Compliance Controls¶
Section: 5-security-architecture
Document: Compliance & Regulatory Controls
Status: Technical Compliance Implementation
Audience: Compliance officers, legal teams, security teams
๐ฏ Overview¶
MachineAvatars implements comprehensive technical controls to ensure compliance with GDPR (EU), DPDPA 2023 (India), HIPAA (US - on-premise only), SOC 2, PCI DSS, and prepares for ISO 27001 certification.
Compliance Status:
- โ GDPR (EU) - Compliant
- โ DPDPA 2023 (India) - Compliant
- โ ๏ธ HIPAA (US) - On-premise only
- ๐ก SOC 2 Type II - In progress (Q2 2025)
- โ PCI DSS - Compliant (via Razorpay)
- โณ ISO 27001 - Planned (Q4 2025)
๐ช๐บ GDPR Compliance (General Data Protection Regulation)¶
Jurisdiction: European Union
Applicability: All EU citizens/residents
Status: โ
Compliant
Article 32: Security of Processing¶
Technical Measures Implemented:
// Encryption (Article 32.1.a)
{
"data_at_rest": "AES-256 (MongoDB, Milvus)",
"data_in_transit": "TLS 1.3 (all connections)",
"backups": "AES-256 encrypted"
}
// Access Control (Article 32.1.b)
{
"authentication": "JWT tokens, OTP verification",
"authorization": "RBAC (5 roles)",
"mfa": "Email OTP (SMS/App planned)",
"password_hashing": "โ ๏ธ MISSING - bcrypt needed!"
}
// Monitoring (Article 32.1.d)
{
"security_monitoring": "Azure Security Center",
"audit_logs": "90-day retention (Business+)",
"incident_detection": "Automated alerts"
}
Data Subject Rights Implementation¶
Right to Access (Article 15)¶
Implementation:
@app.get("/v1/gdpr/data-export")
@require_permission("data:export")
async def export_user_data(user_context: dict = Depends(verify_jwt_token)):
"""Export all user data (GDPR Article 15)."""
user_id = user_context["user_id"]
# Collect all user data
data_export = {
"user_profile": users_collection.find_one({"user_id": user_id}),
"chatbots": list(chatbots_collection.find({"user_id": user_id})),
"conversations": list(chat_history_collection.find({"user_id": user_id})),
"uploaded_files": list(files_collection.find({"user_id": user_id})),
"system_prompts": list(system_prompts_collection.find({"user_id": user_id})),
"subscription": list(features_collection.find({"user_id": user_id})),
"generated_at": datetime.utcnow().isoformat()
}
# Return as downloadable JSON
return JSONResponse(
content=data_export,
media_type="application/json",
headers={"Content-Disposition": f"attachment; filename=data_export_{user_id}.json"}
)
Frontend:
// User profile > Settings > Download My Data
async function downloadMyData() {
const response = await fetch("/v1/gdpr/data-export", {
headers: { Authorization: `Bearer ${token}` },
});
const blob = await response.blob();
saveAs(blob, "my_data.json");
}
Right to Erasure (Article 17 - "Right to be Forgotten")¶
Implementation:
@app.delete("/v1/gdpr/delete-account")
@require_permission("account:delete")
async def delete_user_account(user_context: dict = Depends(verify_jwt_token)):
"""Permanently delete user account and all data."""
user_id = user_context["user_id"]
# Log deletion request (for compliance audit)
audit_logs_collection.insert_one({
"timestamp": datetime.utcnow(),
"user_id": user_id,
"action": "account_deletion_requested",
"reason": "GDPR Article 17 - Right to Erasure"
})
# Delete from all collections
users_collection.delete_one({"user_id": user_id})
chatbots_collection.delete_many({"user_id": user_id})
chat_history_collection.delete_many({"user_id": user_id})
files_collection.delete_many({"user_id": user_id})
system_prompts_collection.delete_many({"user_id": user_id})
features_collection.delete_many({"user_id": user_id})
# Delete from Milvus (vector embeddings)
milvus_client.delete(expr=f"user_id == '{user_id}'")
# Note: Some data may be retained for legal/compliance (e.g., billing records for 7 years)
# This is documented in Privacy Policy
return {"message": "Account and data deleted successfully"}
Exceptions to Deletion:
- Billing records (7-year retention for tax compliance)
- Audit logs (security incident investigation)
- Data required by law
Right to Rectification (Article 16)¶
Implementation:
@app.put("/v1/users/profile")
async def update_user_profile(
profile_update: UserProfileUpdate,
user_context: dict = Depends(verify_jwt_token)
):
"""Update user profile (GDPR Article 16)."""
