Repo-verified gates
3/5
Security, reliability, and core product-release evidence are checked into the repo and guarded by CI.
Compliance
This page summarizes the current technical controls and the remaining compliance tasks. It is meant to stay aligned with the implementation and the repository-backed compliance pack.
Repo-verified gates
3/5
Security, reliability, and core product-release evidence are checked into the repo and guarded by CI.
Open external approvals
4
These are the remaining items that cannot be truthfully closed by code changes alone.
Public evidence surfaces
6
Each public page points back to a repository-backed source-of-truth document.
Repo-owned execution gates are separated from the external approvals still required for a production cutover claim.
Tenant isolation, auth/session hardening, internal token enforcement, and vulnerability evidence are checked in and guarded.
Source: docs/compliance/release-gate-checklist.md
Queue recovery, mail replay, subscription drift repair, backup/restore drill evidence, and migration smokes are recorded.
Source: docs/compliance/release-gate-checklist.md
Core flows, dashboard UX, evidence timeline, report-to-action loop, and authenticated pilot smoke are covered.
Source: docs/compliance/release-gate-checklist.md
Repo-owned controls and evidence are ready, but legal/compliance approval still requires named external owners and dated signoff.
Source: docs/compliance/external-approval-tracker.md
Feature flags, rollback criteria, and on-call docs are ready; production cutover approval still depends on external owner signoff.
Source: docs/compliance/external-approval-tracker.md
Dynafloxis uses controlled subprocessors for database, queueing, storage, billing, and transactional email. Each vendor needs an explicit data-transfer record, region note, and contract reference.
The platform now enforces retention cleanup for deleted users, notifications, support tickets, audit logs, and other operational records. Legal hold and configurable per-org retention are still open work.
The codebase includes health checks, metrics, and audit logs, but the incident workflow still needs alert routing, ownership, notification templates, and evidence handling.
Process mining, tenant administration, support tickets, and billing data all require explicit privacy-risk review before large-scale deployment or major feature expansion.
Privileged actions now require MFA step-up in the API. The remaining work is policy-level hardening: role matrix, secret handling, incident response, and external verification.
These remain intentionally open until the named owner, evidence location, approval state, and date are recorded.
Source: docs/compliance/external-approval-tracker.md