{
  "meta": {
    "page": "https://atroton.com/compliance",
    "last_reviewed": "2026-04-22",
    "total_included": 38,
    "honesty_filter": "Entries reflect standards substantiated in shipped code, infrastructure, and certificates. Claims we cannot substantiate today are excluded.",
    "excluded_from_public_listing": [
      "fips-140-3 (CMVP submission not filed; the product itself is not a validated module)",
      "fips-205 / SLH-DSA (not integrated in shipped Rust code)",
      "nist-sp-800-171 (no SSP/POA&M; aspirational per matrix)",
      "nist-sp-800-193 (platform firmware resiliency — current host has no TPM/firmware attestation)",
      "soc2 (no auditor engaged; Type I target Q3-2026)",
      "eidas-2 (no QTSP partnership; aspirational)",
      "bsi-c5 (no audit initiated; aspirational)",
      "tiber-eu (TLPT not yet conducted; 2027 target)",
      "rfc-3161 TSA (no TSA integration in shipped code)",
      "rfc-9420 MLS (not implemented; prototype 2026)",
      "rfc-9180 HPKE (not invoked in shipped code; PM metadata only)",
      "rfc-3394 AES Key Wrap (not invoked anywhere in shipped code)",
      "chacha20-poly1305 (AEAD cipher not used in shipped code; only a ChaCha-based RNG is present)",
      "webauthn-l3 (no WebAuthn implementation shipped; no PublicKeyCredential in frontend)",
      "fido2-ctap2 (depends on WebAuthn; not shipped)",
      "iso-27001-2022 / iso-27701 / iso-42001 (certifications not obtained)",
      "sigstore (CI workflow exists but no v* tag has ever run it; no signed releases in the wild)",
      "sbom-cyclonedx (no SBOM-generation tool wired into the build or CI pipeline)",
      "slsa (no release has been cut; build provenance track has not executed)",
      "tpm-2 / uefi-secure-boot / luks2 (current Hetzner host is a consumer-class Intel i9-13900 on legacy BIOS with plain ext4; no TPM device; confidential-computing migration tracked in docs/infrastructure-hardening-hetzner-2026-04-21.md)"
    ]
  },
  "families": [
    {
      "id": "crypto",
      "name": "Cryptography",
      "standards": [
        {"id": "fips-197",       "short_name": "FIPS 197",            "full_name": "Advanced Encryption Standard (AES)",         "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/fips/197/final",                      "anchor": "/compliance#fips-197"},
        {"id": "fips-180-4",     "short_name": "FIPS 180-4",          "full_name": "Secure Hash Standard (SHA-2)",               "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/fips/180-4/upd1/final",               "anchor": "/compliance#fips-180-4"},
        {"id": "fips-202",       "short_name": "FIPS 202",            "full_name": "SHA-3 Standard (Keccak)",                    "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/fips/202/final",                      "anchor": "/compliance#fips-202"},
        {"id": "fips-198-1",     "short_name": "FIPS 198-1",          "full_name": "HMAC",                                       "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/fips/198/-1/final",                   "anchor": "/compliance#fips-198-1"},
        {"id": "rfc-5869",       "short_name": "RFC 5869 (HKDF)",     "full_name": "HKDF (HMAC-based Key Derivation)",           "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc5869",                         "anchor": "/compliance#rfc-5869"},
        {"id": "fips-186-5",     "short_name": "FIPS 186-5",          "full_name": "Digital Signature Standard (Ed25519)",       "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/fips/186-5/final",                    "anchor": "/compliance#fips-186-5"},
        {"id": "argon2id",       "short_name": "Argon2id",            "full_name": "Memory-Hard Passphrase KDF (RFC 9106)",      "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc9106",                         "anchor": "/compliance#argon2id"},
        {"id": "sqlcipher",      "short_name": "SQLCipher",           "full_name": "Transparent AES-256 encryption of SQLite",   "status": "comply",                 "official_url": "https://www.zetetic.net/sqlcipher/",                             "anchor": "/compliance#sqlcipher"},
        {"id": "nist-sp-800-88", "short_name": "NIST SP 800-88",      "full_name": "Guidelines for Media Sanitization",          "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/sp/800/88/r1/final",                  "anchor": "/compliance#nist-sp-800-88"}
