Compliance Controls and Framework Status
Short answer
This page is the authoritative reference for ProvenanceOne's compliance posture. It distinguishes between security controls that are confirmed as implemented in the product and compliance certifications or audit statuses that have not been confirmed. Enterprise buyers should use the pre-contract checklist at the bottom of this page before signing.
Warning: This page is written for accuracy, not marketing. No compliance certification is claimed unless explicitly confirmed. Items marked "Needs product confirmation" must be verified directly with ProvenanceOne before being relied upon in vendor assessments, security questionnaires, or contractual commitments.
What customers need to know
ProvenanceOne has implemented a set of security controls consistent with enterprise compliance requirements. These controls are confirmed from the codebase and infrastructure. However, the existence of controls is not the same as a certification or third-party audit. No SOC 2 Type II report, ISO 27001 certificate, HIPAA BAA, or equivalent has been confirmed as available.
Procurement teams and CISOs should distinguish between:
- Controls — technical or process measures in the product (confirmed below)
- Certifications — third-party audits that validate those controls (not confirmed)
Section 1: Security controls implemented
The following controls are confirmed from the ProvenanceOne codebase and infrastructure. Each includes the relevant compliance framework mapping where applicable.
Audit log immutability
Every audit event is written with a mac field computed as a HMAC-SHA256 digest over the canonical event body. The MAC is stored alongside the event record. This field provides cryptographic evidence that an event has not been altered after creation.
- Framework mapping: SOC 2 Type II CC7.2 (system monitoring), B2 (logical and physical access controls evidence)
- Retention: 7-year TTL on audit event records
Role-based access control (RBAC)
Three workspace roles govern human access:
| Role | platform group | Capability summary |
|---|---|---|
admin | workspace-admins | Full workspace management, member control, billing, GDPR erasure |
editor | operators | Create and manage workflows, agents, skills, connections |
viewer | viewers | Read-only access to runs, audit log, and workspace state |
A separate approvers platform group is used for approval workflow gating.
- Framework mapping: SOC 2 Type II CC6.1 (logical access controls), CC6.2 (new user access)
API key scopes — least privilege
Workspace API keys carry one or more of 16 named permission scopes. A key can only access the resources its scopes explicitly permit. This enforces least privilege for programmatic integrations.
- Framework mapping: SOC 2 Type II CC6.3 (role-based access)
Agent and skill trust levels
Agents are assigned a trust level (low, medium, high) that governs what they are permitted to do at runtime. Skills are similarly trust-rated.
- Framework mapping: SOC 2 Type II CC6.1 (access control), CC6.6 (logical access restrictions)
Credential management via the secrets vault
All integration credentials, API keys for external services, and workspace secrets are stored in the secrets vault, not in the application database. Secrets are never returned in API responses.
- Framework mapping: SOC 2 Type II CC6.7 (restricting access to authorised personnel)
Approval workflows with SLA enforcement and audit trail
Approval steps in workflows require explicit human approval or rejection before execution continues. Each approval records: action, risk level, assignees, rationale, confidence, evidence, and an SLA deadline. SLA breaches emit audit events. All approval decisions are immutably logged.
- Framework mapping: SOC 2 Type II CC6.6 (change management), CC4.1 (monitoring)
GDPR data erasure endpoint
POST /workspace/members/{userId}/erase removes a member and replaces their personId field in all historical audit records with a tombstone value. The erasure action itself is logged as a member.erased event (risk: critical).
- Framework mapping: GDPR Article 17 (right to erasure)
Encryption in transit
All platform API endpoints operate over TLS. TLS termination is handled by the API layer with a minimum of TLS 1.2.
- Framework mapping: SOC 2 Type II CC6.7 (encryption of data in transit)
Encryption at rest
| Data category | Encryption mechanism |
|---|---|
| Object storage (datastores) | platform-managed server-side encryption at rest |
| Secrets | the secrets vault with platform-managed encryption key |
| platform database tables | encryption at rest |
| Approval task tokens | encrypted before storage |
| Audit event MAC | HMAC-SHA256 |
- Framework mapping: SOC 2 Type II CC6.7 (encryption of data at rest)
MCP Gateway DLP (input/output redaction)
The MCP Gateway proxies all tool calls from agents. Gateway policies can apply input redaction and output redaction rules — regular-expression or JSONPath-based patterns that scrub sensitive data before it is sent to or received from external tools. This is the primary runtime data loss prevention control.
