Compliance

Dynafloxis compliance evidence

This page summarizes the current technical controls and the remaining compliance tasks. It is meant to stay aligned with the implementation and the repository-backed compliance pack.

Repo-verified gates

3/5

Security, reliability, and core product-release evidence are checked into the repo and guarded by CI.

Open external approvals

4

These are the remaining items that cannot be truthfully closed by code changes alone.

Public evidence surfaces

6

Each public page points back to a repository-backed source-of-truth document.

Release readiness status

Repo-owned execution gates are separated from the external approvals still required for a production cutover claim.

Open evidence index

Security gate

Repo verified

Tenant isolation, auth/session hardening, internal token enforcement, and vulnerability evidence are checked in and guarded.

Source: docs/compliance/release-gate-checklist.md

Reliability gate

Repo verified

Queue recovery, mail replay, subscription drift repair, backup/restore drill evidence, and migration smokes are recorded.

Source: docs/compliance/release-gate-checklist.md

Product gate

Repo verified

Core flows, dashboard UX, evidence timeline, report-to-action loop, and authenticated pilot smoke are covered.

Source: docs/compliance/release-gate-checklist.md

Compliance gate

External approval needed

Repo-owned controls and evidence are ready, but legal/compliance approval still requires named external owners and dated signoff.

Source: docs/compliance/external-approval-tracker.md

Rollout gate

External approval needed

Feature flags, rollback criteria, and on-call docs are ready; production cutover approval still depends on external owner signoff.

Source: docs/compliance/external-approval-tracker.md

Vendor and transfer evidence

Dynafloxis uses controlled subprocessors for database, queueing, storage, billing, and transactional email. Each vendor needs an explicit data-transfer record, region note, and contract reference.

Retention and deletion

The platform now enforces retention cleanup for deleted users, notifications, support tickets, audit logs, and other operational records. Legal hold and configurable per-org retention are still open work.

Incident response

The codebase includes health checks, metrics, and audit logs, but the incident workflow still needs alert routing, ownership, notification templates, and evidence handling.

DPIA and risk review

Process mining, tenant administration, support tickets, and billing data all require explicit privacy-risk review before large-scale deployment or major feature expansion.

Security and access control

Privileged actions now require MFA step-up in the API. The remaining work is policy-level hardening: role matrix, secret handling, incident response, and external verification.

Vendor registerRetention policyIncident responseSecurity baselineMining privacyRole matrixMonitoringSecretsEvidence indexDPIA notes

Current evidence pack

  • • Vendor register and transfer notes are tracked in `docs/compliance/vendor-register.md`.
  • • Retention behavior is tracked in `docs/compliance/retention-policy.md`.
  • • Incident response notes are tracked in `docs/compliance/incident-response.md`.
  • • DPIA triggers are tracked in `docs/compliance/dpia-notes.md`.
  • • Security baseline and access control expectations are tracked in `docs/compliance/security-controls.md`.
  • • Role and responsibility mapping is tracked in `docs/compliance/role-matrix.md`.

External approvals still open

These remain intentionally open until the named owner, evidence location, approval state, and date are recorded.

Source: docs/compliance/external-approval-tracker.md

Product pilot signoff

pending
Owner
TBD
Evidence
Pilot notes and exported decision report bundle
Target date
TBD

Engineering rollout approval

pending
Owner
TBD
Evidence
Staging validation bundle and rollback criteria
Target date
TBD

Operations rollout window

pending
Owner
TBD
Evidence
On-call plan, monitoring proof, and backup evidence
Target date
TBD

Legal/compliance approval

pending
Owner
TBD
Evidence
Legal signoff record plus DPIA/DPA/subprocessor review
Target date
TBD
Access governanceSecurity review and pentestPrivacy notice summaryAlertsTransfersKMS policyProcessing register