Compliance Framework Mapping
This page documents how Aleutian's audit capabilities map to specific controls, articles, and requirements across major compliance frameworks.
Feature-to-Framework Matrix
Quick reference: which Aleutian features support which frameworks?
| Aleutian Feature | SOC 2 | GDPR | HIPAA | NIST CSF | NIST 800-53 | ISO 27001 | PCI DSS |
|---|---|---|---|---|---|---|---|
| Hash chain audit trail | CC7.2 | Art. 5(1)(f) | §164.312(b),(c) | PR.DS-6 | AU-9, AU-10 | A.5.33, A.8.15 | 10.3, 10.5 |
| PII detection | CC7.1 | Art. 5(1)(c), 30 | §164.312(b) | DE.AE-2 | SI-4 | A.8.11, A.8.12 | - |
| Privacy Firewall (blocking) | CC7.1 | Art. 5(1)(c) | §164.312(c) | PR.DS-1 | SI-4 | A.8.11 | - |
| GDPR deletion + certificates | - | Art. 17 | - | - | - | A.8.10 | - |
| Retention automation | - | Art. 5(1)(e) | - | - | AU-11 | - | 10.7 |
| User activity timeline | CC7.3 | Art. 15 | §164.308 | DE.CM-3 | AU-6 | A.8.16 | 10.4.1 |
| Compliance reports | CC4.1 | Art. 5(2) | §164.308 | RS.AN-1 | AU-6 | A.8.16 | 10.4.1 |
| Verification API | CC4.1 | Art. 5(1)(f) | §164.312(c)(2) | PR.DS-6 | SI-7 | A.5.33 | 10.5 |
| Real-time alerting | CC4.2 | Art. 33 | §164.308 | DE.AE-2 | SI-4 | A.8.16 | - |
SOC 2 Trust Services Criteria
SOC 2 is the most common compliance framework for B2B SaaS companies. The following controls are addressable with Aleutian's audit trail and verification features.
| Control | Description | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| CC4.1 | Ongoing monitoring and evaluation | Hash chain verification | Continuous integrity checks, verification reports |
| CC4.2 | Deficiency communication | PII alerting | Real-time notifications when sensitive data detected |
| CC5.2 | Technology controls | Hash chain | Cryptographic detective control |
| CC6.6 | Restrict logical access | Rate limiting | API rate limits prevent abuse |
| CC7.1 | Detect security events | PII detection | Automated scanning for sensitive data patterns |
| CC7.2 | Monitor system components | Audit trail | Tamper-evident logs of all AI conversations |
| CC7.3 | Evaluate security events | Audit trail review | Verification reports, user activity timeline |
| CC7.4 | Respond to incidents | Audit trail | Immutable evidence for investigation |
Evidence export:
The system generates SOC 2 CC7.2 evidence packages containing chain verification proof, sample audit entries, and control narratives suitable for auditor review.
GDPR (General Data Protection Regulation)
GDPR applies to any company processing EU residents' data. The following articles have corresponding Aleutian features.
| Article | Requirement | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| Art. 5(1)(a) | Lawfulness, fairness, transparency | Audit trail | Proves what data was processed and when |
| Art. 5(1)(c) | Data minimization | PII detection | Identifies personal data in AI conversations |
| Art. 5(1)(d) | Accuracy | Immutable logs | Proves data state at any point in time |
| Art. 5(1)(e) | Storage limitation | Retention automation | Auto-delete after configurable period |
| Art. 5(1)(f) | Integrity and confidentiality | Hash chain | Cryptographic integrity guarantee |
| Art. 5(2) | Accountability | Compliance reports | Exportable verification reports |
| Art. 12 | Transparent communication | Audit logs | Complete record of processing activities |
| Art. 15 | Right of access | User query | Retrieve all data by user ID |
| Art. 17 | Right to erasure | GDPR deletion | Delete user data + cryptographic certificate |
| Art. 30 | Records of processing | Processing logs | Automated Article 30 report generation |
| Art. 32 | Security of processing | Integrity controls | Hash chain, encryption, monitoring |
| Art. 33 | Breach notification | PII alerting | Automated PII alerts support 72-hour notification window |
GDPR Deletion Flow:
- Customer receives deletion request for user X
- Customer calls the Aleutian API: `DELETE /v1/gdpr/users/{user_id}`
- Aleutian returns the list of affected message hashes
- Aleutian deletes the payloads but preserves the chain structure
- Aleutian issues a cryptographic deletion certificate
- Customer uses the returned hashes to delete the same messages from their own systems
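As an added illustration of the flow above (constructed example, not Aleutian's own code; the entry layout, certificate format and the HMAC key are assumptions), a minimal hash chain in which deletion erases payloads, leaves every link verifiable, and issues a keyed deletion certificate listing the affected message hashes:

```python
import hashlib
import hmac
import json

# Constructed illustration of a hash-chained audit log with erasable payloads.
GENESIS = "0" * 64
CERT_KEY = b"constructed-demo-key"  # assumed: held only by the audit service


def sha(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def append_entry(chain: list, user_id: str, payload: str) -> str:
    # The link commits to the payload hash, not the payload, so the payload
    # can later be erased without breaking the chain.
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    user_ref, payload_hash = sha(user_id), sha(payload)  # pseudonymous user reference
    entry_hash = sha(f"{prev}|{user_ref}|{payload_hash}")
    chain.append({"prev": prev, "user_ref": user_ref, "payload": payload,
                  "payload_hash": payload_hash, "entry_hash": entry_hash})
    return entry_hash


def verify_chain(chain: list) -> bool:
    # Recompute every link; erased entries (payload None) still verify.
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev:
            return False
        if e["payload"] is not None and sha(e["payload"]) != e["payload_hash"]:
            return False
        if sha(f"{prev}|{e['user_ref']}|{e['payload_hash']}") != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


def delete_user(chain: list, user_id: str) -> tuple:
    # Erase the user's payloads; return the affected message hashes (for the
    # customer's own cleanup) and an HMAC certificate over the deletion record.
    user_ref, affected = sha(user_id), []
    for e in chain:
        if e["user_ref"] == user_ref and e["payload"] is not None:
            affected.append(e["payload_hash"])
            e["payload"] = None
    body = json.dumps({"user_ref": user_ref, "deleted": affected}, sort_keys=True)
    return affected, {"body": body, "mac": hmac.new(CERT_KEY, body.encode(), "sha256").hexdigest()}


def verify_certificate(cert: dict) -> bool:
    expected = hmac.new(CERT_KEY, cert["body"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(cert["mac"], expected)
```

Verification of an erased entry recomputes the link from the stored payload hash alone, which is why the chain structure survives the deletion while any later edit to a surviving payload still breaks it.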
HIPAA Security Rule
HIPAA applies to healthcare organizations (Covered Entities) and their vendors (Business Associates).
| Section | Requirement | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| §164.312(a)(2)(i) | Unique user identification | User ID tracking | Every request tagged with user ID |
| §164.312(b) | Audit controls | Audit trail | Immutable log of all PHI access |
| §164.312(c)(1) | Integrity | Hash chain | Cryptographic proof data wasn't altered |
| §164.312(c)(2) | Mechanism to authenticate ePHI | Verification API | Prove authenticity of any record |
| §164.312(d) | Person or entity authentication | User attribution | User ID in every log entry |
| §164.312(e)(1) | Transmission security | TLS + hashing | Encrypted transport, integrity verification |
| §164.312(e)(2)(i) | Integrity controls | Per-message hash | Each message has integrity proof |
| §164.308(a)(1)(ii)(D) | Information system activity review | Dashboard | Visual review of all activity |
| §164.308(a)(5)(ii)(C) | Log-in monitoring | User timeline | Track all user access patterns |
NIST Cybersecurity Framework (CSF)
NIST CSF is widely adopted across industries, especially in government and critical infrastructure.
| Function | Category | Subcategory | Aleutian Feature |
|---|---|---|---|
| Identify | ID.AM-3 | Data flows mapped | Audit trail records all AI data flows |
| Identify | ID.AM-5 | Resources prioritized | PII detection identifies sensitive data |
| Protect | PR.AC-1 | Identities managed | User ID tracking |
| Protect | PR.DS-1 | Data-at-rest protected | Encrypted storage with integrity hash |
| Protect | PR.DS-2 | Data-in-transit protected | TLS + per-message hashing |
| Protect | PR.DS-6 | Integrity checking | Hash chain verification |
| Protect | PR.IP-1 | Configuration managed | Immutable audit of system state |
| Detect | DE.AE-2 | Events analyzed | PII detection, anomaly alerting |
| Detect | DE.AE-3 | Event data collected | Full conversation capture (browser, API, code tools) |
| Detect | DE.CM-1 | Network monitored | All AI conversations logged |
| Detect | DE.CM-3 | Personnel activity monitored | User activity timeline |
| Detect | DE.CM-7 | Unauthorized activity detected | Activity anomaly detection |
| Respond | RS.AN-1 | Notifications investigated | Forensic timeline for incidents |
| Respond | RS.AN-3 | Forensics performed | Immutable chain of custody |
NIST 800-53 (Security Controls)
NIST 800-53 is required for federal systems (FedRAMP) and widely used as a security baseline.
| Control | Name | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| AU-2 | Audit Events | Audit trail | Captures all AI conversation events |
| AU-3 | Content of Audit Records | Full logging | Request, response, timestamp, user ID, model |
| AU-6 | Audit Review, Analysis, Reporting | Dashboard + reports | Visual review, exportable reports |
| AU-9 | Protection of Audit Information | Hash chain | Tampering is cryptographically detectable |
| AU-10 | Non-repudiation | Verification API | Cryptographic proof of events |
| AU-11 | Audit Record Retention | Retention automation | Configurable retention periods |
| AU-12 | Audit Generation | Automatic logging | All requests logged automatically |
| SI-4 | System Monitoring | PII detection | Continuous monitoring for sensitive data |
| SI-7 | Integrity Verification | Hash chain | Verify integrity of any record |
| PM-5 | System Inventory | PII detection | Data inventory via scanning |
ISO 27001:2022
ISO 27001 is the international standard for information security management systems (ISMS).
| Control | Name | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| A.5.33 | Protection of records | Hash chain | Tamper-evident audit logs |
| A.8.10 | Information deletion | GDPR deletion | Secure deletion with certificates |
| A.8.11 | Data masking | Privacy Firewall | Optional PII redaction |
| A.8.12 | Data leakage prevention | PII detection | Detects sensitive data in AI conversations |
| A.8.15 | Logging | Audit trail | Full conversation logging across capture sources |
| A.8.16 | Monitoring activities | Dashboard + alerting | Real-time monitoring and alerts |
| A.8.17 | Clock synchronization | Timestamps | UTC timestamps on all entries |
PCI DSS v4.0
PCI DSS applies if you process, store, or transmit payment card data.
| Requirement | Name | Aleutian Feature | Evidence Provided |
|---|---|---|---|
| 10.2 | Audit logs enabled | Audit trail | Automatic logging of all events |
| 10.2.1 | Log user access | User tracking | User ID on every request |
| 10.3 | Audit logs protected | Hash chain | Cryptographic integrity protection |
| 10.4.1 | Audit logs reviewed | Dashboard | Visual log review capability |
| 10.5 | Audit log integrity | Hash chain | Tamper-evident via cryptographic linking |
| 10.7 | Audit log retention | Retention automation | Configurable retention periods |
| 12.10.5 | Incident response | Audit trail review | Complete timeline for investigations |
CCPA / CPRA (California Privacy)
California's privacy laws grant consumers rights similar to GDPR.
| Right | Aleutian Feature | How It Helps |
|---|---|---|
| Right to Know | User query API | Retrieve all data associated with a user |
| Right to Delete | GDPR deletion flow | Same deletion mechanism works for CCPA |
| Right to Opt-Out | Audit trail | Proves data handling practices |
| Data Inventory | PII detection | Shows what personal data is collected |
EU AI Act
The EU AI Act introduces logging and transparency requirements for AI systems. The following articles are relevant to AI conversation auditing.
| Article | Requirement | Aleutian Feature | How It Helps |
|---|---|---|---|
| Art. 12 | Record-keeping | Audit trail | Comprehensive logs of AI inputs/outputs |
| Art. 13 | Transparency | Audit logs | Shows what AI systems processed |
| Art. 14 | Human oversight | Dashboard | Enables human review of AI activity |
| Art. 17 | Quality management | Verification | Integrity verification of records |
Framework-specific evidence packages
Aleutian exports audit evidence formatted for SOC 2, GDPR, HIPAA, and other frameworks listed above. See the pricing page for tier details.