      ]
    },
    {
      "id": "pq",
      "name": "Post-Quantum Readiness",
      "standards": [
        {"id": "crystals-kyber-r3",     "short_name": "CRYSTALS-Kyber (r3)",    "full_name": "NIST PQC Round-3 Kyber-1024 (ancestor of FIPS 203 ML-KEM)",          "status": "comply", "official_url": "https://pq-crystals.org/kyber/",     "anchor": "/compliance#crystals-kyber-r3"},
        {"id": "crystals-dilithium-r3", "short_name": "CRYSTALS-Dilithium (r3)","full_name": "NIST PQC Round-3 Dilithium3 (ancestor of FIPS 204 ML-DSA)",    "status": "comply", "official_url": "https://pq-crystals.org/dilithium/", "anchor": "/compliance#crystals-dilithium-r3"},
        {"id": "rfc-7748",       "short_name": "RFC 7748",            "full_name": "Curve25519 / X25519 Key Agreement",          "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc7748",                         "anchor": "/compliance#rfc-7748"}
      ]
    },
    {
      "id": "transport",
      "name": "Transport Security",
      "standards": [
        {"id": "rfc-8446",       "short_name": "RFC 8446",            "full_name": "TLS 1.3",                                    "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc8446",                         "anchor": "/compliance#rfc-8446"},
        {"id": "rfc-8996",       "short_name": "RFC 8996",            "full_name": "Deprecating TLS 1.0 and TLS 1.1",            "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc8996",                         "anchor": "/compliance#rfc-8996"},
        {"id": "nist-sp-800-52", "short_name": "NIST SP 800-52 Rev 2","full_name": "Guidelines for TLS Implementations",         "status": "comply-selective",       "official_url": "https://csrc.nist.gov/pubs/sp/800/52/r2/final",                  "anchor": "/compliance#nist-sp-800-52"},
        {"id": "rfc-5280",       "short_name": "RFC 5280",            "full_name": "X.509 Public-Key Infrastructure",            "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc5280",                         "anchor": "/compliance#rfc-5280"},
        {"id": "rfc-8032",       "short_name": "RFC 8032 (EdDSA)",    "full_name": "Ed25519 signatures",                         "status": "comply",                 "official_url": "https://www.rfc-editor.org/rfc/rfc8032",                         "anchor": "/compliance#rfc-8032"}
      ]
    },
    {
      "id": "auth",
      "name": "Authentication & Identity",
      "standards": [
        {"id": "nist-sp-800-63b","short_name": "NIST SP 800-63B",     "full_name": "Digital Identity — Authentication (AAL2)",   "status": "comply",                 "official_url": "https://pages.nist.gov/800-63-4/sp800-63b.html",                  "anchor": "/compliance#nist-sp-800-63b"}
      ]
    },
    {
      "id": "privacy",
      "name": "Privacy & Data Protection",
      "standards": [
        {"id": "gdpr-art-25",    "short_name": "GDPR Art. 25",        "full_name": "Data Protection by Design and by Default",   "status": "comply → exceed",        "official_url": "https://gdpr.eu/article-25-data-protection-by-design/",          "anchor": "/compliance#gdpr-art-25"},
        {"id": "gdpr-art-32",    "short_name": "GDPR Art. 32",        "full_name": "Security of Processing",                     "status": "comply → exceed",        "official_url": "https://gdpr.eu/article-32-security-of-processing/",             "anchor": "/compliance#gdpr-art-32"},
        {"id": "gdpr-art-17",    "short_name": "GDPR Art. 17",        "full_name": "Right to Erasure",                           "status": "comply",                 "official_url": "https://gdpr.eu/article-17-right-to-be-forgotten/",              "anchor": "/compliance#gdpr-art-17"},
        {"id": "gdpr-art-30",    "short_name": "GDPR Art. 30",        "full_name": "Records of Processing Activities",           "status": "comply",                 "official_url": "https://gdpr.eu/article-30-records-of-processing-activities/",   "anchor": "/compliance#gdpr-art-30"},
        {"id": "iso-27018",      "short_name": "ISO/IEC 27018",       "full_name": "PII Protection in Public Clouds",            "status": "comply → exceed",        "official_url": "https://www.iso.org/standard/76559.html",                        "anchor": "/compliance#iso-27018"}
      ]
    },
    {
      "id": "governance",
      "name": "Governance, Risk & Frameworks",
      "standards": [
