{
  "@context": {
    "schema": "http://schema.org/",
    "xsd": "http://www.w3.org/2001/XMLSchema#"
  },
  "generated_at": "2026-05-24T12:00:00Z",
  "entries": [
    {
      "compliance_id": "PCI-DSS-4.2.1",
      "framework": "PCI-DSS v4.0",
      "control_id": "4.2.1",
      "control_title": "Cryptographic controls for cardholder data",
      "technical_feature": "mTLS encryption on control-plane paths",
      "security_property": "encryption-in-transit",
      "relationship": "supports",
      "claim_status": "supports",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/SECURITY.md",
        "zen-platform:docs/20-OPERATIONS/COMPLIANCE.md"
      ],
      "notes": "Supports PCI-DSS control 4.2.1 cryptographic controls for control-plane paths (mTLS) — not a PCI compliance certification.",
      "disclaimer": "Supports PCI-DSS control 4.2.1 cryptographic controls for control-plane paths (mTLS) — not a PCI compliance certification."
    },
    {
      "compliance_id": "PCI-DSS-7.2.1",
      "framework": "PCI-DSS v4.0",
      "control_id": "7.2.1",
      "control_title": "Access control system for cardholder data",
      "technical_feature": "SPIFFE identity and policy-based authorization",
      "security_property": "access-control",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/SECURITY.md"
      ],
      "notes": "Maps to PCI-DSS access control requirements — not a PCI compliance certification.",
      "disclaimer": "Maps to PCI-DSS access control requirements — not a PCI compliance certification."
    },
    {
      "compliance_id": "NIST-AC-3",
      "framework": "NIST SP 800-53 Rev5",
      "control_id": "AC-3",
      "control_title": "Access Enforcement",
      "technical_feature": "Policy-based authorization with SPIFFE identity",
      "security_property": "access-control",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/COMMITMENTS.md"
      ],
      "notes": "Maps to NIST AC-3 access enforcement — not a FedRAMP authorization claim.",
      "disclaimer": "Maps to NIST AC-3 access enforcement — not a FedRAMP authorization claim."
    },
    {
      "compliance_id": "NIST-SC-8",
      "framework": "NIST SP 800-53 Rev5",
      "control_id": "SC-8",
      "control_title": "Transmission Confidentiality and Integrity",
      "technical_feature": "mTLS with SPIFFE identity on control-plane",
      "security_property": "encryption-in-transit",
      "relationship": "supports",
      "claim_status": "supports",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/SECURITY.md"
      ],
      "notes": "Supports NIST SC-8 transmission confidentiality and integrity for control-plane traffic (mTLS with SPIFFE identity) — not a FedRAMP authorization claim.",
      "disclaimer": "Supports NIST SC-8 transmission confidentiality and integrity for control-plane traffic (mTLS with SPIFFE identity) — not a FedRAMP authorization claim."
    },
    {
      "compliance_id": "NIST-SI-7",
      "framework": "NIST SP 800-53 Rev5",
      "control_id": "SI-7",
      "control_title": "Software, Firmware, and Information Integrity",
      "technical_feature": "Merkle evidence hash chain for integrity verification",
      "security_property": "integrity",
      "relationship": "supports",
      "claim_status": "supports",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/RUNTIME_GUARANTEES_CONTRACT.md"
      ],
      "notes": "Supports NIST SI-7 information integrity — Merkle chain provides evidence integrity, not comprehensive SI-7 coverage.",
      "disclaimer": "Supports NIST SI-7 information integrity — Merkle chain provides evidence integrity, not comprehensive SI-7 coverage."
    },
    {
      "compliance_id": "SOC2-CC6.1",
      "framework": "SOC2 TSC 2023",
      "control_id": "CC6.1",
      "control_title": "Logical and Physical Access Controls",
      "technical_feature": "SPIFFE identity and mTLS for workload authentication",
      "security_property": "access-control",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/COMMITMENTS.md",
        "zen-platform:docs/20-OPERATIONS/COMPLIANCE.md"
      ],
      "notes": "Maps to SOC2 CC6.1 logical access controls — not a SOC2 certification.",
      "disclaimer": "Maps to SOC2 CC6.1 logical access controls — not a SOC2 certification."
    },
    {
      "compliance_id": "SOC2-CC7.1",
      "framework": "SOC2 TSC 2023",
      "control_id": "CC7.1",
      "control_title": "System Monitoring and Incident Response",
      "technical_feature": "Operational truth evidence buffer with ordered delivery records",
      "security_property": "monitoring",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/80-EVIDENCE/runtime/evidence_buffer_flush_execution.json"
      ],
      "notes": "Maps to SOC2 CC7.1 system monitoring — not a SOC2 certification.",
      "disclaimer": "Maps to SOC2 CC7.1 system monitoring — not a SOC2 certification."
    },
    {
      "compliance_id": "ISO-27001-A.8.1",
      "framework": "ISO/IEC 27001:2022",
      "control_id": "A.8.1",
      "control_title": "User endpoint devices",
      "technical_feature": "SPIFFE-based workload identity and mTLS",
      "security_property": "identity-and-access",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/SECURITY.md"
      ],
      "notes": "Maps to ISO 27001 A.8.1 user endpoint device controls via SPIFFE-based workload identity and mTLS — not an ISO 27001 certification.",
      "disclaimer": "Maps to ISO 27001 A.8.1 user endpoint device controls via SPIFFE-based workload identity and mTLS — not an ISO 27001 certification."
    },
    {
      "compliance_id": "ISO-27001-A.8.12",
      "framework": "ISO/IEC 27001:2022",
      "control_id": "A.8.12",
      "control_title": "Information disposal",
      "technical_feature": "Merkle-hashed evidence artifacts with ordered buffer flush",
      "security_property": "data-lifecycle",
      "relationship": "supports",
      "claim_status": "supports",
      "evidence_refs": [
        "zen-platform:docs/80-EVIDENCE/runtime/evidence_buffer_flush_execution.json"
      ],
      "notes": "Supports ISO 27001 A.8.12 information disposal controls — not an ISO 27001 certification.",
      "disclaimer": "Supports ISO 27001 A.8.12 information disposal controls — not an ISO 27001 certification."
    },
    {
      "compliance_id": "HIPAA-164.312",
      "framework": "HIPAA Security Rule",
      "control_id": "164.312(a)(1)",
      "control_title": "Access Control (e-PHI)",
      "technical_feature": "SPIFFE identity for workload authentication, policy-based authorization",
      "security_property": "access-control",
      "relationship": "maps_to",
      "claim_status": "maps_to",
      "evidence_refs": [
        "zen-platform:docs/10-ARCHITECTURE/SECURITY.md"
      ],
      "notes": "Maps to HIPAA 164.312(a)(1) access control for e-PHI — not a HIPAA business associate agreement claim.",
      "disclaimer": "Maps to HIPAA 164.312(a)(1) access control for e-PHI — not a HIPAA business associate agreement claim."
    }
  ]
}
