Research surface — multi-sector compliance posture
How the research wizard, simulation engine, surveillance pipeline, and signed evidence bundles map onto common regulatory and industry frameworks. This is a working document — each row links to the source file or HTTP route that backs the claim.
Honest disclaimer
This matrix describes how the research surface of Maestro Midcore can support common controls when self-hosted by a covered organisation.
No claim of certification is made for the open-source distribution itself; certifications attach to specific deployments and operators.
Customers operating in regulated environments (life sciences, healthcare, federal) remain responsible for their own validation, qualification, and audit documentation.
Need a specific certification mapped to your deployment? Open an issue or contact us via /contact.
GDPR
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| Art. 30 Records of processing activities | Partial | Per-tenant audit ledger captures research activity in a hash chain; customers must still maintain their own RoPA inventory. | |
| Art. 6/7 Lawful basis & informed consent | Control present | Survey/surveillance flows persist a versioned consent payload (purpose, legal basis, retention class) with an explicit withdrawal endpoint. | |
| Art. 17 Right to erasure | Partial | Withdrawal endpoint marks consent as withdrawn; erasure of the data across all artifacts requires customer-configured sweeper jobs. | |
| Art. 32 Security of processing | Control present | Ed25519-signed exports, hash-chained audit ledger, and SSRF-hardened HTTP egress for the reference adapters. | |
SOC 2 (TSC 2017)
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| CC6.1 Logical access controls | Control present | All research write routes require billable tenant membership plus the auth dependency. | |
| CC7.2 System monitoring & anomaly detection | Control present | Audit ledger middleware records every research write with status, actor, and tenant; verify_chain() reports chain integrity. | |
| CC7.3 Incident response | Partial | Platform emits structured audit + Prometheus metrics; runbooks and on-call are customer-owned. | — |
ISO/IEC 27001:2022
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| A.8.16 Monitoring activities | Control present | Hash-chained, signed audit ledger. | |
| A.8.32 Change management | Partial | Two-person review available via /research/sign; CI/CD configuration is customer-owned. | |
FedRAMP Moderate
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| AU-2 Audit events | Control present | Every research mutation is captured in the signed ledger with actor, tenant, action, and status. | |
| AU-9 Protection of audit information | Control present | Ed25519 signatures over a SHA-256 hash chain; tampering is detectable via verify_chain(). | |
| SC-7 Boundary protection | Partial | safe_http policy blocks egress to private IP ranges and to hosts outside the allow-list (SSRF hardening); perimeter firewalling is customer-owned. | |
| CM-3 Configuration change control | Design-only | Roadmap: emit ledger events for configuration writes; today only application writes are ledgered. | — |
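The SC-7 row (and the GDPR Art. 32 row) lean on the safe_http egress policy. The block below is an added example written for this page, not the project's safe_http code, showing the shape such a policy takes: scheme allow-list, host allow-list, rejection of credentials in the URL, and a public-address test applied to every resolved answer, including IPv4-mapped IPv6 and the link-local metadata range. Function, parameter and host names are assumptions, and DNS resolution is injected so the check runs offline on constructed answers.

```python
"""Egress policy check of the kind the matrix calls safe_http.

Added example for this page, not the project's safe_http code; function,
parameter and host names are assumptions. DNS resolution is injected so
the check runs offline on constructed answers.
"""
import ipaddress
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # not flagged is_private by ipaddress


def is_public(ip: IPAddr) -> bool:
    """True only for addresses an outbound adapter request may reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_egress(url: str, allowed_hosts: Iterable[str],
                 resolve: Callable[[str], list]) -> tuple:
    """Return (allowed, reason). Every branch fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname                     # lower-cased, brackets stripped
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not permitted"
    host = host.rstrip(".")
    if host not in {h.lower().rstrip(".") for h in allowed_hosts}:
        return False, f"host {host!r} not on allow-list"
    try:                                      # literal IP: judge it directly, no DNS
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            ips = [ipaddress.ip_address(a) for a in resolve(host)]
        except (ValueError, OSError) as exc:
            return False, f"resolution of {host!r} failed: {exc}"
        if not ips:
            return False, f"host {host!r} did not resolve"
    # Every answer must be public: one private record inside a mixed answer
    # is the classic split-answer / rebinding trick.
    for ip in ips:
        if not is_public(ip):
            return False, f"host {host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS answers for the demo; none of these are real records.
FAKE_DNS = {
    "api.example-registry.org": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.net": ["169.254.169.254"],
    "mapped.example.net": ["::ffff:127.0.0.1"],
}
ALLOW = set(FAKE_DNS) | {"10.0.0.8"}         # an allow-listed host is still IP-checked


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def demo() -> dict:
    urls = [
        "https://api.example-registry.org/works?rows=1",
        "https://rebind.example.net/",
        "http://metadata.example.net/latest/meta-data/",
        "https://mapped.example.net/",
        "https://10.0.0.8/admin",
        "https://api.example-registry.org@evil.example.org/",
        "https://evil.example.org/",
        "file:///etc/passwd",
    ]
    return {u: check_egress(u, ALLOW, fake_resolve) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5s} {url}  ({why})")
```

Two caveats a deployment still has to cover: the address that passed the check must be the one actually connected to (resolve once, connect to that IP, set the Host header yourself), otherwise a second lookup at connect time reopens the rebinding window; and every redirect target needs to go back through check_egress before it is followed.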
21 CFR Part 11
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| §11.10 Controls for closed systems | Partial | System validation is customer-owned; platform provides audit trails, e-signatures, access controls, and reproducibility fingerprints. | |
| §11.50 Signature manifestations | Control present | Each e-signature record carries the printed name, date/time, and meaning of the signature. | |
| §11.70 Signature/record linking | Control present | Each signature is bound to the artifact's artifact_sha256_hex and signed with Ed25519; it cannot be removed or altered without invalidating the chain. | |
| §11.200 Electronic signature components | Control present | Signing requires re-authentication evidence (reauth_method, reauth_at) and unique user identification. | |
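The ledger claims above (CC7.2 and AU-9, where verify_chain() reports integrity, and §11.70, where a signature bound into the chain cannot be excised without invalidation) come down to one data structure. The following is an added example written for this page, not Maestro Midcore's own ledger code: a SHA-256 hash chain whose records carry a signature over the record hash, plus a verify_chain() that reports the first fault it finds. The page's ledger signs with Ed25519; this stand-alone version substitutes HMAC-SHA256 so it runs on the Python standard library alone, and every record field and function name is an assumption.

```python
"""Hash-chained, signed audit ledger with verify_chain().

Added example for this page, not Maestro Midcore's own code. Field and
function names are assumptions. The page's ledger uses Ed25519; this
stdlib-only version signs with HMAC-SHA256 as a stand-in.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Any

GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so equal records always hash equal.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _body(rec: dict) -> dict:
    return {k: v for k, v in rec.items() if k not in ("hash", "sig")}


@dataclass
class Ledger:
    key: bytes                        # stand-in for the Ed25519 signing key
    records: list = field(default_factory=list)

    def append(self, actor: str, tenant: str, action: str,
               status: int, payload: dict) -> dict:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev_hash": prev_hash,
                "actor": actor, "tenant": tenant, "action": action,
                "status": status, "payload": payload}
        rec_hash = hashlib.sha256(_canonical(body)).hexdigest()
        # The signature covers the hash and the hash covers prev_hash, so a
        # record is valid only at one position in one particular chain.
        sig = hmac.new(self.key, rec_hash.encode(), hashlib.sha256).hexdigest()
        record = {**body, "hash": rec_hash, "sig": sig}
        self.records.append(record)
        return record

    def verify_chain(self) -> tuple:
        """Walk the chain from genesis; return (ok, reason) for the first fault."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i:
                return False, f"record {i}: seq {rec.get('seq')} != {i} (record inserted or removed)"
            if rec.get("prev_hash") != prev_hash:
                return False, f"record {i}: prev_hash does not match record {i - 1}"
            if hashlib.sha256(_canonical(_body(rec))).hexdigest() != rec.get("hash"):
                return False, f"record {i}: body does not match stored hash"
            want = hmac.new(self.key, rec["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(want, rec.get("sig", "")):
                return False, f"record {i}: signature invalid"
            prev_hash = rec["hash"]
        return True, "ok"


def demo() -> dict:
    """Build a three-record ledger, then apply three tampering attempts to copies."""
    ledger = Ledger(key=b"constructed-demo-key")
    artifact = "ab" * 32                      # constructed artifact_sha256_hex
    ledger.append("alice", "tenant-a", "research.export", 200,
                  {"artifact_sha256_hex": artifact})
    ledger.append("bob", "tenant-a", "research.sign", 200,
                  {"artifact_sha256_hex": artifact, "printed_name": "Bob Example",
                   "meaning": "Reviewed", "reauth_method": "password",
                   "reauth_at": "2024-01-01T00:00:00Z"})
    ledger.append("alice", "tenant-a", "research.delete", 403, {})
    out = {"intact": ledger.verify_chain()}

    edited = copy.deepcopy(ledger)            # 1. change a field in place
    edited.records[1]["status"] = 403
    out["edited"] = edited.verify_chain()

    excised = copy.deepcopy(ledger)           # 2. remove the signature record
    del excised.records[1]
    out["excised"] = excised.verify_chain()

    rehashed = copy.deepcopy(ledger)          # 3. edit the last record and
    rec = rehashed.records[2]                 #    recompute its hash; without
    rec["status"] = 200                       #    the key the signature fails
    rec["hash"] = hashlib.sha256(_canonical(_body(rec))).hexdigest()
    out["rehashed"] = rehashed.verify_chain()
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} ok={ok}  {why}")
```

The three cases are the ones an auditor cares about: an in-place edit breaks the stored hash, removing a record breaks the sequence and the next record's prev_hash, and an edit followed by re-hashing breaks the signature. With Ed25519 in place of the shared HMAC key, the verifier needs only the public key, which is what lets a third party check an exported ledger without being able to forge one.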
HIPAA Security Rule
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| §164.312(a) Access control | Partial | Tenant + billing + auth dependency on every research write; PHI lifecycle policies remain customer-owned. | — |
| §164.312(b) Audit controls | Control present | Signed, hash-chained research audit ledger. | |
FERPA (20 U.S.C. §1232g)
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| 34 CFR §99.31 Permitted disclosures — studies for institutions | Partial | Tenant scoping and the audit ledger record disclosures; studies-exception agreements (use, redisclosure prohibition, destruction schedule) remain customer-owned. | |
| 34 CFR §99.32 Recordation of disclosures | Control present | Every research artifact disclosure (export, share, sign) is appended to the hash-chained ledger with actor, tenant, timestamp, and request/response hash. | |
| 34 CFR §99.33 Limits on redisclosure | Partial | Signed RO-Crate exports embed the lawful-basis declaration; downstream redisclosure controls remain a customer policy concern. | |
Pharmacovigilance (ICH E2B / GVP)
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| ICH E2B(R3) Individual case safety report (ICSR) integrity | Partial | Surveillance assess captures structured signal records and persists them under the per-tenant audit ledger; ICSR import/export adapters are customer-owned today. | |
| EU GVP Module VI Collection & management of safety reports | Partial | Surveillance start enforces a versioned consent block and retention class; the e-signature flow (21 CFR §11.50/§11.70) is reused for case sign-off. | |
| EU GVP Module III Pharmacovigilance system inspections | Control present | Hash-chained audit ledger plus the verify_chain CLI give an inspector a trail that can be walked end-to-end. | |
FAIR Data Principles
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| F1-F4 Findability | Control present | Every signed export is an RO-Crate 1.1 package with stable identifiers; sitemap and JSON-LD expose the research surfaces. | |
| A1-A2 Accessibility | Partial | Self-hosted platform exposes RO-Crate downloads; long-term archival is customer-owned. | |
| I1-I3 Interoperability | Control present | ORCID, ROR, DataCite, Crossref, and Semantic Scholar adapters; reproducibility fingerprint published as a JSON Schema. | |
| R1.1 Reusability — clear license | Partial | Customers must declare licence per export; platform ships license metadata in RO-Crate when supplied. | — |
EU AI Act (research provisions)
| Control | Posture | Notes | Evidence |
|---|---|---|---|
| Art. 2(8) Research exemption — pre-deployment | Design-only | Platform provides the record-keeping that a research-exemption claim relies on; legal classification is customer-owned. | — |
| Annex IV Technical documentation — model cards | Control present | Reproducibility fingerprint persists Python version, lockfile SHA, model card id, git revision, and platform. | |