        {"id": "nist-csf-2",     "short_name": "NIST CSF 2.0",        "full_name": "NIST Cybersecurity Framework 2.0",           "status": "comply",                 "official_url": "https://www.nist.gov/cyberframework",                            "anchor": "/compliance#nist-csf-2"},
        {"id": "nist-sp-800-53", "short_name": "NIST SP 800-53",      "full_name": "Security and Privacy Controls (Rev 5)",      "status": "comply-selective",       "official_url": "https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final",             "anchor": "/compliance#nist-sp-800-53"},
        {"id": "nist-sp-800-207","short_name": "NIST SP 800-207",     "full_name": "Zero-Trust Architecture",                    "status": "exceed",                 "official_url": "https://csrc.nist.gov/pubs/sp/800/207/final",                    "anchor": "/compliance#nist-sp-800-207"},
        {"id": "nist-sp-800-218","short_name": "NIST SP 800-218",     "full_name": "Secure Software Development Framework v1.1", "status": "comply",                 "official_url": "https://csrc.nist.gov/pubs/sp/800/218/final",                    "anchor": "/compliance#nist-sp-800-218"},
        {"id": "cis-controls",   "short_name": "CIS Controls v8.1",   "full_name": "CIS Critical Security Controls",             "status": "comply",                 "official_url": "https://www.cisecurity.org/controls",                            "anchor": "/compliance#cis-controls"},
        {"id": "mitre-attack",   "short_name": "MITRE ATT&CK",        "full_name": "Adversary Tactics, Techniques & Common Knowledge", "status": "comply",           "official_url": "https://attack.mitre.org/",                                      "anchor": "/compliance#mitre-attack"},
        {"id": "cisa-kev",       "short_name": "CISA KEV Catalog",    "full_name": "Known-Exploited Vulnerabilities Catalog",    "status": "comply",                 "official_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",   "anchor": "/compliance#cisa-kev"},
        {"id": "hipaa",          "short_name": "HIPAA",               "full_name": "HIPAA Security Rule (45 CFR Part 164)",      "status": "comply → exceed",        "official_url": "https://www.hhs.gov/hipaa/index.html",                           "anchor": "/compliance#hipaa"},
        {"id": "iso-27002-2022", "short_name": "ISO/IEC 27002:2022",  "full_name": "Information Security Controls — Reference",  "status": "comply-selective",       "official_url": "https://www.iso.org/standard/75652.html",                        "anchor": "/compliance#iso-27002-2022"},
        {"id": "iso-27017",      "short_name": "ISO/IEC 27017",       "full_name": "Information Security Controls for Cloud",    "status": "comply-selective",       "official_url": "https://www.iso.org/standard/43757.html",                        "anchor": "/compliance#iso-27017"},
        {"id": "eu-nis2",        "short_name": "EU NIS2",             "full_name": "NIS2 Directive (EU 2022/2555)",              "status": "comply-selective",       "official_url": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",                 "anchor": "/compliance#eu-nis2"},
        {"id": "eu-dora",        "short_name": "EU DORA",             "full_name": "Digital Operational Resilience Act",         "status": "comply-selective",       "official_url": "https://www.eiopa.europa.eu/browse/regulation-and-policy/digital-operational-resilience-act-dora_en", "anchor": "/compliance#eu-dora"},
        {"id": "eu-ai-act",      "short_name": "EU AI Act",           "full_name": "Regulation (EU) 2024/1689 on AI",            "status": "comply-selective",       "official_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",                 "anchor": "/compliance#eu-ai-act"}
      ]
    },
    {
      "id": "appsec",
      "name": "Application Security",
      "standards": [
        {"id": "owasp-asvs-v5",  "short_name": "OWASP ASVS v5",       "full_name": "Application Security Verification Standard", "status": "comply",                 "official_url": "https://owasp.org/www-project-application-security-verification-standard/", "anchor": "/compliance#owasp-asvs-v5"},
        {"id": "owasp-top-10",   "short_name": "OWASP Top 10",        "full_name": "Top 10 Web Application Security Risks",      "status": "comply",                 "official_url": "https://owasp.org/www-project-top-ten/",                         "anchor": "/compliance#owasp-top-10"}
      ]
    }
  ]
}
