant change	Append a row to the relevant control mapping with link to ADR / runbook / session log	soc2-control-mapping.md, hipaa-control-mapping.md, ede-control-mapping.md

Documented incidents (reference for IRP)

The full Incident Response Plan carries worked examples from these incidents:

2026-04-10 — Resend transactional email outage (literal \n in API key + DKIM mis-config). Detected via founder-side test send. Resolved by retiring Resend in favor of AWS SES (v0.33.0, 2026-04-30). Drove the validate-secrets CI workflow.
2026-04-10 — GET /api/waitlist route triggered real SES sends to a hardcoded recipient when crawled. ~15–25 spurious emails over 30 days before hotfix in commit 4422ca8. Drove the "no side-effects in GET handlers" engineering rule.
2026-04-30 — Homepage "Get early access" CTA was a no-op since v0.29.0 deploy. Anyone clicking between deploy and fix was lost (no Mongo row, no SES, no PostHog event). Drove tighter post-deploy smoke testing.
2026-05-06 — CMS ingest cost spike (~$2,800/mo on M60). Drove the delta-aware refresh cadence (../decisions/2026-05-09-refresh-cadence.md).
2026-05-09 — HubSpot GDPR-delete of [email protected] (irreversible blocklist). Drove the +alias@ convention for HubSpot test data.

Cross-references

Domain	Where it lives
Data classification taxonomy (Public / Internal / PII / PHI)	`../infrastructure/data-classification.md`
Atlas user / role / env-var matrix (authoritative)	`../infrastructure/atlas-access-matrix.md`
AWS organization + accounts	`../infrastructure/aws-organizations.md`
AWS deploy + change log	`../infrastructure/change-log.md`
Agent platform compliance design	`../agent-platform/compliance.md`
BAA evidence PDFs / screenshots	`../infrastructure/evidence/`
Architectural decision records	`../adr/`

Open follow-ups (referenced from policies)

#57 — Vendor HIPAA BAA coverage (Asad-owned); Mongo Atlas signed BAA PDF
#67 — Hardware MFA enrollment
#71 — This compliance documentation work (ENG-214)
#75 — PostHog Cloud removed (sub-A, 2026-05-12); replacement OpenPanel + GlitchTip self-hosted (ADR 0009 / ENG-347, build at #342)
Atlas-for-Government migration at EDE Phase 3 cutover (see encryption-policy.md)
Pen test vendor RFQ — July 2026 outreach for Q4 2026 report (see penetration-test-reports/)