- Framework mapping: SOC 2 Type II CC6.7 (data handling restrictions)
Section 2: Compliance framework status
Note: The table below distinguishes between "confirmed controls" and "confirmed certification/audit." Controls being present does not imply that a third-party audit has been completed or that a certification is available.
| Framework | Status | Controls implemented | Certification / audit status |
|---|---|---|---|
| SOC 2 Type II | Controls implemented; certification unconfirmed | Audit immutability (CC7.2/B2), RBAC (CC6.1), API key scopes (CC6.3), the secrets vault (CC6.7), approval workflows (CC6.6), TLS and encryption (CC6.7) | Needs product confirmation |
| ISO 27001 | Unconfirmed | — | Needs product confirmation |
| GDPR | Partial controls confirmed | Data erasure endpoint (Article 17), PersonID field erasure, audit trail | DPA availability and full GDPR compliance chain: needs product confirmation |
| HIPAA | Unconfirmed | — | BAA availability: needs product confirmation |
| PCI DSS | Unconfirmed | Stripe handles payment processing; platform is not a payment processor | PCI scope and certification: needs product confirmation |
| EU AI Act | Unconfirmed | Approval workflows and human-in-the-loop controls are architecturally relevant | Formal EU AI Act compliance posture: needs product confirmation |
| FedRAMP | Unconfirmed | government cloud not confirmed in use | FedRAMP authorization: needs product confirmation |
Needs product confirmation: SOC 2 Type II audit status and whether a SOC 2 Type II report is available (under NDA or publicly).
Needs product confirmation: ISO 27001 certification status and certificate number.
Needs product confirmation: HIPAA Business Associate Agreement (BAA) availability and scope.
Needs product confirmation: Whether a GDPR Article 28 Data Processing Agreement is available for customers to execute.
Needs product confirmation: EU AI Act compliance posture and whether ProvenanceOne has conducted an AI Act conformity assessment.
Needs product confirmation: FedRAMP authorization status.
Section 3: Security controls reference
This page is the compliance hub for the ProvenanceOne Trust Centre. The following pages provide detailed reference for each control area:
| Security domain | Reference page |
|---|---|
| Authentication and identity | SSO and Identity Management |
| RBAC and permissions | RBAC and Permissions |
| Audit log and immutability | Audit Log |
| Data handling and storage | Data Handling |
| DLP and MCP Gateway policies | Gateway Policies and DLP |
| Third-party subprocessors | Subprocessors |
| API key management | API Keys |
| GDPR erasure | GDPR Erasure |
Section 4: Pre-contract security review checklist
Enterprise buyers should complete the following before signing a ProvenanceOne contract. Items marked (confirm with ProvenanceOne) require direct engagement with the ProvenanceOne team.
Data handling and residency
- Review the Data Handling page and confirm data storage locations match your residency requirements
- Confirm which data regions your workspace data will be stored in (confirm with ProvenanceOne)
- If EEA data residency is required, confirm whether an EU region-only deployment is available (confirm with ProvenanceOne)
Third parties and subprocessors
- Request the complete, current subprocessor list from ProvenanceOne
- Review AI provider data handling policies for each provider your workflows will use (Anthropic, OpenAI, Google, Azure OpenAI)
- Confirm GDPR Article 28 DPA availability and execute if required (confirm with ProvenanceOne)
- Confirm Standard Contractual Clauses or equivalent transfer mechanisms for any EEA-to-third-country data flows (confirm with ProvenanceOne)
Audit and certification
- Request SOC 2 Type II report or confirm audit status and expected timeline (confirm with ProvenanceOne)
- Review audit log retention policy against your compliance requirements (7-year TTL is confirmed)
- Confirm whether SOC 2 or equivalent report is available under NDA (confirm with ProvenanceOne)
Identity and access
- Verify SSO and SCIM options for your identity provider (confirm with ProvenanceOne — see SSO page)
- Confirm MFA enforcement options for your workspace users (confirm with ProvenanceOne)
- Test RBAC model against your access control requirements using the permissions reference
AI model governance
- Review which AI providers will be used and confirm enterprise data handling terms directly with each provider
- Confirm whether ProvenanceOne has zero-retention or enterprise agreements with AI providers (confirm with ProvenanceOne)
- Review MCP Gateway DLP capabilities for your data redaction requirements (Gateway Policies and DLP)
- Assess agent trust level configuration against your AI governance policy (Trust Levels)
Vulnerability and incident management
- Request penetration test results or confirm penetration testing frequency and scope (confirm with ProvenanceOne)
- Request details of any bug bounty or coordinated vulnerability disclosure program (confirm with ProvenanceOne)
- Confirm incident response process and breach notification timeline (confirm with ProvenanceOne)
Regulatory and contractual
- If HIPAA applies, confirm BAA availability before processing PHI (confirm with ProvenanceOne)
- If operating under EU AI Act obligations, confirm ProvenanceOne's AI Act compliance posture (confirm with ProvenanceOne)
- If FedRAMP authorization is required, confirm authorization status and timeline (confirm with ProvenanceOne)
- Confirm data retention and deletion terms match your contractual and regulatory obligations
Auditability
ProvenanceOne's audit log covers the following compliance-relevant event categories:
- Workflow creation, deployment, and modification
- Run execution, approval decisions, and SLA breaches
- Member access changes, invitations, role changes, and removals
- GDPR erasure operations (
member.erased, risk:critical) - Secret access and rotation
- Connection credential changes
- MCP Gateway policy creation, updates, and violations
- API key creation and revocation
All events carry: event type, actor (user, agent, system, or integration), object identifier, risk classification (low, medium, high, critical), timestamp, IP address, and session ID where applicable.
