Kaiza MCP Server

MCP-server
docs
enterprise-guide

COMPLIANCE.md

COMPLIANCE.md•12.8 KiB

# Compliance & Regulatory Framework *This guide explains how ATLAS-GATE-MCP supports compliance with major regulatory frameworks and security standards. Written for security, compliance, and enterprise teams.* --- ## Table of Contents 1. [Quick Compliance Status](#quick-compliance-status) 2. [Supported Frameworks](#supported-frameworks) 3. [Control Mapping](#control-mapping) 4. [Audit-Ready Features](#audit-ready-features) 5. [Deployment Considerations](#deployment-considerations) 6. [Data Handling & Privacy](#data-handling--privacy) 7. [Certification Roadmap](#certification-roadmap) --- ## Quick Compliance Status | Framework | Status | Readiness | Notes | |-----------|--------|-----------|-------| | **SOC 2 Type II** | 🟡 In Progress | 90% | Audit procedures in place; evidence collection ongoing | | **ISO 27001** | 🟡 Ready (with config) | 85% | Requires organization-level configuration | | **GDPR** | 🟢 Compliant | 95% | Full data handling documentation provided | | **HIPAA** | 🟡 Supportable | 80% | Requires BAA and deployment configuration | | **FedRAMP** | 🟡 In Progress | 70% | Framework supports but not yet approved | | **NIST CSF** | 🟢 Aligned | 90% | Architecture follows NIST Cybersecurity Framework | | **CIS Controls** | 🟢 Aligned | 85% | Implements most v8.0 controls | --- ## Supported Frameworks ### **SOC 2 Type II (Service Organization Controls)** **Purpose**: Demonstrates that a service has adequate security controls. **ATLAS-GATE-MCP Supports**: - ✅ CC6.1: Logical and physical access controls - ✅ CC7.2: System monitoring and change management - ✅ CC7.4: Abuse and unauthorized activities detection - ✅ A1.2: Relevant risks identified and analyzed - ✅ POO2.1: Process efficiency and effectiveness **Implementation Requirements**: 1. Enable audit logging (enabled by default) 2. Configure access controls (role-based: Windsurf/Antigravity) 3. Regular log review (monthly recommended) 4. Incident response procedures (documented in SECURITY_RESPONSE.md) **Evidence Artifacts**: - Audit log (immutable, cryptographically signed) - Configuration documentation - Incident response records - Access control matrix **Compliance Timeline**: - Week 1-2: Configure ATLAS-GATE-MCP - Week 3-8: Operational period (collect evidence) - Week 9-12: Audit by qualified firm --- ### **ISO 27001 (Information Security Management)** **Purpose**: Comprehensive information security management system certification. **ATLAS-GATE-MCP Provides**: - A.5.1: Management direction for information security (plans + governance) - A.5.2: Information security policies (documented in CODE_OF_CONDUCT.md) - A.6.1: Organization of roles and responsibilities (clear RBAC model) - A.8.1: Asset management (audit trail provides accountability) - A.9.1: Access control policies (role-based access via Windsurf/Antigravity) - A.12.4: Logging and monitoring (comprehensive audit logs) - A.18.1: Incident management (documented procedures) **Implementation Requirements**: 1. Document information security policy (use SECURITY.md as foundation) 2. Establish roles and responsibilities (map to Windsurf/Antigravity roles) 3. Create access control procedures (documented) 4. Implement monitoring and audit logging (built-in) 5. Define incident response (follow SECURITY_RESPONSE.md) **Certification Process**: 1. Gap analysis (identify what's needed) 2. Implementation (configure and document) 3. Internal audit (3-6 months of operation) 4. Management review (executive sign-off) 5. External audit (by accredited body) 6. Certification awarded (valid 3 years) --- ### **GDPR (General Data Protection Regulation)** **Purpose**: Protect personal data privacy of EU residents. **Key Compliance Areas**: #### **Lawful Processing (Article 6)** ATLAS-GATE-MCP provides: - Clear audit trails (proof of lawful processing) - Consent documentation support - Purpose limitation (plan-based authorization) #### **Data Subject Rights (Articles 15-22)** Supported mechanisms: - **Access**: Audit logs provide complete activity history - **Rectification**: Change control through plans - **Erasure**: Document deletion capabilities with audit - **Restriction**: Role-based access controls - **Portability**: Data export formats supported - **Objection**: Policy override procedures #### **Data Protection by Design (Article 25)** ATLAS-GATE-MCP implements: - Principle of least privilege (role-based access) - Data minimization (only necessary audit details) - Purpose limitation (plan-based authorization) - Integrity and confidentiality controls #### **Data Processing Agreements (DPA)** Requirements: - Processor must sign Data Processing Agreement - Document data flows (see DATA_FLOWS.md) - Define sub-processor relationships - Establish data retention policies - Define deletion procedures **Implementation Checklist**: - [ ] Privacy policy references ATLAS-GATE-MCP - [ ] Data flow diagram documents where data flows - [ ] DPA signed with processor - [ ] Data retention policy established - [ ] Deletion procedures documented - [ ] Data breach procedures in place - [ ] Privacy impact assessment completed --- ### **HIPAA (Health Insurance Portability and Accountability Act)** **Purpose**: Protect health information privacy in USA. **ATLAS-GATE-MCP Supports**: - 45 CFR 164.306: Security standards (technical controls in place) - 45 CFR 164.308: Administrative safeguards (policies provided) - 45 CFR 164.310: Physical safeguards (sandbox isolation) - 45 CFR 164.312: Technical safeguards (encryption, audit) - 45 CFR 164.314: Organizational standards (documentation provided) **Requirements for Compliance**: 1. **Business Associate Agreement (BAA)**: - Must be signed with ATLAS-GATE-MCP provider - Defines responsibilities for health data handling 2. **Technical Safeguards**: - ✅ Encryption at rest (configure with deployment) - ✅ Encryption in transit (use TLS) - ✅ Audit controls (immutable audit logs) - ✅ Access controls (role-based) 3. **Administrative Safeguards**: - Security awareness training (provide to users) - Workforce security procedures (document) - Information access management (RBAC via ATLAS-GATE-MCP) - Security awareness and training (annual) 4. **Physical Safeguards**: - Facility access controls (restrict server room access) - Workstation use policies (document usage rules) - Workstation security (secure development machines) **Compliance Steps**: 1. Sign Business Associate Agreement 2. Conduct risk analysis 3. Implement required safeguards 4. Document security procedures 5. Annual risk assessment 6. Incident response procedures --- ### **NIST Cybersecurity Framework (CSF)** **Purpose**: Voluntary framework for managing cybersecurity risk. **ATLAS-GATE-MCP Alignment**: #### **Identify** - Asset management (audit trail identifies all operations) - Business environment documentation (provided) - Risk assessment (security model in docs) #### **Protect** - Access control (RBAC, plan-based authorization) - Data protection (encryption support) - Information protection (audit trail integrity) - Protective technology (sandbox isolation) #### **Detect** - Anomaly detection (monitor audit logs) - Detection processes (audit review procedures) - Security monitoring (log analysis recommended) #### **Respond** - Response planning (documented procedures) - Communications (incident notification) - Analysis (audit logs support forensics) - Mitigation (documented response steps) #### **Recover** - Recovery planning (disaster recovery guide) - Improvement (post-incident lessons learned) **Using ATLAS-GATE-MCP for NIST CSF**: 1. Reference NIST CSF in security policy 2. Map ATLAS-GATE-MCP controls to CSF functions 3. Document how each framework category is addressed 4. Regular review and updates --- ## Control Mapping ### **Security Control Matrix** | Control Category | ATLAS-GATE-MCP Feature | Implementation | Evidence | |------------------|------------------------|-----------------|----------| | **Access Control** | RBAC (Windsurf/Antigravity) | Role-based permissions | Configuration docs | | **Audit Logging** | Immutable audit trail | Cryptographically signed | audit-log.jsonl | | **Authentication** | Session-based with tokens | Session management | Session logs | | **Authorization** | Plan-based approval | Plans required for operations | Plan documents | | **Encryption** | Supports encryption (TLS, AES) | Configure during deployment | Deployment guide | | **Integrity** | SHA256 content hashing | Automatic on file operations | Audit entries | | **Confidentiality** | Data isolation by role | RBAC + workspace binding | Configuration | | **Non-repudiation** | Cryptographic