Shielda — Compliance & Data Handling

_Last updated: 2026-04-18 (FIX-18 baseline)_

This document summarises where Shielda stands on the major compliance frameworks, what data we handle, and how we isolate customer environments from one another.

📋 Framework Status

| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | In-progress (evidence ~70%) | Q3 2026 |
| SOC 2 Type II | Planned (6-month window) | Q1 2027 |
| ISO 27001 | Gap-analysis complete | 2027 |
| GDPR (EU data) | DPA available on request | ✅ live |
| HIPAA | Supported via BAA add-on | On request |
| PCI-DSS | Out of scope (we do not store cardholder data) | — |

Live status + evidence artifacts: see https://trust.shielda.io (provisioned in infra/STATUS.md).

🗄️ Data We Store (Control Plane)

| Category | Purpose | Retention |
|---|---|---|
| User identity (Auth0 sub) | Authentication | Life of account |
| Org / billing metadata | Tenancy, invoicing | 7 years (tax) |
| Findings (normalized) | Core product | Customer-set |
| Scan telemetry | Trend lines, dashboards | 90 days default |
| Audit log | Compliance evidence | 400 days |
| LLM prompts/responses | Opt-in, encrypted, 30-day TTL | 30 days |

🚫 Data We Do Not Store

- Raw tool output: scanners run in customer environments; only normalized findings traverse our API (see agent/internal/cpapi redaction — FIX-19).
- Customer source code: the agent analyses in place.
- Secrets / credentials: BYOK LLM keys are stored in Vault (see contract 11-vault.json) and never logged.
- Cardholder data: billing is Stripe-hosted; we receive only tokens.

🧱 Tenant Isolation

- Control plane: every query is scoped by orgid; see contract 18-tenant-provisioning.json.
- Database: logical isolation via Drizzle + org-scoped queries; no raw SQL in application code.
- Agent ↔ control plane: per-tenant bearer tokens with crypto.timingSafeEqual comparison + hashed storage.
- LLM calls: sanitizer pipeline (FIX-14) strips prompt-injection patterns before any provider call; provider is selected per-tenant (BYOK).
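
The agent token control above, sketched as an added example (not Shielda's own code): only a digest of each tenant's token is stored, and verification compares fixed-length digests with `crypto.timingSafeEqual`. The in-memory `tokenHashes` store, the `issueToken`/`verifyToken` names, the header pattern and the choice of unsalted SHA-256 (reasonable for 256-bit random tokens) are assumptions.

```javascript
// Added example, not Shielda code: per-tenant bearer token check with
// hashed storage and a constant-time comparison.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Constructed in-memory stand-in for the token table: orgId -> SHA-256 digest.
const tokenHashes = new Map();

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Issue a token: the plaintext is returned once, only its digest is kept.
function issueToken(orgId) {
  const token = randomBytes(32).toString('base64url'); // 256 bits of entropy
  tokenHashes.set(orgId, sha256(token));
  return token;
}

// Verify a presented Authorization header against the digest stored for orgId.
function verifyToken(orgId, authorizationHeader) {
  const m = /^Bearer ([A-Za-z0-9_-]{1,256})$/.exec(authorizationHeader || '');

  // Hash on every path (malformed header, unknown org) so all requests do
  // the same work before the decision is made.
  const presented = sha256(m ? m[1] : '');
  const stored = tokenHashes.get(orgId) || Buffer.alloc(32);

  // timingSafeEqual throws if the buffers differ in length. Comparing
  // digests rather than raw tokens guarantees both are always 32 bytes,
  // whatever length the caller sent.
  const match = timingSafeEqual(presented, stored);

  // The lookup is keyed by orgId, so a valid token for one tenant never
  // verifies against another tenant's record.
  return Boolean(m) && tokenHashes.has(orgId) && match;
}
```
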

🛠 Customer Controls

- Data export: /api/v1/billing/export-data returns a CSV snapshot of a customer's org within 72 h of request.
- Data deletion: on account closure, all tenant rows are soft-deleted immediately and hard-deleted within 30 days; audit-log entries are retained per regulatory requirement.
- Region pinning: enterprise customers can request EU-only residency (separate deployment cluster).

🔗 Related

- SECURITY.md — vulnerability disclosure.
- TELEMETRYPOLICY.md — exactly what we transmit.
- DISASTERRECOVERY.md — RTO/RPO.
- ARCHITECTURE.md — system design.