Compliance mapping
Read this first — what a library can and can't do
No software package is "SOC 2 certified" or "ISO 27001 certified." Those
certify an organization's management system and a service's operation — people,
process, and evidence over time — not source code. HIPAA and PCI-DSS likewise apply
to entities handling PHI or cardholder data, not to a dependency.
What Cbox ID does is provide the technical controls those frameworks require,
implemented correctly and testably, plus the evidence artifacts (audit logs, an
SBOM, a conformance matrix, a threat model) an auditor asks for. It moves a large
part of the control burden off your plate — but you, the operator, still own the
organizational controls (policies, training, vendor management, retention
schedules, incident response, a DPIA, and an actual audit).
So the honest framing: adopting Cbox ID puts the identity-and-access,
cryptography, and audit-logging controls of these frameworks "in scope and
satisfied" at the technical layer. The tables below map each framework's relevant
requirements to the feature that addresses it, and end with what remains yours.
SOC 2 (Trust Services Criteria)
| TSC |
Requirement |
Cbox ID control |
| CC6.1 |
Logical access controls |
RBAC, relationship/entitlement authorization, deny-by-default tenant isolation |
| CC6.1 |
Encryption of credentials/keys at rest |
XChaCha20-Poly1305 AEAD for all secrets; signing keys sealed |
| CC6.2 |
Registration & authorization of users |
Explicit provisioning, SCIM, invitation flow; no silent account merge |
| CC6.3 |
Least privilege / role changes |
Roles + permissions, org-scoped, cross-tenant write guard |
| CC6.6 |
Authentication (MFA) |
Passwords (breach-screened), TOTP (replay-safe), WebAuthn/passkeys (UV-enforced), step-up |
| CC6.7 |
Transmission protection |
Bearer over TLS; HSTS; SSRF-guarded webhooks; SAML/OIDC signature verification |
| CC6.8 |
Prevent unauthorized software |
SBOM, dependency audit, license gate in CI |
| CC7.1–7.2 |
Monitoring / anomaly detection |
Hash-chained audit log (framework); request risk-scoring is an app-layer add-on (e.g. cboxdk/laravel-risk, shipped by the host app — not this package) |
| CC7.2 |
Security event logging |
Audit trail of auth, provisioning, key, and admin events |
| CC8.1 |
Change management |
Signed commits, CI gates, conventional commits, CHANGELOG |
ISO/IEC 27001:2022 (Annex A controls)
| Annex A |
Control |
Cbox ID |
| A.5.15–5.18 |
Access control, identity, authentication |
RBAC, provisioning, MFA, session management |
| A.8.2 / A.8.3 |
Privileged & information access rights |
Owner/admin roles, step-up ("sudo") re-auth, org scoping |
| A.8.5 |
Secure authentication |
Passkeys (phishing-resistant), TOTP, breach-screened passwords |
| A.8.24 |
Use of cryptography |
Crypto kernel: alg allow-list (RFC 8725), AEAD at rest, key rotation |
| A.8.15 |
Logging |
Tamper-evident, hash-chained audit log with signed checkpoints |
| A.8.16 |
Monitoring activities |
Auditable security events (framework); risk-scoring pipeline at the app layer (add-on) |
| A.5.23 |
Cloud service security |
Self-hostable; no data leaves your infrastructure |
| A.8.8 |
Management of technical vulnerabilities |
composer audit, Dependabot, SAST, SBOM in CI |
| A.8.28 |
Secure coding |
PHPStan max, Pint, tests against real vectors, honest-crypto stance |
NIS2 Directive (Art. 21 measures)
| Art. 21(2) measure |
Cbox ID |
| (a) risk analysis & security policies |
threat model + this mapping give the technical basis |
| (d) supply-chain security |
SBOM (CycloneDX), pinned deps, license + vuln gates |
| (g) basic cyber hygiene / access control |
MFA, RBAC, least privilege, step-up |
| (h) cryptography |
Crypto kernel, key rotation, sealed secrets |
| (i) HR security / access control |
provisioning + immediate deprovision (SCIM revokes sessions) |
| (j) MFA & secured comms |
passkeys/TOTP; signed/verified federation; HSTS |
| incident handling / reporting |
audit trail + security event log as forensic evidence |
GDPR (data protection by design)
| Article |
Requirement |
Cbox ID |
| Art. 25 |
Data protection by design & default |
deny-by-default tenancy, minimal token claims, self-hosted |
| Art. 32 |
Security of processing |
AEAD at rest, MFA, alg allow-list, audit log, SSRF/rate-limit defenses |
| Art. 30 |
Records of processing |
audit trail of identity/access events |
| Art. 33 |
Breach detection & notification |
tamper-evident log surfaces anomalies for your 72h clock (plus app-layer risk-scoring, if added) |
| Art. 22 |
Automated decisions |
applies at the app layer, not this framework — if the host adds risk-scoring (e.g. cboxdk/laravel-risk) it is explainable (reasons breakdown) and ships in monitor mode; see that package's docs |
| Art. 17 |
Right to erasure |
opaque subject model — the platform holds no PII it can't delete via your resolver |
HIPAA Security Rule (§164.312 technical safeguards)
| Safeguard |
Cbox ID |
| §164.312(a)(1) Access control |
RBAC, unique user identity, tenant isolation |
| §164.312(a)(2)(i) Unique user ID |
opaque per-subject id |
| §164.312(a)(2)(iii) Automatic logoff |
absolute + idle session timeout |
| §164.312(b) Audit controls |
hash-chained audit log |
| §164.312(c) Integrity |
signed checkpoints detect tampering; JWT signature verification |
| §164.312(d) Person/entity authentication |
MFA, passkeys, breach-screened passwords |
| §164.312(e) Transmission security |
TLS bearer, HSTS, signed federation assertions |
PCI-DSS v4.0 (relevant requirements)
| Requirement |
Cbox ID |
| Req 3/4 — protect & encrypt data |
AEAD-sealed secrets; TLS transmission; no secret ever logged |
| Req 6 — secure development |
CI gates, SAST, dependency scanning, SBOM |
| Req 7 — restrict access by need-to-know |
RBAC, least privilege, deny-by-default |
| Req 8 — identify & authenticate |
unique IDs, MFA (8.4), strong password + breach screen (8.3), session mgmt |
| Req 8.3.6 |
password length/complexity |
| Req 10 — log & monitor |
tamper-evident audit log of all access to auth systems |
| Req 11 — test security |
tests vs real vectors; pen-test cadence is the operator's to schedule |
What remains yours (the organizational controls)
The package cannot supply these — they are process, not code:
- Policies & governance: infosec policy, access-review cadence, onboarding/offboarding, vendor management.
- Data retention & DPIA: define retention for audit logs (and risk data, if you add app-layer risk-scoring); run a Legitimate Interest Assessment / DPIA (GDPR).
- Incident response: a documented plan, breach-notification workflow, and the NIS2/GDPR reporting timelines.
- Independent assurance: a SOC 2 audit, ISO 27001 certification, HIPAA risk assessment, or PCI ROC/SAQ — performed by an assessor against your running system.
- Penetration testing: schedule and act on a recurring third-party test.
- Physical & network controls: hosting, egress control (the complete SSRF answer), backups, key custody of the crypto master key.
Evidence Cbox ID hands your auditor
- This mapping and the standards conformance matrix.
- The security model and threat model.
- A machine-readable CycloneDX SBOM and a passing dependency/license/vuln gate.
- A tamper-evident audit trail exportable as forensic evidence.
- Config that is secure by default (MFA available, breach screen on, deny-by-default).