Compliance Mapping

AKKO provides built-in security controls that map to major compliance frameworks. This page documents how each AKKO feature aligns with SOC 2, ISO 27001, and GDPR requirements.

Not a certification

This mapping is a reference guide. Achieving formal certification requires independent auditing, policy documentation, and organizational controls beyond technical implementation.

Control Mapping Table

| AKKO Feature | SOC 2 Control | ISO 27001 | GDPR |
| --- | --- | --- | --- |
| Keycloak SSO + MFA | CC6.1 Access Control | A.9 Access Control | Art. 32 Security |
| OPA Row-Level Security | CC6.3 Logical Access | A.9.4 System Access | Art. 25 Data Protection by Design |
| pgaudit + logs layer | CC7.2 Monitoring | A.12.4 Logging | Art. 30 Records of Processing |
| object storage Audit Webhook | CC7.2 Monitoring | A.12.4 Logging | Art. 30 Records |
| Keycloak Event Log | CC7.2 Monitoring | A.12.4 Logging | Art. 5 Accountability |
| Network Policies | CC6.6 System Boundaries | A.13 Communications Security | Art. 32 Security |
| TLS Everywhere | CC6.7 Encryption | A.10 Cryptography | Art. 32 Security |
| akko_ai_pii() Function | CC8.1 Change Management | A.18 Compliance | Art. 17 Right to Erasure |
| Backup CronJobs | CC7.5 Recovery | A.12.3 Backup | Art. 32 Security |
| Helm RBAC (5 roles) | CC6.2 Role-Based Access | A.9.2 User Access | Art. 32 Security |

Encryption at Rest

PVC Encryption

Kubernetes PersistentVolumeClaims (PVCs) can be encrypted at rest by configuring the underlying storage class:

  • Cloud providers (EKS/AKS/GKE): Enable encryption on the StorageClass using the provider's KMS (e.g., AWS EBS encryption with a CMK, Azure Disk SSE, GCP CMEK).
  • Bare metal / k3s: Use LUKS-encrypted volumes or a CSI driver that supports encryption (e.g., Longhorn with encryption enabled).
  • k3d (dev): Not applicable -- local development does not require encryption at rest.

# Example: AWS EBS encrypted StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-gp3
provisioner: ebs.csi.aws.com
parameters:
  encrypted: "true"
  kmsKeyId: "arn:aws:kms:eu-west-1:123456789:key/your-key-id"
  type: gp3

PostgreSQL TDE

PostgreSQL Transparent Data Encryption (TDE) is available via:

  1. pg_tde extension (PostgreSQL 16+): Encrypts table data files at the storage level.
  2. Full-disk encryption (recommended): Encrypt the underlying PVC as described above -- this is simpler and covers WAL, temp files, and indexes.

Object Storage Server-Side Encryption (SSE)

Object storage supports SSE with an external KMS, configured here through the KES key server that MinIO uses:

# values-production.yaml
minio:
  environment:
    MINIO_KMS_KES_ENDPOINT: "https://kes.akko.local:7373"
    MINIO_KMS_KES_KEY_NAME: "akko-minio-key"

For air-gapped deployments, run KES with a Vault backend or with its built-in filesystem keystore.

Audit Log Immutability

Architecture

Service Logs --> log shipper --> logs layer --> S3 Backend (object storage)
                                          |
                                   Object Lock (WORM)

Logs Layer with S3 Object Lock

To make audit logs immutable (Write Once, Read Many):

  1. Create a locked S3 bucket:

    mc mb minio/akko-loki --with-lock
    mc retention set --default COMPLIANCE 365d minio/akko-loki

  2. Configure logs layer to use the locked bucket:

    # values-production.yaml
    loki:
      storage:
        type: s3
        s3:
          endpoint: minio.akko.svc:9000
          bucketnames: akko-loki
          access_key_id: "${MINIO_ROOT_USER}"
          secret_access_key: "${MINIO_ROOT_PASSWORD}"

  3. Result: Logs cannot be deleted or modified for the retention period, satisfying SOC 2 CC7.2 and ISO 27001 A.12.4.
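Creating the bucket is only half of the control; an auditor will want evidence that the lock is actually in place. The following check, added here as an example and not part of the AKKO docs, evaluates the response shape of the S3 GetObjectLockConfiguration API (what boto3's `get_object_lock_configuration(Bucket=...)` returns against MinIO) and reports anything that weakens the WORM guarantee: lock not enabled, no default retention rule, GOVERNANCE mode (which privileged users can bypass) instead of COMPLIANCE, or a retention shorter than the required period. The three responses below are constructed inline so the check runs offline.

```python
"""Added example: audit an S3/MinIO bucket's Object Lock configuration.

The input dict follows the S3 GetObjectLockConfiguration response shape; in a
live deployment you would pass the result of
boto3.client("s3").get_object_lock_configuration(Bucket="akko-loki").
"""


def object_lock_findings(response: dict, min_days: int = 365) -> list[str]:
    """Return a list of findings; an empty list means the bucket is WORM-ready."""
    findings: list[str] = []
    cfg = response.get("ObjectLockConfiguration") or {}

    # Object Lock can only be turned on at bucket creation (mc mb --with-lock).
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings

    # Without a default retention rule, new log chunks are written unlocked.
    rule = (cfg.get("Rule") or {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: new objects are not locked")
        return findings

    # GOVERNANCE retention can be lifted with s3:BypassGovernanceRetention;
    # COMPLIANCE cannot be shortened by anyone until it expires.
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode}, expected COMPLIANCE")

    # The rule carries either Days or Years; normalise to days for comparison.
    days = rule.get("Days")
    if days is None and rule.get("Years") is not None:
        days = rule["Years"] * 365
    if days is None or days < min_days:
        findings.append(f"default retention {days} days is below the required {min_days}")
    return findings


# Constructed sample responses (not captured from a real deployment).
LOCKED_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}},
    }
}
GOVERNANCE_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
    }
}
UNLOCKED_BUCKET: dict = {}


if __name__ == "__main__":
    for name, resp in [("locked", LOCKED_BUCKET),
                       ("governance", GOVERNANCE_BUCKET),
                       ("unlocked", UNLOCKED_BUCKET)]:
        print(name, object_lock_findings(resp) or "OK")
```

Run it as a post-deployment check and keep the output with your audit evidence; a non-empty findings list for the logs bucket means step 1 above did not take effect as intended.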

Data Retention

Configurable Retention Policies

Logs layer retention is configured via the limits_config section; the compactor performs the actual deletion, so it must have retention enabled as well:

# values-production.yaml
loki:
  config:
    limits_config:
      retention_period: 365d        # Keep logs for 1 year
    compactor:
      retention_enabled: true
      retention_delete_delay: 2h
      retention_delete_worker_count: 150

Per-Stream Retention

Different log types can have different retention periods:

loki:
  config:
    limits_config:
      retention_stream:
        - selector: '{namespace="akko", app="keycloak"}'
          priority: 1
          period: 730d              # Auth logs: 2 years
        - selector: '{namespace="akko", app="trino"}'
          priority: 1
          period: 365d              # Query logs: 1 year
        - selector: '{namespace="akko", app="opa"}'
          priority: 1
          period: 730d              # Policy decision logs: 2 years
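Because several rules can match one stream, it is easy to misjudge which retention a given log actually gets. The script below, an added example that is not part of the AKKO docs, reproduces the selection over the limits_config fragment above and then checks every stream against the minimum the comments call for (2 years for auth and policy-decision logs, 1 year for query logs). The selection semantics are an assumption, simplified from the Loki retention documentation: among retention_stream rules whose selector matches the stream labels, the highest priority wins, ties go to the longer period, and retention_period applies when nothing matches. Selectors support the =, !=, =~ and !~ matchers, so the example goes slightly beyond the equality-only selectors on the page.

```python
"""Added example: compute the retention Loki's compactor applies per stream and
flag streams whose effective retention is shorter than the compliance minimum.

Assumed semantics: highest-priority matching retention_stream rule wins, ties
go to the longer period, retention_period is the fallback.
"""
import re

# Constructed to mirror the values-production.yaml fragment above.
LIMITS_CONFIG = {
    "retention_period": "365d",
    "retention_stream": [
        {"selector": '{namespace="akko", app="keycloak"}', "priority": 1, "period": "730d"},
        {"selector": '{namespace="akko", app="trino"}', "priority": 1, "period": "365d"},
        {"selector": '{namespace="akko", app="opa"}', "priority": 1, "period": "730d"},
    ],
}

# Constructed: minimum retention per stream, taken from the comments above.
REQUIREMENTS = [
    ({"namespace": "akko", "app": "keycloak"}, "730d"),  # auth logs: 2 years
    ({"namespace": "akko", "app": "trino"}, "365d"),     # query logs: 1 year
    ({"namespace": "akko", "app": "opa"}, "730d"),       # policy decisions: 2 years
]

_UNITS = {"h": 1, "d": 24, "w": 24 * 7, "y": 24 * 365}
# label name, operator, double-quoted value (backslash escapes allowed inside)
_MATCHER = re.compile(r'(\w+)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"')


def period_hours(value: str) -> int:
    """'730d' -> 17520. Assumes h/d/w/y suffixes with y = 365 days."""
    return int(value[:-1]) * _UNITS[value[-1]]


def parse_selector(selector: str) -> list[tuple[str, str, str]]:
    """Parse '{a="x", b=~"y|z"}' into (name, op, value) triples."""
    body = selector.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"bad selector: {selector!r}")
    body = body[1:-1]
    matchers = _MATCHER.findall(body)
    leftover = _MATCHER.sub("", body).replace(",", "").strip()
    if leftover:  # anything other than matchers and commas is a syntax error
        raise ValueError(f"unparsed text in selector: {leftover!r}")
    return matchers


def matches(selector: str, labels: dict[str, str]) -> bool:
    """True when every matcher in the selector holds for the stream labels."""
    for name, op, value in parse_selector(selector):
        actual = labels.get(name, "")
        if op == "=":
            ok = actual == value
        elif op == "!=":
            ok = actual != value
        elif op == "=~":
            ok = re.fullmatch(value, actual) is not None
        else:  # "!~"
            ok = re.fullmatch(value, actual) is None
        if not ok:
            return False
    return True


def effective_retention(labels: dict[str, str], limits: dict = LIMITS_CONFIG):
    """Return (period, winning selector or None) for a stream's labels."""
    best = None
    for rule in limits.get("retention_stream", []):
        if not matches(rule["selector"], labels):
            continue
        key = (rule.get("priority", 0), period_hours(rule["period"]))
        if best is None or key > best[0]:
            best = (key, rule)
    if best is None:
        return limits["retention_period"], None
    return best[1]["period"], best[1]["selector"]


def retention_shortfalls(limits: dict = LIMITS_CONFIG, requirements=REQUIREMENTS):
    """(app, effective, required) for each stream kept shorter than required."""
    short = []
    for labels, minimum in requirements:
        period, _ = effective_retention(labels, limits)
        if period_hours(period) < period_hours(minimum):
            short.append((labels["app"], period, minimum))
    return short


if __name__ == "__main__":
    print(effective_retention({"namespace": "akko", "app": "keycloak"}))
    print(effective_retention({"namespace": "akko", "app": "superset"}))
    print("shortfalls:", retention_shortfalls() or "none")
```

A stream that matches no rule silently falls back to retention_period, so a renamed app label (for example a new Keycloak deployment name) would drop auth logs from 2 years to 1 without any error; running this check in CI against the rendered values file catches that before it reaches production.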

GDPR Data Subject Requests

For GDPR Art. 17 (Right to Erasure):

  • User data: Managed in PostgreSQL -- use standard DELETE statements.
  • Audit logs: If using WORM storage, logs containing PII are retained for the compliance period. Document this in your privacy policy as a lawful basis (Art. 6(1)(c) -- legal obligation).
  • PII detection: The akko_ai_pii() Trino function can scan query results for PII before export, helping enforce Art. 25 (Data Protection by Design).