{"framework":{"nfadp":{"status":"compliant","ai_disclosure":"Mandatory voice disclaimer before interaction","recording_consent":"Art. 179bis SCC gate — no audio before consent","right_to_object":"Keywords trigger human transfer","right_to_erasure":"POST /api/user/delete — cascading deletion","data_portability":"POST /api/user/export — JSON export","pii_masking":"AHV, IBAN, email, phone, PLZ masked before persistence","data_retention":"Audit 365 days, audio 30 days, auto-cleanup daily"},"finma_08_2024":{"status":"aligned","element_1_governance":"3LoD model, RBAC enforced","element_2_inventory":"GET /api/registry — 8 AI components registered","element_3_risk":"Risk classification per component (Low/Medium/High)","element_4_robustness":"RAG grounding rules, semantic cache, input sanitization","element_5_transparency":"SHA-256 hash-chained, append-only audit trail (tamper-evident)","element_6_monitoring":"GET /api/health — CPU/mem/disk/sessions/cache/LLM metrics"},"iso_27001":{"status":"aligned","encryption_in_transit":"TLS 1.3, HSTS preload","access_control":"RBAC with token-based auth (admin/operator/auditor/viewer)","secrets_management":"Environment variables only, no hardcoded secrets","waf":"Nginx rate limiting + application-layer sanitization","tenant_isolation":"Logical isolation with separate data directories"},"c5":{"status":"aligned","description":"Cloud Computing Compliance Criteria Catalogue","audit_trail":"SHA-256 hash-chained, append-only logs","access_control":"RBAC with role-based endpoint restrictions","data_separation":"Tenant-isolated data directories and audit logs","incident_management":"Automated rate limiting, injection blocking, audit alerting"},"nis2":{"status":"aligned","description":"Network and Information Security Directive 2","risk_management":"AI risk registry with per-component classifications","incident_reporting":"Audit trail captures all security events with timestamps","supply_chain":"Third-party AI services registered in inventory","encryption":"TLS 1.3 in transit, HSTS enforced","access_management":"RBAC with time-limited tokens"},"dora":{"status":"aligned","description":"Digital Operational Resilience Act","ict_risk":"System health monitoring, automated watchdog, retry logic","incident_classification":"Audit events categorized by type and severity","resilience_testing":"GET /api/stress-test — throughput, integrity, masking tests","third_party_risk":"AI provider registry with risk profiles per FINMA Element 2","information_sharing":"Compliance endpoint publicly accessible for auditors"}},"audit_trail":{"total_events":70826,"log_files":47,"retention_days":365,"hash_chain":"SHA-256 linked","immutable":true},"infrastructure":{"sovereignty":"Swiss-owned","provider":"Safe Swiss Cloud / Exoscale (target)","cloud_act_exposure":"None identified (Mistral = EU-hosted, Ollama = self-hosted)","tenant_isolation":"1 isolated tenant","certifications_target":["ISO 27001","ISO 27017","ISO 27018","ISO 42001"]}}