signatures | All audit entries signed | Audit log format | | **Change Control** | Plan-based authorization | Required before changes | Plan references | | **Incident Response** | Comprehensive audit trail | Full operation history | Audit logs | --- ## Audit-Ready Features ### **Features Built for Auditors** 1. **Immutable Audit Trail** - Cannot be deleted or modified - Cryptographically signed - Provides non-repudiation - Format: JSONL for easy parsing 2. **Comprehensive Logging** - Every operation logged - Timestamp, user, action, result - Change details (what changed, how) - Success/failure status 3. **Session Isolation** - Each session has unique ID - All operations correlated - Full traceability 4. **Authorization Evidence** - Plans reference in audit logs - Role verification documented - Permission checking logged 5. **Static Analysis Results** - Content validation documented - Security patterns identified - Policy violations recorded ### **Audit Log Example** ```json { "timestamp": "2026-02-04T14:30:45.123Z", "sessionId": "sess-abc123def456", "requestId": "req-xyz789", "operation": "file_write", "file": "src/app.js", "role": "WINDSURF", "plan": "plan-001-update-app", "status": "SUCCESS", "details": { "size": 2450, "hash": "sha256:abc123...", "linesChanged": 15 }, "signature": "RSA-SHA256:xyz789..." } ``` --- ## Deployment Considerations ### **Secure Deployment Checklist** - [ ] TLS/SSL enabled (all connections encrypted) - [ ] Audit logs encrypted at rest - [ ] Access logs enabled and monitored - [ ] Firewall configured (minimize exposed ports) - [ ] Regular backups scheduled - [ ] Disaster recovery tested - [ ] Monitoring and alerting enabled - [ ] Regular security updates applied - [ ] Incident response plan documented - [ ] Data retention policy implemented --- ## Data Handling & Privacy ### **Data Classification** ATLAS-GATE-MCP handles: | Data Type | Classification | Handling | |-----------|-----------------|----------| | Audit logs | Internal confidential | Encrypted, retained per policy | | User session data | Internal confidential | Memory only, cleared on logout | | Plans | Business sensitive | Version controlled, auditable | | Configuration | Internal | Encrypted at rest | | File content | As classified by user | User responsible for security | ### **Data Retention Policy** Recommended defaults (configure per organization): | Data Type | Retention Period | Justification | |-----------|------------------|---| | Audit logs | 7 years | Legal compliance, SOC 2 | | Session data | 90 days | Security investigation window | | Deleted files | 30 days | Disaster recovery capability | | Configuration | Indefinite | Change history tracking | ### **Data Deletion Procedures** To delete data: 1. Initiate deletion with plan 2. Log deletion in audit trail 3. Securely delete from storage 4. Archive audit reference (7 years) 5. Verify deletion --- ## Certification Roadmap ### **Current Status (Feb 2026)** **Completed**: - ✅ GDPR readiness (documentation complete) - ✅ NIST CSF alignment (documented) - ✅ CIS Controls alignment (most v8.0 controls) **In Progress**: - 🟡 SOC 2 Type II (operational evidence collection) - 🟡 ISO 27001 (configuration validation) - 🟡 FedRAMP (security assessment phase) **Planned (2026-2027)**: - HIPAA BAA (business associate agreement) - PCI-DSS (if handling payment data) - NIST SP 800-171 (if federal contracts) ### **Getting Certified** To certify your organization: 1. **Choose framework** (SOC 2, ISO 27001, etc.) 2. **Implement controls** (use this guide) 3. **Document compliance** (create evidence artifacts) 4. **Audit evidence** (collect for specified period) 5. **Engage auditor** (external, accredited firm) 6. **Remediate findings** (fix any gaps) 7. **Achieve certification** (valid period) 8. **Maintain compliance** (annual reviews) --- ## Support & Questions - **General questions**: compliance@atlas-gate-mcp.org - **Certification questions**: Contact a compliance professional - **Technical support**: See [Support SLA](./SUPPORT_SLA.md) --- **Version**: 2.0.0 **Last Updated**: February 2026 **Audience**: Security teams, compliance officers, enterprise adopters **Status**: Production-ready

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dylanmarriner/MCP-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

COMPLIANCE.md•12.8 KiB