Trust & Compliance
NIS2, DORA, CRA, GDPR — mapped to the control that satisfies each.
Chainsaw is an install-path firewall sitting in front of 16 package registries. Same Rego at PR, install, K8s admission, runtime. SaaS, VPC, air-gapped — one binary. Below: every regime article mapped to a Chainsaw artifact your legal team can forward.
Compliance mapping
Regime, article, and the Chainsaw artifact that satisfies it.
Generic "GDPR compliant" claims fail GRC review. Below: article-level mapping to the signed artifact, configuration, or export that demonstrates the control. "In progress" and "target" used honestly where the claim isn't yet contractually backed. Each row is deep-linkable — legal can forward a URL straight to the control.
| Regime | Article / Control | Chainsaw evidence |
|---|---|---|
| NIS2 | Art. 21(2)(a) — risk analysis & information system security policies # | Signed policy bundle (Sigstore-verified OPA). Same Rego at PR, install, K8s admission, runtime. Bundle digest exported with every decision. held |
| NIS2 | Art. 21(2)(b) — incident handling # | Signed audit row per decision. Tamper-evident chain. Export to SIEM (Splunk, Elastic, Datadog) via webhook or JSONL. held |
| NIS2 | Art. 21(2)(c) — business continuity, backup, crisis management # | Air-gapped tier runs offline. Signed binary keeps enforcing after license expiry. Cache-only fallback per policy. DR tabletop exercises run on a quarterly cadence. The most recent exercise report is available under NDA on request. held |
| NIS2 | Art. 21(2)(d) — supply chain security # | This is the product. Refuses malicious installs on the path across 16 registries. SBOM-of-Chainsaw published per release. held |
| NIS2 | Art. 21(2)(e) — security in acquisition, development, maintenance # | Signed commits. SBOM-of-Chainsaw. Dependencies enforced by Chainsaw against Chainsaw's own policy bundle. held |
| NIS2 | Art. 21(2)(f) — policies on effectiveness of risk-management measures # | Per-decision audit row + policy bundle digest = reconstructable control state at any point in time. held |
| NIS2 | Art. 21(2)(g) — cyber hygiene & training # | Customer responsibility. Chainsaw provides enforcement; customer provides program. held |
| NIS2 | Art. 21(2)(h) — cryptography # | TLS 1.2+ in transit. AES-256 at rest. Sigstore/cosign attestation chain for bundles. CMEK/BYOK on Unlimited (target Q3). target |
| NIS2 | Art. 21(2)(i) — human resources, access control, asset management # | SAML/OIDC (Okta, Entra ID), SCIM 2.0, RBAC, JIT break-glass with auto-expiry, identity audit log separate from policy audit log. held |
| DORA | Art. 6 — ICT risk management framework # | Policy-as-code lifecycle: signed bundle → cosign verify → OPA eval → signed audit row. Reproducible from artifact. held |
| DORA | Art. 28 — third-party ICT risk (subcontracting chain) # | Subprocessor table below. SCCs in place where applicable. Customer-region for VPC tier; customer-residency for air-gapped tier. held |
| CRA | Annex I §1 — security properties # | Signed releases, signature verification on by default (CHAINSAW_REQUIRE_SIGNATURE=1). Strict JWT secret defaults. Multi-tenant isolation enforced at query layer. held |
| CRA | Annex I §2 — vulnerability handling # | Coordinated disclosure via security@chain305.com + security.txt. CVE SLA: triage 1 business day, critical patch 7 days (target). Bug bounty: planned. target |
| GDPR | Art. 5(1)(c) — data minimisation # | Zero application source code processed. Zero developer secrets at rest. Metadata captured = package name, version, who-installed, when, decision rationale. held |
| GDPR | Art. 28 — processor obligations # | DPA available (download below). SCCs Module 2/3 in standard form. Subprocessor list maintained + 30-day change notice. held |
| GDPR | Art. 30 — records of processing # | Per-decision signed audit row IS the record of processing for policy events. Exportable in JSONL + CSV. held |
