
Compliance Mapping Notes (Evidence-Based)

Important Scope Note

This is not a certification statement. It is a code-evidence mapping snapshot for enterprise review preparation.

SOC 2 (Security/Availability/Confidentiality) - Preliminary Mapping

Controls with some evidence

  • Logical access controls: request-level API key/JWT authentication dependencies.
  • Credential hashing for Hub API keys (keys are not stored in plaintext).
  • Webhook signature validation on the key telephony paths.
  • Application logging and operational telemetry in both systems.

Controls partially evidenced

  • Change/security management process (technical controls exist, formal process not evidenced in code).
  • Incident response readiness (technical logs exist, formal playbooks not evidenced).
  • Availability/DR controls (deploy/restart exists; backup/restore governance not fully evidenced).

Controls not evidenced in code

  • Organization-wide policy governance and risk assessment process.
  • Vendor management process and formal control ownership framework.
  • Enterprise key management policy and central secrets governance proof.

ISO 27001 - Preliminary Mapping

Likely aligned technical practices (partial)

  • Access control implementation at application layer.
  • Event logging in application services.
  • Secure development practices (partial): modularized auth checks, webhook signature validation.

Major evidence gaps for ISMS conformance

  • Documented ISMS scope, risk treatment plan, internal audit cycle, management review.
  • Asset register and formal data classification policy.
  • Supplier security governance artifacts.

HIPAA/PHI (If In Scope) - Preliminary Notes

  • The repositories process communications and user-interaction data; whether any of it is PHI depends on business context and cannot be determined from code alone.
  • No claim is made for HIPAA compliance.
  • Required safeguards (administrative, technical, physical) cannot be confirmed from app code alone.

PCI DSS (If Payment Data In Scope)

  • No claim is made for PCI DSS compliance.
  • Payment-related references exist, but cardholder data environment controls are not verifiable here.

Immediate Compliance Risks for Enterprise Review

  1. Secret hygiene: real-looking credential values are committed in sample/template env files (domain-chatbot/.env.sample, .env.template) rather than obvious placeholders.
  2. CORS hardening is inconsistent between the two systems (the Hub allows a wildcard origin).
  3. Request/auth/body logging may write credentials or user content to logs.
  4. Controls are not standardized across the two systems, so equivalent controls must be evidenced twice.
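The three technical risks above can be checked mechanically before an enterprise review. The script below is an added example, not code from either repository; the env text, CORS settings dict and log record it scans are constructed for illustration, and the key-name and placeholder patterns are assumed conventions, not the project's.

```python
"""Pre-review hygiene checks for committed secrets, wildcard CORS and log leakage.

Added example; not part of the project. SAMPLE_ENV, the CORS dicts and
SAMPLE_LOG below are constructed inputs.
"""
import math
import re

# Key names that usually hold credentials (assumed naming convention).
SECRET_KEY_RE = re.compile(r"(KEY|SECRET|TOKEN|PASS(WORD|WD)?|PWD|PRIVATE)", re.I)
# Values that are clearly placeholders and therefore acceptable in a template file.
PLACEHOLDER_RE = re.compile(
    r"^$|change[-_ ]?me|replace|your[-_]|example|xxx+|placeholder|dummy|todo|^<.*>$",
    re.I,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys and hex tokens score well above words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_committed_secrets(env_text: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return (key, line_no) for credential-like keys whose value looks real.

    A value counts as a real secret when it is not a recognisable placeholder,
    is at least min_len characters long and has at least min_entropy bits/char.
    """
    findings = []
    for line_no, raw in enumerate(env_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip().strip("'\"")
        if not SECRET_KEY_RE.search(key) or PLACEHOLDER_RE.search(value):
            continue
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((key, line_no))
    return findings


def check_cors(config: dict):
    """Return a finding string for a weak CORS policy, or None if it looks sane.

    A wildcard origin combined with credentials is the worst case: frameworks
    typically reflect the request Origin then, so any site can make
    authenticated cross-origin requests.
    """
    origins = config.get("allow_origins", [])
    creds = bool(config.get("allow_credentials", False))
    if "*" in origins:
        return "wildcard origin with credentials" if creds else "wildcard origin"
    if not all(o.startswith("https://") for o in origins):
        return "non-https origin in allowlist"
    return None


def redact_log_record(record: dict) -> dict:
    """Return a copy safe to log: credential-bearing fields are masked and raw
    string bodies are replaced by their length, so payloads never reach logs."""
    out = {}
    for k, v in record.items():
        if k.lower() in ("authorization", "cookie") or SECRET_KEY_RE.search(k):
            out[k] = "[REDACTED]"
        elif k.lower() == "body" and isinstance(v, str):
            out[k] = f"<{len(v)} bytes omitted>"
        elif isinstance(v, dict):
            out[k] = redact_log_record(v)  # structured bodies/headers: recurse
        else:
            out[k] = v
    return out


# Constructed sample inputs (not the project's files or settings).
SAMPLE_ENV = """\
# constructed sample, not the project's .env.sample
DEBUG=true
LLM_API_KEY=sk-REPLACE_ME
JWT_SECRET=change-me
TELEPHONY_AUTH_TOKEN="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
SMTP_PASSWORD=
"""
HUB_CORS_AS_FOUND = {"allow_origins": ["*"], "allow_credentials": True}
HUB_CORS_HARDENED = {"allow_origins": ["https://app.example.com"], "allow_credentials": True}
SAMPLE_LOG = {
    "method": "POST",
    "path": "/api/chat",
    "headers": {"Authorization": "Bearer eyJhbGciOi...", "Content-Type": "application/json"},
    "body": '{"message": "hi", "api_key": "a1b2c3d4e5f6a7b8"}',
}

if __name__ == "__main__":
    print("secrets:", find_committed_secrets(SAMPLE_ENV))
    print("cors:", check_cors(HUB_CORS_AS_FOUND), "/", check_cors(HUB_CORS_HARDENED))
    print("log:", redact_log_record(SAMPLE_LOG))
```

Run against the real `.env.sample`/`.env.template` contents and the Hub's CORS settings to turn items 1 and 2 into evidence paths for the control matrix; wrap the request logger with `redact_log_record` (or an equivalent filter) to close item 3 before logs reach a shared pipeline.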

Evidence Anchors

  • Aventora-Assistant/auth/middleware.py
  • Aventora-Assistant/db/api_key_manager.py
  • Aventora-Assistant/server/server.py
  • Aventora-Assistant/server/middleware/timing.py
  • domain-chatbot/LLM_full/main.py
  • domain-chatbot/LLM_full/auth/router.py
  • domain-chatbot/Agent/phone/webhook.py
  • domain-chatbot/.env.sample
  • domain-chatbot/.env.template

Next Step for Formal Assessment

Create a control matrix with three fields per control:

  1. Implemented in code (yes/no + evidence path)
  2. Implemented outside code (owner-provided evidence)
  3. Gap and remediation plan (owner + target date)