Security & Compliance

Audience: SOC 2 Type II, HIPAA, and CMS EDE Phase 3 auditors; AskFlorence engineering + ops; compliance-automation vendor onboarding (Drata / Vanta).

Scope: the documented operating-control layer. The infrastructure layer is documented under Infrastructure and the ADRs (0001, 0002, 0003, 0004).

Status: living set of documents. Each policy + control mapping records its own Last updated date. Index last revised 2026-05-11.


Audit-readiness posture (2026-05-11)

| Framework | Posture | Evidence window | Next milestone |
| --- | --- | --- | --- |
| HIPAA Security Rule | In-force today. PHI scope = MongoDB Atlas M10 HIPAA-tier prod cluster + AWS BAA-covered services + Google Workspace. | Continuous (no formal window) | Mongo Atlas BAA signed PDF on file (Asad-owned, in flight) |
| SOC 2 Type II | Pre-evidence-window. Documentation foundation laid; vendor sign + evidence window start targeting ~July 2026 post-funding. | Not yet — target July 2026 → July 2027 | Sign Drata or Vanta after funding closes; commission pen test in parallel |
| CMS EDE Phase 3 | Multi-month preparation. Submission targeting ~February 2027 for the April–June 2027 audit period. | Not yet — auditors look at multi-month operating history at submission time | Atlas → Atlas for Government migration at submission cutover; Bedrock-Claude swap if Florence direct-API ships |

The infrastructure layer is largely in place — AWS Organizations with 4 accounts, KMS CMKs, Secrets Manager, narrow-scoped Atlas users, append-only audit log, CloudTrail org-trail, Security Hub, GuardDuty, IAM OIDC for CI. The documented operating-control layer (this directory) is what auditors walk through; it captures the policies + control mappings + runbooks that bind those controls to documented procedure.


How to read this directory (auditor entry point)

If you are an auditor (SOC 2 / HIPAA / EDE), this is the recommended path:

  1. Start with the control mappings. Open the framework you're assessing:
    • SOC 2 Control Mapping — CC criteria, append-only evidence register
    • HIPAA Control Mapping — 45 CFR §164.308 / .310 / .312 mapping
    • CMS EDE Appendix A Mapping — Phase 3 § 1–11 mapping
  2. From each control row, follow the evidence link — ADR, runbook, Terraform configuration, CI workflow run, or Atlas role JSON. Every row cites a specific artifact, not a generic claim.
  3. For org-level policy questions, consult the matching policy doc:
    • Risk Assessment — annual risk register
    • Encryption Policy — at-rest, in-transit, key management
    • Data Retention Policy — per data class
    • Privacy Impact Assessment — current PHI-adjacent flows
    • Incident Response Plan — roles, escalation, regulatory timelines
    • Access Control Policy — SSO, MFA, quarterly reviews, break-glass
    • Marketing vs. Portal Analytics — auth-wall isolation control, tool-approval SOP, living registry of approved third-party tools on apex
    • Vendor / subprocessor register — BAA / DPA / FedRAMP status
  4. For operational procedure, consult the runbooks:
    • Security Incident Response — first-responder playbook
    • Break-Glass Root Login — when, how, audit posture
    • Onboard Team Member — SOC 2-grade checklist
    • Offboard Team Member — revocation checklist
    • Atlas User Provisioning — DB user lifecycle
  5. For standing operational artifacts:
    • Access reviews — quarterly review records
    • Penetration test reports — pen test history (first report target Q4 2026)

What HIPAA covers today

PHI touchpoints exist now. The Security Rule applies in-force to:

| Touchpoint | Data class | HIPAA control surface |
| --- | --- | --- |
| Quote browsing (ZIP + age + income) | Anonymous (not PHI) | Stateless — no storage, no audit log row, no PHI implication |
| Agent waitlist + survey (agent_waitlist_submissions, agent_survey_responses on Atlas) | PII (email, name, NPN, phone) | §164.308(a)(4) least-privilege role binding via app_writer_survey; §164.312(b) audit via agent_audit_log |
| MongoDB Atlas prod cluster | PHI-scope-enabled (M10 HIPAA tier — see vendor register Atlas row) | §164.308(b) BAA; §164.312(a)(1) per-service unique-ID auth; §164.312(b) append-only audit log; §164.312(e)(1) TLS 1.2+ |
| AWS (compute, storage, secrets, monitoring) | All classes | §164.308(b) AWS Organizations BAA signed 2026-04-18; §164.310 physical safeguards inherited; §164.312 technical safeguards via KMS + Secrets Manager + CloudTrail |
| Google Workspace (founder + ops email) | PII (could be PHI if member info flows in) | §164.308(b) BAA accepted 2026-05-01 via admin console click-through |

What is NOT yet in scope (Phase 5 agent platform + member enrollment, target 2026-06-15): consumer SSN, DOB, plan-enrollment records. When those collections land, the HIPAA mapping rows in hipaa-control-mapping.md for the not-yet-applicable safeguards graduate from "planned" to evidenced.


Encryption posture (current state)

See encryption-policy.md for the full policy. Summary:

  • In transit: TLS 1.2+ enforced on all Atlas connections (Atlas-side floor); HTTPS-only on apex via CloudFront + ACM; AWS PrivateLink for the cross-cluster reference read path (network-layer protection on top of TLS); no plaintext channels exist between prod ECS and any data store.
  • At rest: Atlas cluster-level AES-256 (default at M10 tier); S3 SSE-KMS with project-owned CMK; CloudWatch encrypted; Secrets Manager encrypted with project-owned CMK.
  • Application-level field encryption (CSFLE): not yet implemented. Will be required for the consumers and enrollments collections (Phase 5+) before any PHI lands there. Roadmap in encryption-policy.md.
  • Key management: AWS KMS CMKs per project (state, data, secrets). Rotation cadence in encryption-policy.md. CMK access is restricted to specific IAM roles per least-privilege.

Access control posture (current state)

See access-control-policy.md for the full policy. Summary:

  • Identity: AWS IAM Identity Center (SSO) as the source of truth for human access to AWS accounts. Permission sets: admin, power_user, billing_ro, security_audit. Pre-positioned but not yet imported into Terraform (Phase 3b pending; see infra/envs/management/outputs-reference.md).
  • MFA: required on the SSO directory; hardware-MFA enrollment tracked separately (#67).
  • CI/CD: GitHub Actions assumes GitHubActionsDeployRole via OIDC — short-lived STS credentials, no long-lived IAM access keys.
  • Database: narrow-scoped Atlas users per ADR 0003. Current authoritative state in atlas-access-matrix.md. CI-enforced drift check (scripts/audit/staging-cluster-drift.ts, nightly 08:00 UTC).
  • Compliance automation: DrataAutopilotRole deployed in all four accounts with SecurityAudit + ReadOnlyAccess, trust placeholder unactivated until vendor signing — see compliance-automation-integration.md.

Audit logging posture (current state)

See HIPAA control mapping §164.312(b) for the live row.

  • agent_audit_log collection in the prod Atlas cluster — append-only enforced at the DB permission layer (ADR 0002). No app-tier credential can mutate the log; tamper attempts are themselves logged by Atlas.
  • CloudTrail organization trail in the log-archive account — captures all AWS API events across the four-account org. Retention: 7 years.
  • Security Hub findings aggregated org-wide; cross-account export to log-archive S3 planned (see security-hub-setup.md).
  • GuardDuty enabled org-wide with malware protection on the agent-survey-uploads S3 bucket.
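
An added example, not AskFlorence's own code, of verifying the append-only property described for agent_audit_log: it scans role definitions for any action that could rewrite or destroy existing log rows, including grants made through wildcard resources. The database name `prod`, the role names and their privileges are constructed; the action names are MongoDB's built-in privilege actions.

```typescript
// Shapes follow the output of MongoDB's rolesInfo with showPrivileges: true.
type Resource = { db?: string; collection?: string; cluster?: boolean; anyResource?: boolean };
type Privilege = { resource: Resource; actions: string[] };
type Role = { role: string; privileges: Privilege[] };

// Actions that would let a credential rewrite or destroy existing log rows.
const MUTATING: string[] = [
  "update", "remove", "dropCollection", "dropDatabase",
  "renameCollectionSameDB", "collMod", "convertToCapped",
];

// True when a privilege's resource covers db.coll. In MongoDB an empty string
// for db or collection is a wildcard, and anyResource covers everything.
function covers(r: Resource, db: string, coll: string): boolean {
  if (r.anyResource) return true;
  if (r.cluster || r.db === undefined || r.collection === undefined) return false;
  return (r.db === "" || r.db === db) && (r.collection === "" || r.collection === coll);
}

// Lists "role: action" for every mutating action a role holds on db.coll.
function appendOnlyViolations(roles: Role[], db: string, coll: string): string[] {
  const out: string[] = [];
  for (const role of roles)
    for (const p of role.privileges)
      if (covers(p.resource, db, coll))
        for (const a of p.actions)
          if (MUTATING.indexOf(a) !== -1) out.push(`${role.role}: ${a}`);
  return out.sort();
}

// Constructed sample roles (not the project's real definitions).
const SAMPLE_ROLES: Role[] = [
  { role: "example_app_writer", privileges: [
    { resource: { db: "prod", collection: "agent_audit_log" }, actions: ["insert"] },
    { resource: { db: "prod", collection: "agent_survey_responses" }, actions: ["insert", "update"] },
  ]},
  // Wildcard collection: this grant silently reaches the audit log too.
  { role: "hypothetical_maintenance", privileges: [
    { resource: { db: "prod", collection: "" }, actions: ["find", "remove"] },
  ]},
];

console.log(appendOnlyViolations(SAMPLE_ROLES, "prod", "agent_audit_log"));
```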

Standing operational cadence

| Cadence | What | Where |
| --- | --- | --- |
| Per PR | staging-collections-guard CI workflow — fails PR if getReferenceDb() accesses a non-allow-listed collection | .github/workflows/staging-collections-guard.yml |
| Per PR | validate-secrets CI workflow — fails PR if any secret has trailing whitespace, embedded newlines, or is empty (catches the bug class that broke Resend) | .github/workflows/validate-secrets.yml |
| Daily 08:00 UTC | staging-cluster-drift live nightly audit of app_read_staging role privileges; opens P1 issue on drift | .github/workflows/staging-cluster-drift.yml |
| Quarterly | Access review of SSO assignments, Atlas users, hardware MFA status, vendor BAA expirations | ../infrastructure/access-reviews/ |
| Annually | Pen test (first report target Q4 2026) | ./penetration-test-reports/ |
| At every new vendor adoption | Vendor-register row added before contract signed; BAA / DPA collected before any production data flows | vendor-register.md |
| At every retirement | Vendor moved to retired section + BAA retained in docs/infrastructure/evidence/ for 6 years | vendor-register.md |
| At every control-relevant change | Append a row to the relevant control mapping with link to ADR / runbook / session log | soc2-control-mapping.md, hipaa-control-mapping.md, ede-control-mapping.md |

Documented incidents (reference for IRP)

The full Incident Response Plan carries worked examples from these incidents:

  • 2026-04-10 — Resend transactional email outage (literal \n in API key + DKIM mis-config). Detected via founder-side test send. Resolved by retiring Resend in favor of AWS SES (v0.33.0, 2026-04-30). Drove the validate-secrets CI workflow.
  • 2026-04-10 — GET /api/waitlist route triggered real SES sends to a hardcoded recipient when crawled. ~15–25 spurious emails over 30 days before hotfix in commit 4422ca8. Drove the "no side-effects in GET handlers" engineering rule.
  • 2026-04-30 — Homepage "Get early access" CTA was a no-op since v0.29.0 deploy. Anyone clicking between deploy and fix was lost (no Mongo row, no SES, no PostHog event). Drove tighter post-deploy smoke testing.
  • 2026-05-06 — CMS ingest cost spike (~$2,800/mo on M60). Drove the delta-aware refresh cadence (../decisions/2026-05-09-refresh-cadence.md).
  • 2026-05-09 — HubSpot GDPR-delete of taha@askflorence.health (irreversible blocklist). Drove the +alias@ convention for HubSpot test data.
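
An added example, not the project's validate-secrets workflow, of the rule that workflow is described as enforcing (empty, trailing whitespace, embedded newlines) applied to a set of named secrets. The backslash-n check is an assumption about what the "literal \n" in the Resend incident looked like; all names and values are constructed.

```typescript
type Finding = { name: string; issue: string };

// Returns issue labels only, never the value, so findings are safe in CI logs.
function checkSecret(value: string | undefined): string[] {
  if (value === undefined || value === "") return ["empty"];
  const issues: string[] = [];
  const body = value.replace(/\s+$/, ""); // value without trailing whitespace
  if (body !== value) issues.push("trailing-whitespace");
  if (/[\r\n]/.test(body)) issues.push("embedded-newline");
  // Assumption: also flag the two characters backslash + n, which is what an
  // escaped newline becomes when it is pasted into a secret store as-is.
  if (value.indexOf("\\n") !== -1) issues.push("literal-backslash-n");
  return issues;
}

// Checks every required secret name; a name absent from env counts as empty.
function validateSecrets(env: Record<string, string | undefined>, required: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const name of required)
    for (const issue of checkSecret(env[name])) findings.push({ name, issue });
  return findings;
}

// Constructed sample values; none is a real credential.
const SAMPLE_ENV: Record<string, string | undefined> = {
  EXAMPLE_API_KEY: "key_constructed_123\\n",               // backslash + n
  EXAMPLE_DB_URI: "mongodb+srv://example.invalid/db \n",   // trailing space + newline
  EXAMPLE_TOKEN: "line1\nline2",                           // real newline inside
  EXAMPLE_OK: "abc123",
};
const REQUIRED = ["EXAMPLE_API_KEY", "EXAMPLE_DB_URI", "EXAMPLE_TOKEN", "EXAMPLE_OK", "EXAMPLE_MISSING"];

const findings = validateSecrets(SAMPLE_ENV, REQUIRED);
for (const f of findings) console.log(`${f.name}: ${f.issue}`);
// A CI job would exit non-zero when findings.length > 0.
```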

Cross-references

| Domain | Where it lives |
| --- | --- |
| Data classification taxonomy (Public / Internal / PII / PHI) | ../infrastructure/data-classification.md |
| Atlas user / role / env-var matrix (authoritative) | ../infrastructure/atlas-access-matrix.md |
| AWS organization + accounts | ../infrastructure/aws-organizations.md |
| AWS deploy + change log | ../infrastructure/change-log.md |
| Agent platform compliance design | ../agent-platform/compliance.md |
| BAA evidence PDFs / screenshots | ../infrastructure/evidence/ |
| Architectural decision records | ../adr/ |

Open follow-ups (referenced from policies)

  • #57 — Vendor HIPAA BAA coverage (Asad-owned); Mongo Atlas signed BAA PDF
  • #67 — Hardware MFA enrollment
  • #71 — This compliance documentation work (ENG-214)
  • #75 — PostHog Cloud removed (sub-A, 2026-05-12); replacement OpenPanel + GlitchTip self-hosted (ADR 0009 / ENG-347, build at #342)
  • Atlas-for-Government migration at EDE Phase 3 cutover (see encryption-policy.md)
  • Pen test vendor RFQ — July 2026 outreach for Q4 2026 report (see penetration-test-reports/)

AskFlorence Internal Documentation. Not for public distribution.