| GDPR | Art. 32 — security of processing # | Encryption in transit + at rest. bcrypt LRU+TTL auth cache. httpOnly cookie sessions. JWT strict-by-default. Pseudonymisation where applicable. held |
| SOC 2 | CC6 — logical & physical access # | SAML/OIDC, SCIM 2.0, WebAuthn + Passkeys, TOTP, RBAC, JIT break-glass. SOC 2 Type II — readiness phase, auditor selection in progress. in progress |
| SOC 2 | CC7 — system operations / monitoring # | Signed audit row → SIEM export. Status page (planned). Incident runbook (in progress). in progress |
| SOC 2 | CC8 — change management # | Signed commits, signed release artifacts, signed policy bundles. Bundle promotion gated by cosign verification. held |
| ISO 27001 | A.5 / A.8 / A.12 / A.14 — policies, asset mgmt, ops security, secure dev # | ISO 27001 certification: planned (target 2027). Control coverage mapped against SOC 2 CC6/CC7/CC8 above pending audit. target |
| ISO 27017 | Cloud-specific controls # | Mapped against AWS SOC 2 / ISO 27017 inheritance. Customer-region pinning available (VPC, air-gapped). held |
| ISO 27018 | PII in public cloud # | PII surface limited to signup + billing (name, work email, org slug). No PII from package contents. EU residency for SaaS tier. held |
Data flows & PII surface
Exactly what touches the proxy
Chainsaw inspects install-time traffic to package registries. Zero application source code is processed. Zero developer secrets at rest — the proxy detects install-script exfiltration attempts against ephemeral install traffic; it does not store secrets it observes.
Metadata captured per decision: package name, version, ecosystem, upstream URL, requesting identity (user or service account), timestamp, policy bundle digest, decision (allow / refuse / quarantine), and decision rationale (which Rego rule fired).
PII surface (GDPR Art. 5(1)(c) data minimisation): signup and billing only — name, work email, org slug. No PII extracted from package contents. Audit rows identify the requesting principal by stable internal ID; the mapping to a natural person lives in the identity provider, not in the audit log.
EU data residency
Frankfurt for SaaS. Customer-region for VPC. Customer-residency for air-gapped.
SaaS tier is pinned to AWS eu-central-1 (Frankfurt). No cross-region replication. Backups remain in-region. This satisfies GDPR Chapter V (no third-country transfer required) and DORA cross-border ICT risk obligations for EU-resident controllers.
VPC tier deploys into the customer's own region. Air-gapped tier runs entirely within customer-controlled infrastructure with no Chainsaw-operated egress. The CLI's server URL can be baked into the binary so engineers never reach a public origin.
Subprocessors
Subprocessor list
30-day notice of change. SCCs Module 2 or adequacy decision in place for every active subprocessor. Air-gapped tier uses zero Chainsaw-side subprocessors.
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| AWS (eu-central-1, Frankfurt) | SaaS hosting, object storage, KMS | EU (Germany) | Adequacy (intra-EU) + AWS DPA |
| Cloudflare | Edge TLS termination, Turnstile bot defense | Global anycast; EU-resident logs | SCCs Module 2 + Cloudflare DPA |
| Stripe | Billing, payment processing | EU (Ireland) for EU customers | SCCs Module 2 + Stripe DPA |
| Sigstore (public good) | Transparency log for signed bundles | Public log (verifiable, no PII) | Public infrastructure; no personal data submitted |
| Resend | Transactional email | EU (Frankfurt) | SCCs Module 2 + Resend DPA |
| PostHog (self-hosted EU) | Product analytics | EU (Frankfurt) | Self-hosted; no transfer |
| TODO: SIEM/observability vendor | Internal log aggregation | TODO | TODO |
| TODO: Customer-support tooling | Inbound ticketing | TODO | TODO |
Encryption
In transit, at rest, and the attestation chain
In transit: TLS 1.2+ on every ingress. Cipher policy restricted to AEAD suites (AES-GCM, ChaCha20-Poly1305). HSTS on the SaaS edge.
