Compliance Overview¶
GE's compliance posture. Compliance is built in by construction, not retrofitted. Evidence is produced as a byproduct of how we build software — every CI check IS a compliance control.
Master reference: development/standards/compliance-framework.md — full technical details on the YAML catalog system, 5-tier classification, and evidence chain.
GDPR¶
- Data sovereignty: All data stored in EU (Frankfurt primary, Amsterdam DR)
- Infrastructure: UpCloud (Finnish company, EU-only data centers)
- CDN: Bunny.net (Slovenian company, EU-based)
- By design: Data residency is architectural, not policy-based
- Per-project: Julian handles GDPR compliance checks per client project
Framework Coverage¶
GE maintains 34 compliance framework catalogs in config/compliance-catalogs/. Tier 1 frameworks (GDPR, EU AI Act, CRA) are always in scope for EU projects.
| Standard | Status | Tier |
|---|---|---|
| GDPR | Operational | 1 (always) |
| EU AI Act | Operational (Phase 1 done, full Aug 2026) | 1 (always) |
| CRA | In progress | 1 (always) |
| ISO 27001 | Documentation complete, ready for Stage 1 audit | 3 (cert) |
| ISO 42001 | Documentation in progress | 3 (cert) |
| SOC 2 Type II | Documentation prepared, observation period ready | 3 (cert) |
| NIS2 | Ready (sector-triggered) | 2 (sector) |
| DORA | Ready (sector-triggered) | 2 (sector) |
| + 26 more | Catalogs ready, activated per project | 2-5 |
Secrets Management¶
- HashiCorp Vault for all secrets and API keys
- Vault auto-unseals via CronJob (every 2 minutes)
- AppRole authentication for service-to-service access
- No secrets in environment variables, git, or config files
- Vault unseal keys at
/home/claude/ge-bootstrap/vault.keys(host file, never committed)
See Vault patterns for security patterns.
Accessibility¶
- WCAG compliance built by default in all client projects
- Floris/Floor (frontend developers) enforce accessibility standards
- Automated testing in CI pipeline
Infrastructure Security¶
- k3s with network policies between namespaces
- TLS everywhere (Let's Encrypt via cert-manager)
- Traefik ingress with security headers
- Container security policies per agent (
config/agent-container-policy.yaml)
Agent Security¶
- Cost gates: $5/session, $10/agent/hr, $100/day system limits
- Trust policy:
config/trust-policy.yamldefines agent permissions - Hook isolation: Monitoring agents cannot trigger each other
- HALT system: Emergency stop for all agent activity
Compliance Agents¶
| Agent | Responsibility |
|---|---|
| Julian | GDPR/compliance per project |
| Victoria | Security scanning |
| Piotr | Secrets management (Vault) |
| Pol | Penetration testing |
| Ron | Constitution enforcement |