user_id = user_context["user_id"]
# Validate and sanitize input
update_data = profile_update.dict(exclude_unset=True)
# Update user profile
users_collection.update_one(
{"user_id": user_id},
{"$set": update_data}
)
return {"message": "Profile updated"}
Right to Data Portability (Article 20)¶
Format: JSON (machine-readable)
Delivery: Immediate download
Implementation: Same as "Right to Access" endpoint
Data Breach Notification (Article 33 & 34)¶
Timeline: 72 hours to supervisory authority, ASAP to data subjects
Automated Notification System:
async def notify_data_breach(incident_details: dict):
"""Notify users and authorities of data breach (GDPR Article 33/34)."""
# Assess breach severity
if incident_details["affected_records"] > 100:
# Notify supervisory authority (within 72 hours)
await notify_supervisory_authority(incident_details)
# Notify affected users
affected_users = incident_details["affected_user_ids"]
for user_id in affected_users:
user = users_collection.find_one({"user_id": user_id})
await send_breach_notification_email(
email=user["email"],
breach_details={
"date": incident_details["breach_date"],
"data_affected": incident_details["data_types"],
"actions_taken": incident_details["mitigation_steps"],
"recommendations": "Change password, enable MFA"
}
)
๐ฎ๐ณ DPDPA 2023 Compliance (India)¶
Jurisdiction: India
Status: โ
Compliant
Implementation Date: 2023
Data Localization¶
Requirement: Process and store Indian citizens' data in India
Implementation:
# Azure region selection
AZURE_REGION = "centralindia" # โ
India data center
# MongoDB Atlas
MONGODB_REGION = "ASIA_SOUTH_1" # Mumbai
# Milvus deployment
MILVUS_REGION = "centralindia"
Verification:
# Check Azure resources location
az resource list --query "[?location!='centralindia'].{name:name, location:location}"
# Result: Empty (all resources in Central India)
Consent Management¶
Requirement: Explicit consent for data processing
Implementation:
// Signup flow - explicit consent
{
"user_consent": {
"data_processing": true, // Required
"marketing_emails": false, // Optional
"analytics_tracking": true, // Optional
"consented_at": "2025-01-15T10:00:00Z",
"consent_version": "v1.0"
}
}
Consent Withdrawal:
@app.post("/v1/consent/withdraw")
async def withdraw_consent(
consent_type: str,
user_context: dict = Depends(verify_jwt_token)
):
"""Withdraw consent for specific data processing."""
user_id = user_context["user_id"]
users_collection.update_one(
{"user_id": user_id},
{"$set": {f"user_consent.{consent_type}": False}}
)
# If withdrawal requires data deletion, trigger it
if consent_type == "data_processing":
await initiate_account_deletion(user_id)
return {"message": f"Consent for {consent_type} withdrawn"}
Data Principal Rights (same as GDPR)¶
- โ Right to Access
- โ Right to Correction
- โ Right to Erasure
- โ Right to Data Portability
๐ฅ HIPAA Compliance (US Healthcare)¶
Status: โ ๏ธ On-Premise Deployment Only
Applicability: Healthcare organizations handling PHI
Note: Cloud version NOT HIPAA compliant (shared infrastructure)
Technical Safeguards (45 CFR ยง 164.312)¶
Access Control (ยง 164.312(a)(1)):
- โ Unique user identification
- โ Emergency access procedure
- โณ Automatic logoff (planned)
- โ Encryption and decryption
Audit Controls (ยง 164.312(b)):
- โ Audit logs for PHI access
- โณ Unlimited retention (on-premise)
Integrity (ยง 164.312©(1)):
- โ Data integrity verification
- โ Backup encryption
Transmission Security (ยง 164.312(e)):
- โ TLS 1.3 encryption
- โณ End-to-end encryption (planned)
Business Associate Agreement (BAA)¶
Required for:
- On-premise deployments handling PHI
- Healthcare customers
Template:
BUSINESS ASSOCIATE AGREEMENT
This Agreement is entered into between:
- Covered Entity: [Healthcare Organization]