At rest: AES-256 with AWS KMS-managed keys on SaaS. CMEK / BYOK on Unlimited tier (target Q3). Per-org encryption of upstream registry credentials with on-demand rotation. KMS key rotation: annual automatic, on-demand on request.
Attestation chain for policy bundles: Sigstore transparency log → cosign signature → OPA verification at load time. A tampered bundle refuses to load. A tampered release binary refuses to run (CHAINSAW_REQUIRE_SIGNATURE=1 by default).
Identity & access
SAML, SCIM, Passkeys, and a separate audit log for identity events
SAML 2.0 and OIDC against Okta and Entra ID. SCIM 2.0 for user lifecycle. WebAuthn + Passkeys and TOTP for second factor. OS keyring (macOS Keychain, Windows Credential Manager, libsecret) for CLI credential storage — never plaintext on disk.
RBAC at org / workspace / policy / registry granularity. JIT break-glass roles with auto-expiry (default 4 hours, configurable). Identity events (login, role grant, key issuance) write to a separate audit stream from policy decision events — your IAM team and your AppSec team don't have to share a query.
Session model: short-lived JWT, httpOnly cookie, revocable. JWT strict-by-default — Chainsaw refuses to boot without an explicit CHAINSAW_JWT_SECRET or persistent secret store. bcrypt with LRU+TTL auth cache to bound the credential-check surface.
Vulnerability & secure development
Disclosure, SLA, and SDLC
Disclosure: security@chain305.com and /.well-known/security.txt.
Acknowledgement within 1 business day. Safe-harbor for good-faith research. Bug bounty:
planned (target H2 2026).
Pen-test cadence: annual third-party engagement. Summary letter shared under NDA via the trust packet form.
CVE response SLA (target): triage within 1 business day, critical patch within 7 days, high within 30 days, medium within 90 days.
SDLC: signed commits required on protected branches. SBOM-of-Chainsaw published per release. Chainsaw's own dependencies are enforced by a Chainsaw policy bundle — the proxy eats its own dog food on the supply chain.
Operational resilience
Uptime, RPO/RTO, and what happens when Chainsaw is down
Uptime target: 99.95% (target; not contractual; negotiated in MSA on Unlimited tier). RPO target: 1 hour. RTO target: 4 hours. DR tabletop exercises run on a quarterly cadence. The most recent exercise report is available under NDA on request.
Failure mode: in monitor mode, Chainsaw fails open with an audit row. In enforce mode, default is fail-closed; cache-only fallback configurable per policy. Status page: planned.
Business continuity & escape hatch
What happens at termination
Data export: JSONL + CSV of audit rows, policy bundles as signed archives, configuration as YAML. Available throughout contract and for 90 days after termination. After 90 days, hard-delete.
Signed binary keeps running offline. License expiry does not brick the install-path firewall. Enforcement continues against the last-signed policy bundle. New bundles require renewal; existing bundles keep enforcing.
Source-available enforcement bundle clause: if Chain305 ceases operations, the enforcement core is released under a source-available license per the Unlimited tier MSA escrow clause.
Trust packet
Forward this to legal today
One PDF bundle: SOC 2 Type II readiness materials (auditor selection in progress), pen-test summary, DPA + SCCs, subprocessor list, NIS2 Art. 21(2) mapping, DORA Art. 6 + 28 mapping, GDPR Art. 32 + 28 + 30 mapping. Gated form — email, role, company.
Still have questions?
Talk to security engineering
Not sales. The engineer who wrote the signed-bundle verifier, the multi-tenant isolation tests, or the JWT strict-default. Pick the topic; routing follows.