Compliance & Encryption

SOC2 Controls

Gatekeeper provides built-in controls that map to SOC2 Trust Service Criteria across security, availability, and confidentiality.

Control	Implementation	SOC2 Criteria
Audit Trail	SHA-256 hash-chained audit log with dual-tier storage (Redis Streams + Parquet). 21 structured fields per entry. 7-year retention.	CC7.2
Multi-Factor Authentication	TOTP (RFC 6238) with QR enrollment, backup codes, and per-user/per-org enforcement policies. Grace period for initial setup.	CC6.1
Password Policies	Minimum length, complexity requirements, breach database checks, Argon2id hashing. Configurable expiry and history depth.	CC6.1
Session Management	Server-side sessions with configurable absolute and idle timeout. Concurrent session limits. Immediate invalidation on password change.	CC6.1
IP Allowlisting	Per-organization IP allowlists for API access. CIDR notation support. Requests from non-allowed IPs are rejected with audit logging.	CC6.6
Encryption at Rest	Fernet (AES-128-CBC + HMAC-SHA256) for all sensitive Redis values. Key rotation without data migration. Keys stored in environment or vault.	CC6.7
Consent Records	User consent for data processing is recorded with timestamp, version, and IP. Consent can be reviewed and revoked through the API.	CC2.2

DORA Controls

The Digital Operational Resilience Act (DORA) requires financial entities to manage ICT risks, report incidents, and test resilience. Gatekeeper provides built-in tooling for these requirements.

Incident Management

Create: Structured incident records with severity levels, affected components, detection timestamp, and initial assessment.
Escalate: Configurable escalation workflows based on severity and time thresholds. Automatic notification to designated contacts.
Timeline: Append timestamped events to the incident timeline: detection, triage, containment, resolution, post-mortem. Immutable once written.
Export: Export incident reports in DORA-compliant format for regulatory submission.

Component Inventory

Automatic registration of all platform services with version, dependencies, and SLA targets.
Third-party component tracking with vendor, version, and license information.
Dependency graph visualization for impact analysis during incidents.

Resilience Metrics

SLO Compliance: Track uptime, latency, and error rate against defined Service Level Objectives.
Recovery Time: Measure actual recovery time vs. RTO (Recovery Time Objective) for each service.
Availability Reporting: Monthly and quarterly availability reports with downtime analysis and root cause categorization.

Encryption Primitives

Three cryptographic systems protect data at rest, in transit, and during authentication.

Fernet Encryption

Symmetric encryption for all sensitive data stored in Redis.

AES-128-CBC for encryption
HMAC-SHA256 for authentication
Timestamp-based token validation
Key rotation without re-encryption
Multiple active keys for seamless rotation

Argon2id Password Hashing

Memory-hard password hashing resistant to GPU and ASIC attacks.

Hybrid Argon2i + Argon2d for balanced resistance
Configurable memory cost (default: 64 MB)
Configurable time cost (default: 3 iterations)
Configurable parallelism (default: 4 threads)
Automatic rehashing on parameter changes

RS256 Token Signing

Asymmetric JWT signing for verifiable, tamper-proof tokens.

RSA 2048-bit key pairs
PKCS#1 v1.5 signature scheme
JWKS endpoint for public key distribution
Multi-key support for zero-downtime rotation
JTI-based revocation via Redis blacklist

Transport Security

TLS everywhere with modern cipher suites.

TLS 1.2+ for all external connections
Optional mTLS for inter-service communication
HSTS headers with configurable max-age
Certificate pinning support
Redirect validation to prevent open redirects

Security Properties

A comprehensive matrix of security controls implemented across Gatekeeper.

Property	Implementation	Details
Encryption at Rest	`Fernet (AES-128-CBC)`	All sensitive Redis values encrypted. Keys from environment or vault.
Password Hashing	`Argon2id`	Memory-hard, GPU-resistant. 64 MB memory, 3 iterations, 4 threads.
Token Signing	`RS256 (RSA + SHA-256)`	2048-bit keys with JWKS rotation. Multi-key support.
API Key Comparison	`Constant-time compare`	Prevents timing attacks. Uses `hmac.compare_digest()`.
Rate Limiting	`Sliding window (Redis)`	Per-IP and per-user limits. Configurable per endpoint.
CSRF Protection	`Double-submit cookie`	Stateless CSRF prevention for browser-based requests.
Session Security	`Server-side + Redis`	HttpOnly, Secure, SameSite=Lax cookies. Concurrent session limits.
Redirect Protection	`Allowlist validation`	OAuth2 redirect URIs must match registered patterns. No open redirects.
Input Validation	`Pydantic models`	Strict schema validation on all API inputs. No raw string processing.
Secret Storage	`Environment / Vault`	Secrets never stored in code or config files. Support for HashiCorp Vault.

Observability

Production-grade monitoring, logging, error tracking, and health reporting.

Prometheus Metrics

Expose metrics at /metrics in Prometheus format. Track authentication rates, token issuance, SCIM sync status, error rates, and latency histograms. Pre-built Grafana dashboards available.

Structured Logging

All log output is structured JSON with consistent fields: timestamp, level, service, trace_id, user_id, operation, duration_ms. Compatible with ELK, Datadog, CloudWatch, and any JSON log aggregator.

Sentry Integration

Automatic error capture and reporting to Sentry. Includes request context, user identity (anonymized), stack traces, and breadcrumbs. Configurable sampling rates for performance monitoring.

Health Endpoints

Kubernetes-compatible health probes at /health (liveness) and /ready (readiness). Reports Redis connectivity, key store status, SCIM sync health, and memory usage.