1. Encryption
All data at rest is encrypted with AES-256-GCM. All data in transit uses TLS 1.3. Database connections to PostgreSQL are TLS-encrypted. Document content in the Secure Document Vault is server-side AES-256 encrypted on Hetzner Object Storage. Passwords are hashed with Argon2id (memory-hard, time cost >= 3, memory >= 64 MiB) with a platform-wide pepper.
2. Access Control
Role-based access control with least-privilege defaults. Six user types: Foundation, Grantee, Council, JIL Operator, Auditor, Regulator. MFA is available; required for high-value disbursement decisions and break-glass operator access. Quarterly access reviews. Privileged access logged with action, actor, and outcome to a Merkle-chained audit log.
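The tamper-evidence property of the chained audit log described above, as an added illustration (not the platform's own code): each privileged-access entry records action, actor and outcome together with the hash of the preceding entry, so editing or deleting an earlier entry invalidates every later one. The example uses a linear SHA-256 hash chain with a constructed genesis value and constructed sample events; a full Merkle tree is a generalisation of the same idea.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sentinel standing in for "no previous entry".
GENESIS = "0" * 64


def _canonical(entry: Dict) -> bytes:
    # Deterministic serialisation so an entry always hashes identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: List[Dict], actor: str, action: str, outcome: str) -> Dict:
    """Append a privileged-access event whose hash commits to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action,
            "outcome": outcome, "prev_hash": prev_hash}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # Sequence numbers and back-links catch reordering, insertion and deletion;
        # recomputing the hash catches in-place edits to any field.
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return None


def demo() -> tuple:
    """Build a small constructed log, then show that a silent edit is detected."""
    log: List[Dict] = []
    append_event(log, "ops-alice", "break-glass-login", "success")
    append_event(log, "ops-alice", "disbursement-approve", "success")
    append_event(log, "ops-bob", "document-export", "denied")
    intact = verify_chain(log)          # None: chain verifies
    log[1]["outcome"] = "denied"        # simulated after-the-fact edit
    return intact, verify_chain(log)    # (None, 1): entry 1 no longer matches
```

Truncating the tail of the chain is not caught by this check alone; the latest hash must be anchored somewhere the writer cannot alter (for example published or signed periodically) so that the expected head can be compared against the stored one.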
3. Key Management
Cryptographic keys for HMAC webhook signing and CREB attestation are stored separately from data, with rotation procedures documented in the Key Management Standard (internal). Master keys never leave the controlled environment; signing happens in containers with restricted file-system access.
4. Network Security
Production network is TLS-only at the edge; internal services communicate over a private Docker network with no public ingress. Service-to-service TLS where commercially available. WAF + DDoS protection at the edge.
5. Vulnerability Management
Dependency CVE scanning on every CI run. Annual third-party penetration testing. Vulnerability Disclosure Policy published. Critical vulnerabilities patched within 7 days; high within 30; medium within 90.
6. Incident Response
Incident classification (P1/P2/P3/P4) with response and communication SLAs. Personal-data breach: notify affected Foundations within 72 hours per GDPR Art. 33. PHI breach: notify within 60 calendar days per HIPAA § 164.410. Public post-incident review within 30 days for P1/P2.
7. Audit + Certification
SOC 2 Type II audit planned for Q4 2027. ISO 27001 alignment in interim. Continuous Trust Center publication of compliance posture.