Compliance Automation Integration

Tracks the state of the compliance-automation platform that ingests evidence against our SOC 2, HIPAA, and EDE control mappings — what's connected, what's automated, what's manual, what's open.

Vendor decision: deferred to procurement post-funding (target July 2026). Candidate vendors are Drata and Vanta. See compliance-automation-vendor-evaluation.md for the side-by-side decision criteria. Both vendors implement the same assume-role pattern with SecurityAudit + ReadOnlyAccess against AWS, so the choice of vendor does not change the connector list below — only the trust-policy ExternalId and the dashboard the evidence lands in.

Connection status

No vendor connected today. Planned timing: after (a) all vendor BAAs collected (Mongo BAA is the key open item, Asad-owned, see vendor-register.md), (b) end-to-end platform v1 lands ~2026-06-15, and (c) funding closes ~July 2026. Connecting earlier surfaces "control not evidenced" findings against infrastructure that hasn't been built yet, which is noise.

Pre-positioned AWS resources: DrataAutopilotRole IAM role exists in all four AWS accounts (mgmt 778477254880, prod 039624954211, staging 549136075525, log-archive 754660694122) with SecurityAudit + ReadOnlyAccess AWS managed policies + a DrataAutopilotExtras inline policy. Trust policy is a placeholder with ExternalId PLACEHOLDER-REPLACE-ON-DRATA-ONBOARD — never used. At vendor signing, the trust policy + ExternalId swap to the chosen vendor's official autopilot account ARN; if the selected vendor is Vanta, the role is renamed to ComplianceAutopilotRole (15-min Terraform change in infra/envs/{mgmt,prod,staging,log-archive}/ once those roles are imported into Terraform state in Phase 3b). See infra/envs/management/outputs-reference.md for the Phase 3b import list.
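As an added example (not AskFlorence's own tooling or Terraform), a pure-Python checker for the pre-positioned role: it confirms the trust policy carries the `sts:ExternalId` condition the vendor assume-role pattern relies on against confused-deputy misuse, reports whether that ExternalId is still the placeholder (role unusable) or a real onboarding value, rejects wildcard or multiple principals, and confirms only SecurityAudit + ReadOnlyAccess are attached as managed policies. Beyond the placeholder ExternalId string and the two managed-policy ARNs, everything here is constructed: the `check_autopilot_role` / `trust_doc` names, the sample documents, the account IDs 000000000000 / 111111111111 and the onboarded ExternalId value; the inline DrataAutopilotExtras policy is not modelled.

```python
import json

PLACEHOLDER_EXTERNAL_ID = "PLACEHOLDER-REPLACE-ON-DRATA-ONBOARD"
# Managed policies the role is documented to carry; any other managed policy is flagged.
REQUIRED_MANAGED = {"arn:aws:iam::aws:policy/SecurityAudit", "arn:aws:iam::aws:policy/ReadOnlyAccess"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principals(stmt):
    """Normalise the Principal element to a list of strings ('*' for a wildcard)."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []

def check_autopilot_role(trust_policy_json, attached_managed_arns):
    """Return (state, findings): state is 'pre-positioned' or 'onboarded'; empty findings means acceptable."""
    doc = json.loads(trust_policy_json)
    findings, state = [], "onboarded"
    assume = [s for s in doc.get("Statement", [])
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if len(assume) != 1:
        findings.append("expected exactly one Allow sts:AssumeRole statement")
    for stmt in assume:
        principals = _principals(stmt)
        if "*" in principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        elif len(principals) != 1:
            findings.append("expected exactly one vendor autopilot principal")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("missing sts:ExternalId condition (confused-deputy exposure)")
        elif ext_id == PLACEHOLDER_EXTERNAL_ID:
            state = "pre-positioned"  # placeholder still in place: role is not yet usable by anyone
    attached = set(attached_managed_arns)
    findings += [f"missing required managed policy {a}" for a in sorted(REQUIRED_MANAGED - attached)]
    findings += [f"unexpected managed policy {a}" for a in sorted(attached - REQUIRED_MANAGED)]
    return state, findings

def trust_doc(principal, external_id=None):
    """Build a constructed trust-policy document (sample input, not taken from any real account)."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": principal}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

# Constructed samples: 000000000000 / 111111111111 stand in for the placeholder and vendor accounts.
PLACEHOLDER_TRUST = trust_doc("arn:aws:iam::000000000000:root", PLACEHOLDER_EXTERNAL_ID)
ONBOARDED_TRUST = trust_doc("arn:aws:iam::111111111111:root", "constructed-external-id-42")
BROKEN_TRUST = trust_doc("*")  # wildcard principal and no ExternalId: must produce findings
```

In practice the trust document comes from `aws iam get-role` (the AssumeRolePolicyDocument field) and the managed ARNs from `aws iam list-attached-role-policies`, run once per account.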

Expected connectors at signing

Priority order matches what the chosen vendor will need to auto-evidence the CC6/CC7 + §164 + EDE control rows already populated in the mapping files.

| Connector | What it evidences | Priority | Vendor coverage |
|---|---|---|---|
| AWS (all four org accounts) | Account inventory, IAM, VPC, encryption, CloudTrail, Security Hub findings | P0 — blocks most CC6/CC7 evidence | Both Drata + Vanta: first-class |
| MongoDB Atlas | Database users, roles, access lists, audit logs (both projects: askflorence-prod-01 + askflorence-staging) | P0 | Both: first-class |
| GitHub | Code review, branch protection, secret scanning, dependency scanning, member access | P0 | Both: first-class |
| Google Workspace | Employee roster, MFA enforcement, device compliance, Drive sharing posture | P0 | Both: first-class |
| HubSpot | Agent waitlist + survey audit trail (no PHI by design — see agent-platform/compliance.md) | P1 | Both: standard CRM connector |
| Linear / GitHub Projects | Ticket tracking, change-management evidence | P2 | Both: native integration |

Retired connectors (do not configure): Vercel (replaced by AWS ECS Phase 10, 2026-04-23); Resend (replaced by AWS SES 2026-04-30).

Automated vs manual register

Populated once a vendor is connected. Every control row from soc2-control-mapping.md, hipaa-control-mapping.md, and ede-control-mapping.md gets a row here indicating whether the platform can auto-evidence it or whether manual attestation is required.

Empty table today. Fill in at connection time:

| Control | Vendor connector | Automated? | Manual evidence owner |
|---|---|---|---|
| (empty) | | | |

EDE Phase 3 is manual either way

Neither Drata nor Vanta pre-maps CMS EDE Phase 3 / MARS-E 2.2 controls. The vendor will auto-evidence the underlying NIST 800-53 R4 Moderate baseline + AWS FedRAMP Moderate inheritance, but EDE-specific narrative (Appendix A § 1–11) is hand-mapped in ede-control-mapping.md. Plan accordingly when budgeting vendor onboarding time — most of the SOC 2 + HIPAA mapping work absorbs automatically; the EDE mapping does not.

What "not yet connected" does NOT mean

It does not mean we skip building the evidence trail. Every control-relevant decision is captured in an ADR and linked from the SOC 2 / HIPAA / EDE mappings on the date it lands. When the vendor connects post-funding, most of that trail gets absorbed automatically; the parts that don't become manual-attestation rows here.

The operating habits (quarterly access reviews, incident postmortems, vendor-register updates) start happening as routine NOW — see ../infrastructure/access-reviews/ — so that July's evidence-window kickoff is a continuation of practice, not a new behavior.

AskFlorence Internal Documentation. Not for public distribution.