Security
Compliance Controls Mapping
Article-by-article mapping of OGuardAI controls to GDPR, HIPAA, SOC 2, and PCI DSS requirements
GDPR Alignment
| GDPR Article | Requirement | OGuardAI Control | How to Verify |
|---|---|---|---|
| Art. 5(1)(c) | Data minimization | Tokenization removes PII from LLM context | Transform API returns safe_text without PII |
| Art. 5(1)(e) | Storage limitation | Sealed sessions auto-expire, no server-side retention | Check session TTL configuration |
| Art. 25 | Data protection by design | Trust boundary model, sealed sessions | Security whitepaper Section 1 |
| Art. 28 | Processor obligations | Self-hosted, no subprocessors in sealed mode | Deployment guide |
| Art. 30 | Records of processing | Structured audit events per operation | Audit module, diagnostics endpoint |
| Art. 32 | Security of processing | AES-256-GCM encryption, key rotation | Security whitepaper Section 2 |
| Art. 17 | Right to erasure | Sessions auto-expire, no server-side retention | Data retention doc |
| Art. 20 | Data portability | Sealed sessions are portable (client-held) | Session model |
| Art. 35 | Data protection impact assessment | Audit trail, policy validation, dry-run mode | Admin endpoints |
HIPAA Alignment
| HIPAA Section | Requirement | OGuardAI Control | Implementation Detail |
|---|---|---|---|
| SS 164.312(a)(1) | Access control | JWT/API key auth + scope model | Auth middleware with Admin/Transform/Rehydrate/Detect/Policy scopes |
| SS 164.312(a)(2)(iv) | Encryption/decryption | AES-256-GCM sealed sessions | Session crate with AEAD encryption |
| SS 164.312(b) | Audit controls | Structured audit events | Audit module emits events via tracing |
| SS 164.312(c)(1) | Integrity controls | AEAD authentication tag on session blobs | Tamper detection built into AES-GCM |
| SS 164.312(e)(1) | Transmission security | TLS support, encrypted session state | Deployment guide covers TLS setup |
| SS 164.502(b) | Minimum necessary | Tokenization + policy-based restore modes | 6 restore modes: full, partial, masked, formatted, abstract, none |
| SS 164.308(a)(5)(ii) | Security awareness | Policy validation and dry-run endpoints | Admin can preview impact before changes |
SOC 2 Type II Alignment
| Control | Description | OGuardAI Feature | Evidence |
|---|---|---|---|
| CC6.1 | Logical access | Auth middleware with scopes | API key/JWT validation on every request |
| CC6.3 | Role-based access | Admin/Transform/Rehydrate/Detect/Policy scopes | Scope-based authorization checks |
| CC6.6 | System boundary protection | Trust boundary model | PII never leaves runtime boundary |
| CC6.7 | Restrict data mobility | Policy engine controls entity exposure | Per-entity-type action rules |
| CC7.1 | Detect security events | Prompt security engine, output guard | Input/output scanning for injection and PII leaks |
| CC7.2 | System monitoring | Structured audit events, diagnostics endpoint | Audit trail, health checks |
| CC8.1 | Change management | Policy diffing, validation endpoint | Preview impact of policy changes before deployment |
| CC9.1 | Risk mitigation | Multi-layer detection (regex + NLP) | Builtin + advanced detector modes |
PCI DSS Alignment (Where Applicable)
| PCI DSS Requirement | OGuardAI Control |
|---|---|
| 3.4 -- Render PAN unreadable | Credit card tokenization with Luhn validation |
| 3.5 -- Protect cryptographic keys | Session key derived from configured secret, key rotation supported |
| 10.1 -- Audit trails | Structured audit events per operation |
| 10.3 -- Record audit trail entries | Timestamp, tenant, entity types, policy, duration in every event |
Audit Event Schema
Every OGuardAI operation emits a structured audit event:
```json
{
  "timestamp_unix": 1700000000,
  "event_type": "transform",
  "tenant_id": "tenant_acme",
  "session_id": "550e8400-...",
  "policy_applied": "gdpr-strict",
  "entity_types": ["email", "phone"],
  "entity_count": 3,
  "entities_blocked": 1,
  "entities_tokenized": 2,
  "duration_ms": 12.5,
  "detector_mode": "builtin",
  "output_guard_triggered": false,
  "prompt_security_triggered": false
}
```

Key property: No raw PII values appear in audit events.
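An added example, not part of OGuardAI or its documentation: a Python check that a log pipeline could run over collected audit events to confirm each one matches the schema above and carries no email-like or Luhn-valid card-like strings. It assumes one JSON object per line; the regexes, the `check_event` name and the `raw_match` field in the bad sample are assumptions made for illustration.

```python
import json
import re
# Field names and types copied from the sample audit event on this page.
SCHEMA = {
    "timestamp_unix": int, "event_type": str, "tenant_id": str,
    "session_id": str, "policy_applied": str, "entity_types": list,
    "entity_count": int, "entities_blocked": int, "entities_tokenized": int,
    "duration_ms": (int, float), "detector_mode": str,
    "output_guard_triggered": bool, "prompt_security_triggered": bool,
}
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")  # assumed heuristic
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13 to 19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def strings_in(value):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from strings_in(item)

def check_event(line: str) -> list:
    """Return findings for one JSON audit event; an empty list means clean."""
    event = json.loads(line)
    findings = [f"unexpected field: {k}" for k in event if k not in SCHEMA]
    for name, typ in SCHEMA.items():
        v = event.get(name)  # bool is an int subclass, so bool-ness is compared explicitly
        if name not in event or isinstance(v, bool) != (typ is bool) or not isinstance(v, typ):
            findings.append(f"missing or mistyped field: {name}")
    for text in strings_in(event):  # findings never echo the matched value
        if EMAIL.search(text):
            findings.append("email-like string in event")
        if any(luhn_ok(re.sub(r"\D", "", m)) for m in DIGIT_RUN.findall(text)):
            findings.append("Luhn-valid card-like number in event")
    return findings

# Constructed samples: CLEAN mirrors the page's event, LEAKY is a made-up bad one.
CLEAN = dict(zip(SCHEMA, [1700000000, "transform", "tenant_acme", "550e8400-...",
                          "gdpr-strict", ["email", "phone"], 3, 1, 2, 12.5,
                          "builtin", False, False]))
LEAKY = dict(CLEAN, tenant_id="alice@example.com", entity_count="3",
             raw_match="4111 1111 1111 1111")
```

Run `check_event` on each collected line and alert on any non-empty result; the findings deliberately name the problem without repeating the matched value.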
Audit Export
Audit events are emitted as structured tracing events on the guardai::audit target.
They can be collected by any log aggregation system:
- ELK Stack: Filebeat -> Logstash -> Elasticsearch -> Kibana
- Datadog: Datadog Agent with JSON log parsing
- Splunk: Universal Forwarder with JSON sourcetype
- AWS CloudWatch: CloudWatch Logs agent
- Google Cloud Logging: Fluentd/Fluent Bit
Configure your tracing subscriber to output JSON format for easy parsing:
```bash
RUST_LOG=guardai::audit=info oguardai-server run
```

Policy Governance Events
In addition to operational audit events, OGuardAI emits policy governance events:
| Event Type | When Emitted | What It Records |
|---|---|---|
| policy_loaded | Server startup | Each policy loaded from the policies directory |
| policy_validated | Admin validation endpoint | Proposed policy validation result |
| policy_diff_preview | Admin validation with diff | Changes between current and proposed policies |
These events create an immutable record of policy state changes over time.
Verification Checklist
Use this checklist to verify OGuardAI compliance controls in your deployment:
- Sealed session mode enabled (default)
- Session TTL configured appropriately
- TLS enabled for all endpoints
- Auth mode set to ApiKey or Jwt (not Dev)
- Audit events routed to SIEM/log aggregator
- Log rotation and retention configured
- Policy directory version-controlled (git)
- Policy validation run before deployments
- Encryption key rotation schedule established
- Output guard enabled for sensitive workflows
- Prompt security enabled (default)