See Audit Log for the full event taxonomy.
Limitations and open questions
| Item | Status |
|---|---|
| SOC 2 Type II audit report | Needs product confirmation |
| ISO 27001 certification | Needs product confirmation |
| HIPAA BAA availability | Needs product confirmation |
| PCI DSS certification scope | Needs product confirmation |
| EU AI Act compliance posture | Needs product confirmation |
| FedRAMP authorization | Needs product confirmation |
| GDPR DPA availability | Needs product confirmation |
| Penetration test results | Needs product confirmation |
| Vulnerability disclosure program | Needs product confirmation |
| Incident response SLA and breach notification timeline | Needs product confirmation |
| Disaster recovery RTO/RPO targets | Needs product confirmation |
| Employee security training program | Needs product confirmation |
| Data residency options | Needs product confirmation |
FAQ
Is ProvenanceOne SOC 2 Type II certified?▾
ProvenanceOne has implemented controls designed to support SOC 2 Type II requirements, including audit log immutability with HMAC-SHA256 (CC7.2/B2), RBAC (CC6.1), API key scopes (CC6.3), the secrets vault (CC6.7), and approval workflows with audit trails (CC6.6). Whether a SOC 2 Type II audit has been completed and whether a report is available has not been confirmed. Contact ProvenanceOne to request audit status.
Is ProvenanceOne HIPAA compliant?▾
HIPAA BAA availability has not been confirmed. If you intend to process Protected Health Information (PHI) on ProvenanceOne, confirm BAA availability with ProvenanceOne before doing so.
Does ProvenanceOne have a GDPR Data Processing Agreement?▾
Whether a GDPR Article 28 DPA is available for customers to execute has not been confirmed from the codebase or product documentation. ProvenanceOne has implemented specific GDPR controls including a data erasure endpoint and PersonID field erasure in audit events. Request DPA availability from ProvenanceOne before relying on GDPR compliance for your obligations.
How long are audit logs retained?▾
Audit event records are retained for 7 years. This retention period is confirmed from the codebase infrastructure configuration. Whether this floor is configurable downward per workspace has not been confirmed.
Can I verify that audit logs have not been tampered with?▾
Yes. Every audit event carries a HMAC-SHA256 MAC field computed over the canonical event body at creation time. The MAC can be recomputed using the same platform key management key to verify event integrity. This is the mechanism used to provide evidence of audit log immutability.
What encryption does ProvenanceOne use?▾
Data at rest is encrypted with platform-managed keys: server-side encryption at rest for datastores, the secrets vault with platform-managed key for secrets, and encryption for platform database tables. Approval task tokens are encrypted before storage. All data in transit uses TLS 1.2 or higher via the API layer.
Does ProvenanceOne have a penetration testing program?▾
Whether ProvenanceOne conducts penetration tests, their frequency, scope, and whether results are shared with customers has not been confirmed. Request this information from ProvenanceOne as part of your vendor security assessment.
Related pages
- Subprocessors — Third parties that process data and GDPR considerations
- SSO and Identity Management — Authentication, SSO, and access control
- Data Handling — Data storage, retention, and residency
- Audit Log — Event taxonomy, immutability, and retention reference
- RBAC and Permissions — Role-to-capability matrix
- Gateway Policies and DLP — MCP Gateway data loss prevention controls
- GDPR Erasure — Right to erasure implementation