Compliance Patterns
The MATIH Platform is designed to support compliance with major regulatory frameworks including SOC 2, HIPAA, and GDPR. This section maps the platform's technical controls to specific compliance requirements and describes the operational patterns that organizations can use to maintain their compliance posture.
Compliance Overview
| Framework | Focus | Key Requirements | MATIH Controls |
|---|---|---|---|
| SOC 2 | Security, availability, processing integrity, confidentiality, privacy | Access controls, logging, encryption, change management | RBAC, audit trail, AES-256 encryption, CI/CD pipeline |
| HIPAA | Protected Health Information (PHI) | Access controls, audit trails, encryption, breach notification | Tenant isolation, per-tenant encryption, audit logging |
| GDPR | Personal data of EU residents | Consent management, data subject rights, data minimization, breach notification | Privacy dashboard, consent management, DSR handling |
SOC 2 Controls
SOC 2 compliance is organized around five Trust Services Criteria. The following table maps MATIH's technical controls to each criterion.
Security (Common Criteria)
| Control | SOC 2 Requirement | MATIH Implementation |
|---|---|---|
| CC6.1 | Logical and physical access controls | JWT authentication, RBAC, Kubernetes RBAC, namespace isolation |
| CC6.2 | User provisioning and deprovisioning | IAM service user lifecycle, role assignment, access revocation |
| CC6.3 | Role-based access | RbacService with hierarchical roles, PermissionEvaluator |
| CC6.6 | Encryption in transit | TLS 1.2+ on all endpoints, mTLS for service mesh |
| CC6.7 | Encryption at rest | AES-256-GCM, per-tenant keys, cloud KMS integration |
| CC6.8 | Vulnerability management | Container image scanning, dependency scanning in CI/CD |
| CC7.1 | Security monitoring | Prometheus metrics, Grafana alerting, anomaly detection |
| CC7.2 | Security incident response | Audit trail, LoginAnomalyDetector, alert escalation |
| CC7.3 | Incident communication | Notification service, webhook alerts, audit exports |
Availability
| Control | SOC 2 Requirement | MATIH Implementation |
|---|---|---|
| A1.1 | System availability commitments | Kubernetes self-healing, pod autoscaling, multi-AZ deployment |
| A1.2 | Recovery procedures | Disaster recovery scripts, database backup/restore, Velero snapshots |
| A1.3 | Recovery testing | Health check scripts, platform status monitoring |
Processing Integrity
| Control | SOC 2 Requirement | MATIH Implementation |
|---|---|---|
| PI1.1 | Processing accuracy | Input validation (InputValidation class), data quality service |
| PI1.2 | Error handling | Structured error responses, retry policies, dead letter queues |
| PI1.3 | Output completeness | Query result verification, dashboard data validation |
Confidentiality
| Control | SOC 2 Requirement | MATIH Implementation |
|---|---|---|
| C1.1 | Confidential information identification | Data classification tags, sensitivity labels |
| C1.2 | Confidential information disposal | Tenant data purge on deprovisioning, secure deletion |
Privacy
| Control | SOC 2 Requirement | MATIH Implementation |
|---|---|---|
| P1.1 | Privacy notice | Configurable privacy policies per tenant |
| P2.1 | Consent | Consent management service |
| P3.1 | Personal information collection | Data minimization policies, purpose limitation |
| P4.1 | Use of personal information | Usage tracking, purpose-based access controls |
| P6.1 | Data subject rights | GDPR DSR handling (see below) |
Audit Logging
The audit trail is the backbone of compliance monitoring. Every security-relevant action is recorded as an immutable AuditEvent.
AuditEvent Structure
```java
import java.time.Instant;
import java.util.Map;

public record AuditEvent(
    String eventId,               // Unique event identifier
    String eventType,             // e.g., "AUTH_LOGIN", "DATA_ACCESS", "ROLE_CHANGE"
    String userId,                // Who performed the action
    String tenantId,              // Which tenant context
    String resourceType,          // e.g., "dashboard", "query", "user"
    String resourceId,            // Specific resource identifier
    String action,                // e.g., "CREATE", "READ", "UPDATE", "DELETE"
    String outcome,               // "SUCCESS" or "FAILURE"
    String ipAddress,             // Client IP address
    String userAgent,             // Client user agent
    Map<String, Object> metadata, // Additional context
    Instant timestamp             // When the event occurred
) {}
```
Audited Events
| Event Category | Event Types | Trigger |
|---|---|---|
| Authentication | AUTH_LOGIN, AUTH_LOGOUT, AUTH_REFRESH, AUTH_MFA_VERIFY | Login, logout, token refresh, MFA verification |
| Authorization | AUTH_DENIED, PERMISSION_CHECK, ROLE_CHANGE | Access denied, permission evaluation, role assignment |
| Data Access | DATA_READ, DATA_WRITE, DATA_DELETE, QUERY_EXECUTE | Any data operation |
| Configuration | CONFIG_CHANGE, SECRET_ROTATION, POLICY_UPDATE | Settings, secrets, policy modifications |
| User Management | USER_CREATE, USER_UPDATE, USER_DELETE, USER_LOCK | User lifecycle events |
| Impersonation | IMPERSONATION_START, IMPERSONATION_END | Admin impersonation sessions |
| API Keys | API_KEY_CREATE, API_KEY_REVOKE, API_KEY_ROTATE | API key lifecycle |
Audit Logging Usage
```java
// Record a successful dashboard read by user-123 in tenant acme-corp
AuditLogger auditLogger = new AuditLogger();
auditLogger.log(AuditEvent.builder()
        .eventType("DATA_ACCESS")
        .userId("user-123")
        .tenantId("acme-corp")
        .resourceType("dashboard")
        .resourceId("dash-456")
        .action("READ")
        .outcome("SUCCESS")
        .ipAddress("203.0.113.42")
        .metadata(Map.of("queryCount", 5))
        .build());
```
Audit Trail Storage
| Environment | Storage | Retention |
|---|---|---|
| Development | PostgreSQL audit_events table | 30 days |
| Staging | PostgreSQL + Loki | 90 days |
| Production | PostgreSQL + Loki + Cloud Object Storage (S3/Blob) | 7 years |
Audit logs are append-only: the application only inserts events and never updates or deletes them. In production, events are additionally streamed to cloud object storage configured for write-once retention, so that long-term copies cannot be altered even by an operator with database access.
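Append-only storage protects the trail against modification only as far as the storage layer enforces it. The following added example (not MATIH platform code) shows a check a compliance engineer can run over an audit export to make tampering detectable: events are linked into a SHA-256 hash chain, and verification fails at the first event that was edited, dropped or reordered. The `prevHash`/`hash` field names, the canonicalisation rule and the sample events are assumptions of this example.

```python
"""Tamper-evidence check for an exported audit trail.

Added example, not MATIH platform code.  It assumes audit events are
exported as JSON objects carrying the AuditEvent fields shown above and
links them into a SHA-256 hash chain so that editing, deleting or
reordering a stored event breaks verification.  The prevHash/hash field
names, the canonicalisation rule and the sample events are assumptions.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first event

# Constructed sample export (not real platform output)
SAMPLE_EVENTS: List[dict] = [
    {"eventId": "evt-001", "eventType": "AUTH_LOGIN", "userId": "user-123",
     "tenantId": "acme-corp", "resourceType": "session", "resourceId": "sess-9",
     "action": "CREATE", "outcome": "SUCCESS", "ipAddress": "203.0.113.42",
     "userAgent": "curl/8.5", "metadata": {}, "timestamp": "2026-01-15T10:00:00Z"},
    {"eventId": "evt-002", "eventType": "AUTH_DENIED", "userId": "user-123",
     "tenantId": "acme-corp", "resourceType": "dashboard", "resourceId": "dash-456",
     "action": "DELETE", "outcome": "FAILURE", "ipAddress": "203.0.113.42",
     "userAgent": "curl/8.5", "metadata": {"reason": "missing permission"},
     "timestamp": "2026-01-15T10:01:30Z"},
    {"eventId": "evt-003", "eventType": "ROLE_CHANGE", "userId": "admin-1",
     "tenantId": "acme-corp", "resourceType": "user", "resourceId": "user-123",
     "action": "UPDATE", "outcome": "SUCCESS", "ipAddress": "198.51.100.7",
     "userAgent": "curl/8.5", "metadata": {"role": "tenant_admin"},
     "timestamp": "2026-01-15T10:02:00Z"},
]


def canonical(event: dict) -> bytes:
    """Canonical JSON of the event body: sorted keys, no whitespace, chain
    fields excluded, so the digest does not depend on serialisation details."""
    body = {k: v for k, v in event.items() if k not in ("hash", "prevHash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":"), default=str).encode()


def _digest(prev_hash: str, event: dict) -> str:
    # Each digest covers the previous digest, which is what links the chain
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def seal(events: List[dict]) -> List[dict]:
    """Return copies of the events with prevHash/hash filled in, in order."""
    sealed, prev = [], GENESIS
    for ev in events:
        entry = dict(ev)
        entry["prevHash"] = prev
        entry["hash"] = _digest(prev, entry)
        sealed.append(entry)
        prev = entry["hash"]
    return sealed


def verify(sealed: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad event)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        if entry.get("prevHash") != prev or entry.get("hash") != _digest(prev, entry):
            return False, i
        prev = entry["hash"]
    return True, None


def demo() -> dict:
    """Seal the sample export, then attempt the two edits an attacker would make."""
    sealed = seal(SAMPLE_EVENTS)
    intact, _ = verify(sealed)

    edited = [dict(e) for e in sealed]
    edited[1]["outcome"] = "SUCCESS"      # rewrite a denied action as allowed
    ok_edit, bad_edit = verify(edited)

    dropped = sealed[:1] + sealed[2:]     # remove the denial altogether
    ok_drop, bad_drop = verify(dropped)

    return {"intact": intact, "after_edit": ok_edit, "edit_index": bad_edit,
            "after_delete": ok_drop, "delete_index": bad_drop}


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves that the copy you hold matches the chain head you trust: anyone with write access to both the events and the hashes can simply re-seal the trail. Publish the current head hash somewhere the writer cannot alter (the write-once object storage used in production, or a separate account) and compare against it during verification.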
HIPAA Compliance Patterns
For organizations handling Protected Health Information (PHI), MATIH provides additional safeguards.
Technical Safeguards
| HIPAA Requirement | MATIH Implementation |
|---|---|
| Access control (164.312(a)(1)) | RBAC with minimum necessary access, per-tenant isolation |
| Audit controls (164.312(b)) | Comprehensive audit trail with 7-year retention |
| Integrity controls (164.312(c)(1)) | AES-256-GCM authenticated encryption, data checksums |
| Transmission security (164.312(e)(1)) | TLS 1.2+ on all communications |
| Authentication (164.312(d)) | JWT + MFA, API key authentication |
Administrative Safeguards
| HIPAA Requirement | Platform Support |
|---|---|
| Security officer designation | Role: security_officer with audit read access |
| Workforce training | Audit trail of user activity for training verification |
| Access management | Automated provisioning/deprovisioning, access request workflow |
| Incident procedures | Anomaly detection, alert routing, audit trail for investigation |
Physical Safeguards
| HIPAA Requirement | Platform Support |
|---|---|
| Facility access | Kubernetes on cloud infrastructure (provider responsibility) |
| Workstation security | Pod security policies, read-only filesystems |
| Device and media controls | Encrypted persistent volumes, secure volume deletion |
Business Associate Agreements
When MATIH processes PHI on behalf of a covered entity, Business Associate Agreements (BAAs) must be established with:
- Cloud infrastructure providers (Azure, AWS, GCP)
- Managed database services
- Third-party AI/ML services (OpenAI, etc.)
The platform's configuration supports BAA-compliant deployment through dedicated infrastructure options and data residency controls.
GDPR Compliance Patterns
Data Subject Rights
MATIH provides built-in support for GDPR data subject rights through the privacy dashboard and consent management services:
| Right | GDPR Article | Implementation |
|---|---|---|
| Right of access | Art. 15 | Data export endpoint, privacy dashboard |
| Right to rectification | Art. 16 | User profile update APIs |
| Right to erasure | Art. 17 | Tenant data purge, user data deletion |
| Right to restriction | Art. 18 | Data processing flags, consent withdrawal |
| Right to portability | Art. 20 | Data export in standard formats (JSON, CSV) |
| Right to object | Art. 21 | Processing opt-out mechanisms |
Data Subject Request (DSR) Handling
```text
Data Subject submits request
          |
          v
[Privacy Dashboard] -- Log DSR in audit trail
          |
          v
[Identity Verification] -- Verify requester identity
          |
          v
[DSR Processing] -- Execute the requested action
          |
          v
[Confirmation] -- Notify data subject of completion
          |
          v
[Audit Record] -- Record DSR completion for compliance
```
Consent Management
The consent management service tracks user consent for data processing activities:
```json
{
  "userId": "user-123",
  "tenantId": "acme-corp",
  "consents": [
    {
      "purpose": "analytics",
      "granted": true,
      "grantedAt": "2026-01-15T10:00:00Z",
      "expiresAt": "2027-01-15T10:00:00Z",
      "version": "v2.1"
    },
    {
      "purpose": "marketing",
      "granted": false,
      "withdrawnAt": "2026-02-01T08:30:00Z"
    }
  ]
}
```
Data Classification
MATIH supports data classification tagging for GDPR compliance:
| Classification | Description | Processing Rules |
|---|---|---|
| PERSONAL | Personally identifiable information (PII) | Subject to GDPR, consent required |
| SENSITIVE | Special categories (Art. 9) | Explicit consent, additional safeguards |
| ANONYMIZED | Irreversibly anonymized data | Not subject to GDPR |
| PSEUDONYMIZED | Pseudonymized data | Still subject to GDPR, reduced risk |
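The consent record above and the classification table combine into a single runtime decision: may data of a given classification be processed for a given purpose right now? The following is an added example of that check, not the MATIH consent management service. The function names, the `current_version` argument (the policy version a user must have agreed to), and the optional `explicit` flag on a consent entry are assumptions of this example; the sample record is a constructed copy of the JSON shown above.

```python
"""Purpose-based consent check applying the classification rules above to
the consent record format shown under Consent Management.

Added example, not the MATIH consent management service.  The rule
mapping, function names, `current_version` argument and the optional
`explicit` flag on a consent entry are assumptions of this example.
"""
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Tuple


class Classification(Enum):
    PERSONAL = "PERSONAL"
    SENSITIVE = "SENSITIVE"          # GDPR Art. 9 special categories
    ANONYMIZED = "ANONYMIZED"
    PSEUDONYMIZED = "PSEUDONYMIZED"  # still personal data: treated like PERSONAL


def _parse(ts: str) -> datetime:
    """ISO-8601 with trailing Z, as used in the consent record."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def consent_state(record: dict, purpose: str, now: datetime,
                  current_version: str) -> Tuple[str, Optional[dict]]:
    """Classify the consent for `purpose` at time `now`.

    Returns (state, entry); state is one of
    granted | withdrawn | expired | stale-version | missing."""
    for entry in record.get("consents", []):
        if entry.get("purpose") != purpose:
            continue
        if not entry.get("granted") or "withdrawnAt" in entry:
            return "withdrawn", entry
        if "expiresAt" in entry and _parse(entry["expiresAt"]) <= now:
            return "expired", entry
        if entry.get("version") != current_version:
            return "stale-version", entry     # policy text changed: re-consent needed
        return "granted", entry
    return "missing", None


def may_process(record: dict, purpose: str, classification: Classification,
                now: datetime, current_version: str) -> Tuple[bool, str]:
    """Decide whether data of `classification` may be processed for `purpose`."""
    if classification is Classification.ANONYMIZED:
        return True, "anonymized data is outside GDPR scope"
    state, entry = consent_state(record, purpose, now, current_version)
    if state != "granted":
        return False, f"consent for '{purpose}' is {state}"
    if classification is Classification.SENSITIVE and not entry.get("explicit", False):
        return False, "Art. 9 data requires explicit consent"
    return True, f"consent for '{purpose}' is valid ({entry['version']})"


# Constructed copy of the consent record shown above
SAMPLE_RECORD = {
    "userId": "user-123",
    "tenantId": "acme-corp",
    "consents": [
        {"purpose": "analytics", "granted": True,
         "grantedAt": "2026-01-15T10:00:00Z",
         "expiresAt": "2027-01-15T10:00:00Z", "version": "v2.1"},
        {"purpose": "marketing", "granted": False,
         "withdrawnAt": "2026-02-01T08:30:00Z"},
    ],
}

NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
POLICY_VERSION = "v2.1"


def demo() -> dict:
    """Run the check across the cases the classification table distinguishes."""
    P, S, A = Classification.PERSONAL, Classification.SENSITIVE, Classification.ANONYMIZED
    later = datetime(2027, 2, 1, tzinfo=timezone.utc)   # after expiresAt
    return {
        "analytics/personal": may_process(SAMPLE_RECORD, "analytics", P, NOW, POLICY_VERSION),
        "marketing/personal": may_process(SAMPLE_RECORD, "marketing", P, NOW, POLICY_VERSION),
        "analytics/sensitive": may_process(SAMPLE_RECORD, "analytics", S, NOW, POLICY_VERSION),
        "support/anonymized": may_process(SAMPLE_RECORD, "support", A, NOW, POLICY_VERSION),
        "analytics/expired": may_process(SAMPLE_RECORD, "analytics", P, later, POLICY_VERSION),
        "analytics/new-policy": may_process(SAMPLE_RECORD, "analytics", P, NOW, "v3.0"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

Two points worth noting in the design: a consent entry that is merely expired or tied to a superseded policy version is refused just like a withdrawn one, because continuing to process on stale consent is the common audit finding; and ANONYMIZED data short-circuits before any consent lookup, which is only safe if the classification tag itself is trustworthy, so classification changes should be audited as CONFIG_CHANGE events.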
Data Processing Records
The platform maintains records of processing activities as required by GDPR Article 30:
| Field | Description |
|---|---|
| Processing purpose | Why the data is processed |
| Data categories | Types of personal data involved |
| Data subjects | Categories of individuals |
| Recipients | Who receives the data |
| Transfer safeguards | Protections for cross-border transfers |
| Retention period | How long data is kept |
| Security measures | Technical and organizational measures |
Compliance Monitoring Dashboard
The platform provides a compliance monitoring dashboard that aggregates security metrics:
| Metric | Description | Alert Threshold |
|---|---|---|
| Failed login attempts | Per user, per tenant | More than 5 in 10 minutes |
| Authorization denials | Unexpected access attempts | Spike above baseline |
| Secret rotations pending | Keys past rotation date | Any key past rotation date |
| MFA adoption rate | Percentage of users with MFA | Below 90% for production tenants |
| Audit log gaps | Missing or delayed audit events | Any gap longer than 5 minutes |
| Certificate expiration | TLS certificates nearing expiry | Within 30 days of expiration |
| Data subject requests | Pending DSR requests | Any request older than 30 days |
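Two of the thresholds above are evaluated directly from the audit stream, and the following added example (not the platform's dashboard code) shows that logic over a constructed export: a sliding-window count of failed AUTH_LOGIN events per user and tenant, and a scan for silences between consecutive events longer than five minutes. The alert dictionaries are an assumed output format; the event stream is constructed for the example.

```python
"""Two dashboard thresholds evaluated over an audit export: failed-login
bursts (more than 5 in 10 minutes per user and tenant) and audit log gaps
(no event for more than 5 minutes).

Added example, not the platform's dashboard code.  Events use the
AuditEvent shape from the Audit Logging section; the stream below is
constructed and the alert dictionaries are an assumed output format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

FAILED_LOGIN_LIMIT = 5                        # alert when the count exceeds this ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within this window
MAX_AUDIT_GAP = timedelta(minutes=5)


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))


def failed_login_bursts(events: List[dict]) -> List[dict]:
    """Sliding-window count of AUTH_LOGIN failures per (tenant, user).
    One alert per key, raised at the event that pushes the count past the limit."""
    windows: Dict[tuple, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted(events, key=_ts):
        if ev["eventType"] != "AUTH_LOGIN" or ev["outcome"] != "FAILURE":
            continue
        key = (ev["tenantId"], ev["userId"])
        t = _ts(ev)
        q = windows[key]
        q.append(t)
        while t - q[0] > FAILED_LOGIN_WINDOW:     # drop attempts outside the window
            q.popleft()
        if len(q) > FAILED_LOGIN_LIMIT and key not in alerted:
            alerted.add(key)
            alerts.append({"metric": "failed_login_attempts", "tenantId": key[0],
                           "userId": key[1], "count": len(q), "at": ev["timestamp"]})
    return alerts


def audit_gaps(events: List[dict]) -> List[dict]:
    """Flag every interval between consecutive events longer than MAX_AUDIT_GAP.
    A gap usually means the logger or its transport stalled rather than that
    the platform was idle, so it is alerted on regardless of event content."""
    stamps = sorted(_ts(e) for e in events)
    return [{"metric": "audit_log_gap", "from": a.isoformat(), "to": b.isoformat(),
             "minutes": (b - a).total_seconds() / 60}
            for a, b in zip(stamps, stamps[1:]) if b - a > MAX_AUDIT_GAP]


# ---- constructed sample stream (not real platform output) -----------------
_BASE = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)


def _ev(minute: int, event_type: str, outcome: str, user: str) -> dict:
    return {"eventId": f"evt-{minute:03d}-{user}", "eventType": event_type,
            "userId": user, "tenantId": "acme-corp", "resourceType": "session",
            "resourceId": "-", "action": "CREATE", "outcome": outcome,
            "ipAddress": "203.0.113.42", "userAgent": "curl/8.5", "metadata": {},
            "timestamp": (_BASE + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")}


SAMPLE_EVENTS = (
    [_ev(m, "AUTH_LOGIN", "FAILURE", "user-123") for m in range(6)]        # 6 failures in 5 min
    + [_ev(m, "AUTH_LOGIN", "FAILURE", "user-456") for m in (0, 3)]        # 2 failures: fine
    + [_ev(m, "AUTH_LOGIN", "FAILURE", "user-789") for m in (1, 2, 3, 4, 20, 21)]  # 4, then 2 later: fine
    + [_ev(6, "AUTH_LOGOUT", "SUCCESS", "user-001"),
       _ev(15, "DATA_READ", "SUCCESS", "user-001")]                        # 9-minute silence
)


def demo() -> dict:
    return {"bursts": failed_login_bursts(SAMPLE_EVENTS), "gaps": audit_gaps(SAMPLE_EVENTS)}


if __name__ == "__main__":
    print(demo())
```

The burst detector is keyed on tenant and user, matching the "per user, per tenant" scope in the table; a spray of failures across many users from one IP would not trip it, so pairing it with a second window keyed on `ipAddress` is a cheap addition. The gap scan assumes the export covers the whole platform; run it per logging source if some services emit events only rarely.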
Compliance Certifications Roadmap
| Certification | Status | Target |
|---|---|---|
| SOC 2 Type I | Controls designed | Q2 2026 |
| SOC 2 Type II | Controls operating | Q4 2026 |
| HIPAA | BAA-ready deployment | Q3 2026 |
| GDPR | Privacy controls implemented | Current |
| ISO 27001 | Planned | 2027 |
| FedRAMP | Under evaluation | 2027 |
Next Steps
This concludes the Security and Multi-Tenancy chapter. Continue to Chapter 4: Installation and Setup to learn how to deploy the MATIH Platform in your environment.