# Compliance Matrix
MazeVault Alignment with Regulatory and Industry Standards
Document Version: 1.0.0
Last Updated: 2026-02-10
## 1. Overview
MazeVault is designed to support compliance with major regulatory frameworks and industry standards relevant to financial institutions, healthcare, and enterprises handling sensitive data.
Disclaimer
This matrix describes MazeVault's technical capabilities that support compliance. Achieving full compliance with any regulatory framework requires organizational policies, processes, and controls beyond the technical platform. Consult your compliance team for a complete assessment.
## 2. ISO/IEC 27001:2022
Information Security Management Systems
| Control | ISO 27001 Reference | MazeVault Implementation |
|---|---|---|
| Access Control | A.9.1 – A.9.4 | RBAC with granular permissions, project isolation, least privilege enforcement |
| Cryptography | A.10.1 | AES-256-GCM encryption at rest, TLS 1.2/1.3 in transit, HSM key protection |
| Operations Security | A.12.1 – A.12.7 | Audit logging, change management, capacity monitoring, backup procedures |
| Communications Security | A.13.1 – A.13.2 | TLS enforcement, network segmentation, API authentication |
| System Acquisition | A.14.1 – A.14.3 | Secure development lifecycle, dependency scanning, penetration testing |
| Supplier Relations | A.15.1 – A.15.2 | Service level monitoring, third-party integration security |
| Incident Management | A.16.1 | Audit trail, alerting, health monitoring |
| Business Continuity | A.17.1 – A.17.2 | Backup/restore, disaster recovery procedures, multi-DC sync |
| Compliance | A.18.1 – A.18.2 | Audit logging, data protection, license management |
## 3. SOC 2 Type II
Trust Service Criteria
| Criteria | Category | MazeVault Implementation |
|---|---|---|
| CC1 | Control Environment | Role-based access, administrative controls, configuration management |
| CC2 | Communication | Structured logging, alert notifications, health dashboards |
| CC3 | Risk Assessment | Vulnerability scanning, penetration testing, dependency auditing |
| CC4 | Monitoring | Real-time health checks, Prometheus metrics, alert thresholds |
| CC5 | Control Activities | Input validation, rate limiting, CSRF/CORS protection |
| CC6 | Logical Access | RBAC, MFA, SSO integration, session management, API key controls |
| CC7 | System Operations | Automated health checks, backup procedures, incident response |
| CC8 | Change Management | Database migrations, version control, deployment pipelines |
| CC9 | Risk Mitigation | Encryption, key rotation, certificate lifecycle management |
| A1 | Availability | Health endpoints, Kubernetes auto-restart, multi-DC sync |
| C1 | Confidentiality | AES-256-GCM encryption, zero-knowledge architecture, TLS enforcement |
| PI1 | Processing Integrity | Input validation, database constraints, audit logging |
| P1 | Privacy | Data encryption, access controls, audit trail |
## 4. PCI DSS v4.0
Payment Card Industry Data Security Standard
| Requirement | PCI DSS Section | MazeVault Implementation |
|---|---|---|
| Firewall/Network Security | 1.x | TLS enforcement, network segmentation support, ingress controls |
| Secure Configuration | 2.x | Hardened container images, security headers, disabled unnecessary services |
| Protect Stored Data | 3.x | AES-256-GCM encryption at rest, key rotation, secure key storage |
| Encrypt Transmission | 4.x | TLS 1.2+ for all communications, certificate validation |
| Malware Protection | 5.x | Container image scanning, dependency vulnerability scanning |
| Secure Development | 6.x | Input validation, code review, security testing |
| Access Control | 7.x | RBAC, least privilege, project isolation |
| User Identification | 8.x | MFA, strong password policies (SRP), session management |
| Physical Access | 9.x | N/A (customer responsibility for infrastructure physical security) |
| Logging & Monitoring | 10.x | Comprehensive audit logging, structured JSON logs, SIEM-ready format |
| Security Testing | 11.x | Penetration testing, vulnerability scanning, health monitoring |
| Security Policies | 12.x | Configuration management, documentation, incident procedures |
## 5. GDPR
General Data Protection Regulation
| Article | Requirement | MazeVault Implementation |
|---|---|---|
| Art. 5 | Data Processing Principles | Purpose limitation, data minimization in stored metadata |
| Art. 25 | Privacy by Design | Zero-knowledge encryption, minimal data collection |
| Art. 30 | Records of Processing | Comprehensive audit logging with timestamps and user identity |
| Art. 32 | Security of Processing | AES-256-GCM encryption, access controls, regular security testing |
| Art. 33/34 | Breach Notification | Audit trail for forensic analysis, alerting for security events |
| Art. 35 | Data Protection Impact Assessment | Security architecture documentation, risk assessment support |
## 6. NIS2 Directive
Network and Information Systems Directive 2 (EU)
| Requirement | MazeVault Implementation |
|---|---|
| Risk Management | Multi-layered security architecture, vulnerability management |
| Incident Handling | Audit logging, alerting, health monitoring, structured incident data |
| Business Continuity | Backup/restore procedures, multi-DC synchronization, DR documentation |
| Supply Chain Security | Dependency scanning, container image scanning, secure update process |
| Encryption | AES-256-GCM, TLS 1.2+, HSM support, key rotation policies |
| Access Control | RBAC, MFA, SSO, audit trail |
## 7. Czech National Cybersecurity Standards
Act on Cyber Security (Zákon o kybernetické bezpečnosti, Act No. 181/2014 Coll.) / Decree No. 82/2018 Coll. (Vyhláška č. 82/2018 Sb.)
| Requirement | MazeVault Implementation |
|---|---|
| Access Control | RBAC, MFA, SSO, project-level authorization |
| Cryptographic Protection | AES-256-GCM, TLS 1.2+, HSM support |
| Key Management | Automatic rotation, HSM storage, separation of encryption keys |
| Security Audit | Complete audit trail, structured JSON logs |
| Vulnerability Management | Dependency scanning, container scanning, penetration tests |
| Business Continuity | Backup, restore, multi-DC synchronization |
| Communications Security | TLS enforcement, mTLS for agents, certificate validation |
## Related
- Security Overview — Security architecture details
- Encryption — Cryptographic implementation details
- Penetration Testing — Security testing results
- Audit Logging — Audit capabilities for compliance evidence