Osage Cloud
Compliance
Operational discipline, documented and verifiable.
Frameworks we operate against
- SOC 2 Type II — on the platform side.
- ISO 27001 / 27017 / 27018 — on the managed-region tier.
- NIST SP 800‑171 — controls in place; SSP and POA&M maintained.
- CMMC Level 2 / 3 — roadmap to assessor‑led certification on DoD-triggering work.
- FedRAMP Moderate — roadmap on managed-region tier; sovereign deploys carry agency ATO support.
- FISMA Moderate / High — per customer control set.
- HIPAA with BAA — on health-information workloads.
- PCI DSS Level 1 — via card-processing partner integration.
- GDPR / CCPA — right-to-erasure via CEK crypto-shredding.
Data at rest
Canonical envelope encryption: Osage KMS root, per-org KEK, per-row / per-file CEK, AES-256-GCM with AAD-bound nonces. SQLite via Osage Base for OLTP; no production PostgreSQL anywhere. Analytics on a separated ClickHouse layer that never sees plaintext sensitive columns. Full spec at osage.tech/docs/storage.
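The key hierarchy this paragraph describes (root key, per-org KEK, per-row CEK, AES-256-GCM with the record's identity bound in as AAD) together with the CEK crypto-shredding that backs the right-to-erasure item under GDPR / CCPA above, as an added illustration in Go. It is not Osage's code and does not call the Osage KMS: the in-memory `Vault`, the `rowAAD` layout (`row:<org>/<table>/<id>`) and the `kek:<org>` wrapping context are assumptions made for the example, and the Go standard library's AES-GCM stands in for the production primitive.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Sealed is an AES-256-GCM output plus the random 96-bit nonce it was produced under. The AAD is
// not stored; it is rebuilt from the record's identity on decrypt, so a ciphertext copied to
// another org, table or row fails tag verification.
type Sealed struct {
	Nonce []byte
	CT    []byte // ciphertext || 16-byte GCM tag
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length; this example only ever passes 32-byte keys
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // CSPRNG failure is fatal; never fall back to a weaker source
	}
	return b
}

func seal(key, aad, pt []byte) Sealed {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return Sealed{Nonce: nonce, CT: aead.Seal(nil, nonce, pt, aad)}
}

func open(key, aad []byte, s Sealed) ([]byte, error) {
	return gcm(key).Open(nil, s.Nonce, s.CT, aad)
}

// Row is one encrypted record; WrappedCEK is its per-row key wrapped under the org KEK.
type Row struct {
	Org, Table, ID string
	WrappedCEK     *Sealed // nil once crypto-shredded
	Data           Sealed
}

// Vault stands in for the KMS (assumption): the root key plus each org's KEK wrapped under it.
type Vault struct {
	root    []byte
	orgKEKs map[string]Sealed
}

func NewVault(root []byte) *Vault { return &Vault{root: root, orgKEKs: map[string]Sealed{}} }
func rowAAD(org, table, id string) []byte {
	return []byte("row:" + org + "/" + table + "/" + id)
}

// orgKEK unwraps the org's KEK (creating and wrapping one on first use); in production this
// unwrap is the KMS event that is written to the audit log.
func (v *Vault) orgKEK(org string) ([]byte, error) {
	aad := []byte("kek:" + org)
	if w, ok := v.orgKEKs[org]; ok {
		return open(v.root, aad, w)
	}
	kek := randBytes(32)
	v.orgKEKs[org] = seal(v.root, aad, kek)
	return kek, nil
}

func (v *Vault) EncryptRow(org, table, id string, pt []byte) (*Row, error) {
	kek, err := v.orgKEK(org)
	if err != nil {
		return nil, err
	}
	cek, aad := randBytes(32), rowAAD(org, table, id)
	wrapped := seal(kek, aad, cek)
	return &Row{Org: org, Table: table, ID: id, WrappedCEK: &wrapped, Data: seal(cek, aad, pt)}, nil
}

func (v *Vault) DecryptRow(r *Row) ([]byte, error) {
	if r.WrappedCEK == nil {
		return nil, errors.New("row has been crypto-shredded")
	}
	kek, err := v.orgKEK(r.Org)
	if err != nil {
		return nil, err
	}
	aad := rowAAD(r.Org, r.Table, r.ID)
	cek, err := open(kek, aad, *r.WrappedCEK)
	if err != nil {
		return nil, err
	}
	return open(cek, aad, r.Data)
}

// Shred is the erasure path: with the wrapped CEK gone, no key in the hierarchy can open Data,
// so the row's bytes, and every backup holding them, are effectively erased.
func Shred(r *Row) { r.WrappedCEK = nil }
```

Two properties are worth checking in a real deployment exactly as the example does: a row's ciphertext must not decrypt when filed under another row's identity (the AAD check), and a wrapped KEK must not open under any root other than the one that wrapped it. Note that shredding only erases what was encrypted under that CEK; indexes or analytics copies that hold plaintext derivatives are outside its reach, which is why the separated ClickHouse layer above must never see plaintext sensitive columns.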
Data in transit
- TLS 1.3 by default; PQ‑hybrid handshakes (X25519+ML-KEM) on supported endpoints.
- mTLS between every service; SPIFFE / SPIRE identity for service-to-service.
- End-to-end encryption for client ↔ backend on regulated workloads.
Cybersecurity
- FAR / DFARS — clause flow-down on every instrument; cybersecurity DFARS 252.204-7012/-7019/-7020/-7021 in place.
- Zero-trust — identity-aware proxy via Osage Gateway; attribute-based access; continuous verification.
- Post-quantum — the standing PQ brief is held by the Chief Architect & Cryptographer; see osage.global/capabilities.
- Supply chain — SBOM published per release; signed releases; reproducible builds where the language permits.
Audit & logging
Every administrative action and every KMS unwrap is a logged event. The KMS log is the system of record for sensitive-data access auditing. Logs are append-only, content-addressed, and retained per the customer’s retention policy.
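The append-only, content-addressed log described above, as an added illustration in Go (not Osage's logging code; the event fields, the canonical JSON form and the SHA-256 chaining are assumptions of the example). Each entry's ID is the SHA-256 of its canonical JSON, which includes the previous entry's ID, so editing, removing or reordering any earlier entry breaks every later link. The verifier also accepts a head ID recorded out of band, because a hash chain on its own cannot distinguish a truncated log from one that was always short.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Event is one audit record; admin actions and KMS unwraps alike go through Append.
type Event struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"` // RFC 3339, supplied by the caller so the chain is reproducible
	Actor    string `json:"actor"`
	Action   string `json:"action"` // constructed examples: "kms.unwrap", "admin.role_grant"
	Resource string `json:"resource"`
	Prev     string `json:"prev"` // hex ID of the previous entry; empty for the genesis entry
}

// Entry is the stored form: the event plus its content address.
type Entry struct {
	Event
	ID string `json:"id"` // hex SHA-256 over the prev-linked canonical JSON of Event
}

type Log struct{ entries []Entry }

// contentID serialises the event deterministically (Go encodes struct fields in declaration
// order) and hashes it; Prev is part of the hashed bytes, which is what forms the chain.
func contentID(e Event) (string, error) {
	b, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Head is the ID of the latest entry; publishing it out of band anchors the whole log.
func (l *Log) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].ID
}

// Entries returns a copy, the form that would be shipped to the customer's retention store.
func (l *Log) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Append is the only write path: no update or delete exists on the type.
func (l *Log) Append(ts, actor, action, resource string) (Entry, error) {
	e := Event{Seq: uint64(len(l.entries)), Time: ts, Actor: actor, Action: action, Resource: resource, Prev: l.Head()}
	id, err := contentID(e)
	if err != nil {
		return Entry{}, err
	}
	ent := Entry{Event: e, ID: id}
	l.entries = append(l.entries, ent)
	return ent, nil
}

// Verify recomputes every ID and checks the Prev links and sequence numbers. expectedHead, if
// non-empty, is the head ID recorded out of band; it is what catches a truncated log, which the
// chain alone cannot detect because a prefix of a valid chain is itself a valid chain.
func Verify(entries []Entry, expectedHead string) error {
	prev := ""
	for i, ent := range entries {
		if ent.Seq != uint64(i) || ent.Prev != prev {
			return fmt.Errorf("entry %d: broken link", i)
		}
		id, err := contentID(ent.Event)
		if err != nil {
			return err
		}
		if id != ent.ID {
			return fmt.Errorf("entry %d: content does not match id", i)
		}
		prev = ent.ID
	}
	if expectedHead != "" && prev != expectedHead {
		return errors.New("head mismatch: log truncated or diverged")
	}
	return nil
}
```

The retention policy mentioned above interacts with this structure: entries that age out must be dropped from the front of the chain, with the ID of the first retained entry (and its Prev) kept as the new anchor, never from the middle or the end, or later entries stop verifying.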
Compliance: [email protected] · Security: [email protected].