Research surface — multi-sector compliance posture

How the research wizard, simulation engine, surveillance pipeline, and signed evidence bundles map onto common regulatory and industry frameworks. This is a working document — each row links to the source file or HTTP route that backs the claim.

Honest disclaimer

This matrix describes how the research surface of Maestro Midcore can support common controls when self-hosted by a covered organisation.

No claim of certification is made for the open-source distribution itself; certifications attach to specific deployments and operators.

Customers operating in regulated environments (life sciences, healthcare, federal) remain responsible for their own validation, qualification, and audit documentation.

Need a specific certification mapped to your deployment? Open an issue or contact us via /contact.

Control	Posture	Notes	Evidence
Art. 30 Records of processing activities	Partial	Per-tenant audit ledger captures research activity with hash chain; customers must still maintain their RoPA inventory.	`services/autonomy/research_audit_ledger.py`
Art. 6/7 Lawful basis & informed consent	Control present	Survey/surveillance flows persist a versioned consent payload (purpose, legal basis, retention class) with explicit withdrawal endpoint.	`services/autonomy/research_consent.py` `/api/v1/research/consent/grant` `/api/v1/research/consent/withdraw`
Art. 17 Right to erasure	Partial	Withdrawal endpoint marks consent as withdrawn; full data erasure across artifacts requires customer-driven sweeper configuration.	`services/autonomy/research_consent.py`
Art. 32 Security of processing	Control present	Ed25519-signed exports + hash-chained audit ledger + SSRF-hardened HTTP egress for reference adapters.	`services/autonomy/research_export_signing.py` `services/autonomy/research_safe_http.py` `services/autonomy/research_audit_ledger.py`

SOC 2 (TSC 2017)

Control	Posture	Notes	Evidence
CC6.1 Logical access controls	Control present	All research write routes require billable tenant membership + auth dependency.	`services/autonomy/routes.py`
CC7.2 System monitoring & anomaly detection	Control present	Audit ledger middleware records every research write with status, actor, tenant; verify_chain() exposes integrity status.	`services/autonomy/research_audit_middleware.py` `GET /api/v1/research/audit/ledger`
CC7.3 Incident response	Partial	Platform emits structured audit + Prometheus metrics; runbooks and on-call are customer-owned.	—

ISO/IEC 27001:2022

Control	Posture	Notes	Evidence
A.8.16 Monitoring activities	Control present	Hash-chained audit ledger + signed records.	`services/autonomy/research_audit_ledger.py`
A.8.32 Change management	Partial	Two-person review available via /research/sign; CI/CD configuration is customer-owned.	`services/autonomy/research_esignature.py`

FedRAMP Moderate

Control	Posture	Notes	Evidence
AU-2 Audit events	Control present	Every research mutation is captured in the signed ledger with actor, tenant, action, status.	`services/autonomy/research_audit_middleware.py`
AU-9 Protection of audit information	Control present	Ed25519 signatures + SHA-256 hash chain; tampering is detectable via verify_chain().	`services/autonomy/research_audit_ledger.py`
SC-7 Boundary protection	Partial	safe_http policy blocks SSRF egress to private IPs and non-allow-listed hosts; perimeter firewalling is customer-owned.	`services/autonomy/research_safe_http.py`
CM-3 Configuration change control	Design-only	Roadmap: emit ledger events for configuration writes; today only application writes are ledgered.	—

21 CFR Part 11

Control	Posture	Notes	Evidence
§11.10 Controls for closed systems	Partial	System validation is customer-owned; platform provides audit trails, e-signatures, access controls, and reproducibility fingerprints.	`services/autonomy/research_reproducibility.py` `services/autonomy/research_audit_ledger.py`
§11.50 Signature manifestations	Control present	Each e-signature record carries printed name, date/time, and meaning of the signature.	`services/autonomy/research_esignature.py`
§11.70 Signature/record linking	Control present	Signatures are bound to artifact_sha256_hex and signed with Ed25519; cannot be excised without invalidation.	`services/autonomy/research_esignature.py`
§11.200 Electronic signature components	Control present	Signing requires re-authentication evidence (reauth_method, reauth_at) and unique user identification.	`services/autonomy/research_esignature.py`

HIPAA Security Rule

Control	Posture	Notes	Evidence
§164.312(a) Access control	Partial	Tenant + billing + auth dependency on every research write; PHI lifecycle policies remain customer-owned.	—
§164.312(b) Audit controls	Control present	Signed, hash-chained research audit ledger.	`services/autonomy/research_audit_ledger.py`

FERPA (20 U.S.C. §1232g)

Control	Posture	Notes	Evidence
34 CFR §99.31 Permitted disclosures — studies for institutions	Partial	Tenant scoping + audit ledger record disclosures; studies-exception agreements (use, redisclosure prohibition, destruction schedule) remain customer-owned.	`services/autonomy/research_audit_ledger.py` `services/autonomy/research_consent.py`
34 CFR §99.32 Recordation of disclosures	Control present	Every research artifact disclosure (export, share, sign) is appended to the hash-chained ledger with actor, tenant, timestamp, and request/response hash.	`services/autonomy/research_audit_middleware.py`
34 CFR §99.33 Limits on redisclosure	Partial	Signed RO-Crate exports embed the lawful-basis declaration; downstream redisclosure controls remain a customer policy concern.	`services/autonomy/research_export_rocrate.py`

Pharmacovigilance (ICH E2B / GVP)

Control	Posture	Notes	Evidence
ICH E2B(R3) Individual case safety report (ICSR) integrity	Partial	Surveillance assess captures structured signal records and persists them under per-tenant audit; ICSR import/export adapters are customer-owned today.	`services/autonomy/surveillance_orchestration_engine.py` `services/autonomy/research_audit_ledger.py`
EU GVP Module VI Collection & management of safety reports	Partial	Surveillance start enforces a versioned consent block + retention class; e-signature (21 CFR §11.50/§11.70) is reused for case sign-off.	`services/autonomy/research_consent.py` `services/autonomy/research_esignature.py`
EU GVP Module III Pharmacovigilance system inspections	Control present	Hash-chained audit ledger with verify_chain CLI provides the inspection-grade trail an inspector can walk end-to-end.	`services/autonomy/research_audit_ledger.py` `services/autonomy/scripts/verify_research_bundle.py`

FAIR Data Principles

Control	Posture	Notes	Evidence
F1-F4 Findability	Control present	Every signed export is RO-Crate 1.1 with stable identifiers; sitemap + JSON-LD exposes research surfaces.	`services/autonomy/research_export_rocrate.py` `apps/web/components/public/JsonLd.tsx`
A1-A2 Accessibility	Partial	Self-hosted platform exposes RO-Crate downloads; long-term archival is customer-owned.	`services/autonomy/research_export_rocrate.py`
I1-I3 Interoperability	Control present	ORCID, ROR, DataCite, Crossref, Semantic Scholar adapters; reproducibility fingerprint as JSON Schema.	`services/autonomy/research_reference_adapters.py` `services/autonomy/schemas/research_run_inputs.json`
R1.1 Reusability — clear license	Partial	Customers must declare licence per export; platform ships license metadata in RO-Crate when supplied.	—

EU AI Act (research provisions)

Control	Posture	Notes	Evidence
Art. 2(8) Research exemption — pre-deployment	Design-only	Platform supports the recordkeeping that supports research-exemption claims; legal classification is customer-owned.	—
Annex IV Technical documentation — model cards	Control present	Reproducibility fingerprint persists Python version, lockfile SHA, model card id, git revision, platform.	`services/autonomy/research_reproducibility.py`