Compliance Mapping
SOX (Sarbanes-Oxley)
Relevant controls: IT General Controls (ITGC), access controls, audit trails, change management.
| SOX requirement | Cosmictron capability |
|---|---|
| Complete, accurate audit trail of financial system transactions | Event log with Ed25519 signatures and hash chain |
| Tamper-evident records | Hash chain detects deletion or modification |
| Non-repudiation of transactions | Per-event signatures bound to caller identity |
| Access controls | Row-level security, JWT identity, reducer-level capability checks |
| Segregation of duties for record production | FROST threshold signing requires M-of-N approvals for audit bundle production |
Relevant features: Event Signing, Hash Chain, Threshold Signing
FINRA (Financial Industry Regulatory Authority)
Relevant rules: Rule 17a-4 (broker-dealer records), WORM storage requirements.
| FINRA requirement | Cosmictron capability |
|---|---|
| Books and records retained in non-rewriteable, non-erasable format | Append-only WAL; hash chain detects any modification |
| Records available for examination | Audit bundle export with full event history |
| Trusted timestamps on records | RFC 3161 timestamp tokens from accredited TSA |
| Third-party verification possible | Standalone bundle verifier; no server connection required |
Relevant features: Audit Bundles, Timestamping
HIPAA (Health Insurance Portability and Accountability Act)
Relevant rules: Security Rule (45 CFR 164.312), audit controls, integrity, transmission security.
| HIPAA requirement | Cosmictron capability |
|---|---|
| Audit controls — hardware/software activity recorded | All reducer calls logged in WAL with identity, timestamp |
| Integrity controls — data not improperly altered | Hash chain; Ed25519 signatures |
| PHI access controls | Row-level security with #[rls] policies |
| PHI encryption at rest | PII Gate (AES-256-GCM envelope encryption) |
| GDPR-style right to erasure (state-level) | DEK deletion in PII Gate renders PHI unreadable |
| Transmission security | TLS on all protocol surfaces (WebSocket, HTTP, PgWire) |
Relevant features: PII Gate, Event Signing, Row-Level Security
21 CFR Part 11 (FDA Electronic Records / Electronic Signatures)
This regulation applies to pharmaceutical, biotech, and medical device companies using electronic records.
| 21 CFR Part 11 requirement | Cosmictron capability |
|---|---|
| § 11.10(e) — Audit trail with date/time stamps | WAL with per-event timestamps; RFC 3161 TSA tokens |
| § 11.10(e) — Audit trail computer-generated, not modifiable | Append-only WAL; hash chain; signatures |
| § 11.50 — Signed records identify signer | Ed25519 signature bound to sender_identity |
| § 11.50(b) — Signatures indicate time/date | RFC 3161 timestamp tokens |
| § 11.100 — Unique signatures | Identity-keyed Ed25519 keys per principal |
| § 11.200 — Biometric or non-biometric signatures | Ed25519 constitutes a non-biometric electronic signature |
Relevant features: Event Signing, Timestamping, Audit Bundles
GxP (Good Practice guidelines — pharma, medical devices)
GxP encompasses GMP, GLP, GCP (Good Manufacturing/Laboratory/Clinical Practice).
| GxP requirement | Cosmictron capability |
|---|---|
| Data integrity (ALCOA+: Attributable, Legible, Contemporaneous, Original, Accurate) | All five ALCOA+ attributes addressed by event log design |
| Attributable | sender_identity in every event |
| Contemporaneous | RFC 3161 trusted timestamps |
| Original | Append-only; hash chain prevents modification |
| Accurate | BSATN binary encoding is deterministic and schema-validated |
| Audit trail | Full WAL export with verification |
Relevant features: All compliance features apply. See Audit Bundles for the primary deliverable.
Compliance checklist
Before going live in a regulated environment:
- Enable `event_signing = true` in `[compliance]`
- Configure RFC 3161 TSA (accredited for your jurisdiction)
- Set up FROST threshold signing if M-of-N approval is required
- Configure PII Gate for all PHI/PII fields
- Schedule regular audit bundle exports to immutable storage
- Test bundle verification with the standalone verifier
- Document key rotation procedures and test them
- Review row-level security policies with your compliance team
- Engage a qualified auditor to review your deployment
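As an added illustration of what the standalone verifier in the checklist above has to check, and of why the SOX table can say a hash chain detects deletion or modification while per-event signatures give non-repudiation, the following Go program replays a signed, hash-chained log offline. It is example code, not Cosmictron's own: the `Event` layout, the `Append`/`Verify`/`digest` names, SHA-256 as the link hash and the mapping of `sender_identity` to a `Sender` field are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Event is a hypothetical, simplified audit-log entry (assumed layout, not Cosmictron's real format).
type Event struct {
	Sender    string   // the sender_identity the event is attributed to
	Payload   []byte   // application data, e.g. a serialized reducer call
	PrevHash  [32]byte // hash of the previous event; all zero for the first
	Hash      [32]byte // SHA-256 over prev hash, sender and payload
	Signature []byte   // Ed25519 signature over Hash by the sender's key
}

// digest chains an event to its predecessor; sender is length-prefixed so fields cannot shift.
func digest(prev [32]byte, sender string, payload []byte) [32]byte {
	msg := fmt.Sprintf("%x|%d:%s|", prev, len(sender), sender)
	return sha256.Sum256(append([]byte(msg), payload...))
}

// Append links a new event to the chain and signs it with the sender's key.
func Append(chain []Event, priv ed25519.PrivateKey, sender string, payload []byte) []Event {
	e := Event{Sender: sender, Payload: payload}
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = digest(e.PrevHash, sender, payload)
	e.Signature = ed25519.Sign(priv, e.Hash[:])
	return append(chain, e)
}

// Verify replays the chain offline with only the principals' public keys; a
// deleted, reordered or altered event, or a wrong signer, fails. Tail truncation
// is not detectable here; an external anchor (e.g. an RFC 3161 timestamp) covers it.
func Verify(chain []Event, keys map[string]ed25519.PublicKey) error {
	var prev [32]byte
	for i, e := range chain {
		if e.PrevHash != prev || e.Hash != digest(prev, e.Sender, e.Payload) {
			return fmt.Errorf("event %d: hash chain broken", i)
		}
		if pub, ok := keys[e.Sender]; !ok || !ed25519.Verify(pub, e.Hash[:], e.Signature) {
			return fmt.Errorf("event %d: bad signature for %q", i, e.Sender)
		}
		prev = e.Hash
	}
	return nil
}
```

The verifier needs no connection to the server that produced the log, only the exported events and the principals' public keys, which is the property the FINRA table describes.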