- Business Associate: MachineAvatars
1. Definitions (HIPAA terms)
2. Permitted Uses and Disclosures
3. Safeguards (encryption, access control)
4. Breach Notification (60 days)
5. Subcontractors (Azure, if applicable)
๐ SOC 2 Type II (In Progress)¶
Status: ๐ก Audit scheduled Q2 2025
Framework: AICPA Trust Services Criteria
Trust Service Criteria¶
Security:
- โ Access control (RBAC)
- โ Encryption (AES-256, TLS 1.3)
- โ ๏ธ Secret management (migrating to Key Vault)
Availability:
- โ 99.9% uptime SLA (Premium)
- โ Azure DDoS protection
- โณ Disaster recovery testing
Processing Integrity:
- โ Input validation
- โ Data integrity checks
- โ Audit logging
Confidentiality:
- โ NDAs with employees/contractors
- โ Data classification
- โณ DLP (Data Loss Prevention) - planned
Privacy:
- โ GDPR compliance
- โ DPDPA compliance
- โ Privacy policy
Audit Preparation¶
Evidence Collection:
- Security policies documented
- Access control matrices
- Encryption certificates
- Incident response playbooks
- Penetration test reports
- Vulnerability scan results
- Change management logs
- Employee security training records
๐ณ PCI DSS (Payment Card Industry)¶
Status: โ
Compliant (via Razorpay)
Scope: Payment processing only
Implementation:
- โ NO card data stored on MachineAvatars servers
- โ Razorpay handles all payment processing (PCI DSS Level 1 certified)
- โ Payment tokens only (no PAN/CVV storage)
- โ TLS for payment API calls
Razorpay Compliance:
# Payment flow
def initiate_payment(order_details):
# Create Razorpay order
order = razorpay_client.order.create({
"amount": order_details["amount"],
"currency": "INR"
})
# Return order_id to frontend
# Frontend uses Razorpay checkout (hosted)
# No card details ever touch MachineAvatars servers
return {"order_id": order["id"]}
๐ ISO 27001 (Planned Q4 2025)¶
Status: โณ Planned
Framework: Information Security Management System (ISMS)
Requirements:
- Risk assessment and treatment
- Security policies
- Access control policy
- Cryptography policy
- Operations security
- Communications security
- Supplier relationships
- Incident management
- Business continuity
- Compliance
Timeline:
- Q1 2025: Gap analysis
- Q2-Q3 2025: ISMS implementation
- Q4 2025: Certification audit
๐ Compliance Dashboard¶
Compliance Status Tracking:
| Requirement | Status | Evidence | Next Audit |
|---|---|---|---|
| GDPR Data Export | โ | API endpoint | N/A |
| GDPR Data Deletion | โ | API endpoint | N/A |
| GDPR Breach Notification | โ | Automated system | N/A |
| DPDPA Data Localization | โ | Azure Central India | Ongoing |
| HIPAA Encryption | โ | AES-256, TLS 1.3 | N/A |
| HIPAA BAA | โณ | Template ready | On request |
| SOC 2 Security | ๐ก | 80% complete | Q2 2025 |
| PCI DSS | โ | Razorpay certified | Annual |
| ISO 27001 | โณ | 0% complete | Q4 2025 |
โ Compliance Checklist¶
Data Protection:
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Password hashing (bcrypt) - CRITICAL GAP!
- Backup encryption
Access Control:
- RBAC implemented
- Audit logging (Business+)
- MFA (planned)
- Session management
Data Rights:
- Data export API
- Data deletion API
- Profile update API
- Consent management
Incident Management:
- Breach notification process
- Incident response plan
- 72-hour GDPR timeline
- User notification system
Vendor Management:
- Razorpay (PCI DSS certified)
- Azure (ISO 27001, SOC 2)
- Data Processing Agreements
๐ Related Documentation¶
Security:
- Authentication & Authorization - Access controls
- Encryption - Data protection
- Incident Response - Breach notification
Legal:
- Privacy Policy (external document)
- Terms of Service (external document)
- Data Processing Agreement (DPA) template
- Business Associate Agreement (BAA) template
"Compliance is not a checkbox. It's a commitment." ๐๐