Compliance Overview¶
GE's compliance posture. Compliance is built in by design, not retrofitted.
GDPR¶
- Data sovereignty: all data is stored in the EU (Frankfurt primary, Amsterdam DR)
- Infrastructure: UpCloud (Finnish company); GE uses only its EU data centers
- CDN: Bunny.net (Slovenian company, EU-based). A CDN caches content at its edge locations, so the residency claim holds for cached copies only while each pull zone is restricted to EU edge regions
- By design: data residency is architectural, not policy-based
- Per-project: Julian handles GDPR compliance checks for each client project
Security Certifications¶
| Standard | Status | Target |
|---|---|---|
| ISO 27001 | Not yet certified | In progress |
| SOC 2 Type II | Not yet certified | Planned |
These are targets — GE is building to these standards but formal certification is pending.
Secrets Management¶
- HashiCorp Vault for all secrets and API keys
- Auto-unseal: a CronJob runs every 2 minutes and unseals Vault whenever it finds it sealed, so Vault can be unavailable for up to 2 minutes after a restart
- AppRole authentication for service-to-service access
- No secrets in environment variables, git, or config files
- Vault unseal keys at `/home/claude/ge-bootstrap/vault.keys` (host file, never committed). Because the keys sit in a plaintext file on the same host as the job that uses them, the seal protects against loss of the storage backend on its own, not against compromise of that host; the file's permissions and the host's access controls carry that weight
See Vault patterns for security patterns.
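The rule that no secrets land in git or config files is only as good as the check that enforces it. The scanner below is an added example written for this page, not GE's own tooling or Victoria's scanning setup: it flags well-known credential formats (AWS access key IDs, GitHub personal access tokens, Vault `hvs.` service tokens, PEM private-key headers) by signature, and catches generic long, high-entropy values assigned to secret-looking keys. The sample file contents are constructed (placeholders and a public documentation example, no live credentials), and the entropy threshold and minimum value length are tunable assumptions.

```python
"""Pre-commit secret scanner (added example; not GE's own tooling).

Flags two classes of findings in text about to be committed:
  1. Signature matches for well-known credential formats.
  2. Long, high-entropy values assigned to secret-looking keys.
Signature matches take precedence so each line is reported once.
"""
import math
import re
import sys
from collections import Counter

# Public, documented credential formats. The category names are ours.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "vault_service_token": re.compile(r"\bhvs\.[A-Za-z0-9_-]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# `<anything>secret|token|password|api_key<anything> = value` where the value
# is a long opaque token; the value may be quoted or bare, `=` or `:` separated.
ASSIGNMENT = re.compile(
    r"(?i)[\w.-]*(?:secret|token|password|passwd|api[_-]?key)[\w.-]*"
    r"\s*[:=]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-.]{20,})['\"]?"
)

# Assumed threshold: random hex sits near 4.0 bits/char, random base64 near
# 5.0, English-like placeholders ("changeme_...") usually below 3.5.
ENTROPY_THRESHOLD = 3.7


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, lineno: int) -> list:
    """Return (lineno, category) findings for one line; signatures win."""
    hits = [(lineno, name) for name, pat in SIGNATURES.items() if pat.search(line)]
    if hits:
        return hits
    m = ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
        return [(lineno, "high_entropy_assignment")]
    return []


def scan_text(text: str) -> list:
    """Scan a whole file body; returns findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample: placeholders and AWS's public doc example key only.
SAMPLE = """# constructed sample, nothing here is a live credential
DATABASE_URL=postgres://app@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
VAULT_TOKEN=hvs.CAESIExampleExampleExample1234
api_key = "a1B2c3D4e5F6g7H8i9J0kLmN"
password = "changeme_changeme_changeme"
github_token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Hook usage (assumed wiring): scan_secrets.py $(git diff --cached --name-only)
    paths = sys.argv[1:]
    if paths:
        blobs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    else:
        blobs = [("<sample>", SAMPLE)]
    bad = 0
    for path, text in blobs:
        for lineno, category in scan_text(text):
            print(f"{path}:{lineno}: {category}")
            bad += 1
    sys.exit(1 if bad else 0)
```

Run without arguments it scans the constructed sample and exits non-zero, which is the behaviour a pre-commit hook needs; the `password = "changeme_..."` line is deliberately left unflagged to show that the entropy check separates placeholders from real-looking tokens. The entropy path exists to catch formats no signature knows about; tune the threshold against your own repositories rather than treating 3.7 as settled.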
Accessibility¶
- WCAG compliance built by default in all client projects
- Floris/Floor (frontend developers) enforce accessibility standards
- Automated testing in CI pipeline
Infrastructure Security¶
- k3s with network policies between namespaces
- TLS everywhere (Let's Encrypt via cert-manager)
- Traefik ingress with security headers
- Container security policies per agent (`config/agent-container-policy.yaml`)
Agent Security¶
- Cost gates: $5 per session, $10 per agent per hour, $100 per day system-wide
- Trust policy: `config/trust-policy.yaml` defines agent permissions
- Hook isolation: monitoring agents cannot trigger each other
- HALT system: Emergency stop for all agent activity
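The cost gates above are stated as numbers; how they compose matters just as much: which check wins when several are exceeded, and what happens to spend that straddles an hour boundary. The following is an added example, not GE's cost-gate implementation. `CostGate`, its method names, and the assumptions that the hourly and daily limits are sliding windows and that an action must be authorized with an estimated cost before it runs are all mine; the agent names in `demo()` are taken from the compliance-agent table below.

```python
"""Agent cost gate (added example; not GE's own implementation).

Enforces the three limits named on this page before an agent action runs:
  $5 per session, $10 per agent per hour, $100 per day system-wide,
plus a HALT switch that denies everything until cleared. Assumed semantics:
the hourly and daily limits are sliding windows; callers authorize with an
estimated cost before spending and record the actual cost afterwards.
"""
import time
from collections import defaultdict, deque

SESSION_LIMIT_USD = 5.00
AGENT_HOURLY_LIMIT_USD = 10.00
SYSTEM_DAILY_LIMIT_USD = 100.00
HOUR = 3600
DAY = 86400


class CostGate:
    def __init__(self, clock=time.time):
        # Injectable clock so the window logic can be exercised deterministically.
        self.clock = clock
        self.session_spend = defaultdict(float)   # session_id -> total USD
        self.agent_events = defaultdict(deque)    # agent -> deque[(ts, usd)]
        self.system_events = deque()              # deque[(ts, usd)]
        self.halted = False

    # Emergency stop: checked first, so it overrides every budget.
    def halt(self):
        self.halted = True

    def resume(self):
        self.halted = False

    @staticmethod
    def _window_total(events, now, window):
        # Evict events that aged out of the window, then sum what remains.
        while events and events[0][0] <= now - window:
            events.popleft()
        return sum(usd for _, usd in events)

    def authorize(self, session_id, agent, estimated_usd):
        """Decide before spending. Returns (allowed, reason)."""
        now = self.clock()
        if self.halted:
            return False, "halt"
        if self.session_spend[session_id] + estimated_usd > SESSION_LIMIT_USD:
            return False, "session_limit"
        agent_total = self._window_total(self.agent_events[agent], now, HOUR)
        if agent_total + estimated_usd > AGENT_HOURLY_LIMIT_USD:
            return False, "agent_hourly_limit"
        system_total = self._window_total(self.system_events, now, DAY)
        if system_total + estimated_usd > SYSTEM_DAILY_LIMIT_USD:
            return False, "system_daily_limit"
        return True, "ok"

    def record(self, session_id, agent, actual_usd):
        """Book the cost actually incurred once the action has completed."""
        now = self.clock()
        self.session_spend[session_id] += actual_usd
        self.agent_events[agent].append((now, actual_usd))
        self.system_events.append((now, actual_usd))

    def spend(self, session_id, agent, usd):
        """Authorize-then-record for actions whose cost is known up front."""
        allowed, reason = self.authorize(session_id, agent, usd)
        if allowed:
            self.record(session_id, agent, usd)
        return allowed, reason


def demo():
    """Walk the gate through each limit with a fake clock; returns the decisions."""
    fake_now = [0.0]
    gate = CostGate(clock=lambda: fake_now[0])
    out = {}
    out["session_ok"] = gate.spend("s1", "victoria", 4.00)
    out["session_blocked"] = gate.spend("s1", "victoria", 1.50)        # 5.50 > 5
    out["agent_second_session"] = gate.spend("s2", "victoria", 4.00)   # agent at 8.00/hr
    out["agent_blocked"] = gate.spend("s3", "victoria", 3.00)          # 11.00 > 10
    fake_now[0] += HOUR + 1                                            # hourly window rolls over
    out["agent_after_window"] = gate.spend("s3", "victoria", 3.00)     # system total now 11.00
    for i in range(17):                                                # 17 x 5.00 -> 96.00
        gate.spend(f"d{i}", f"agent{i}", 5.00)
    out["system_blocked"] = gate.spend("d17", "agent17", 5.00)         # 101.00 > 100
    gate.halt()
    out["halted"] = gate.spend("s9", "pol", 0.01)
    gate.resume()
    out["resumed"] = gate.spend("s9", "pol", 0.01)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

Two design points worth carrying into a real implementation: HALT is evaluated before any budget so an operator's stop cannot be out-voted by remaining headroom, and authorization is separate from recording so an action that fails or costs more than estimated is still booked against the windows that matter. Per-session totals never expire because a session is a bounded unit of work, whereas the agent and system limits are rates and therefore use windows.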
Compliance Agents¶
| Agent | Responsibility |
|---|---|
| Julian | GDPR/compliance per project |
| Victoria | Security scanning |
| Piotr | Secrets management (Vault) |
| Pol | Penetration testing |
| Ron | Constitution enforcement |