Policies & Compliance

Purpose-built compliance that stands up to regulators, auditors, and boards.
PastWipe operationalizes policy, privacy, and security controls across jurisdictions—so banking institutions, governments, and regulated enterprises can prove they meet their obligations, not just promise they do. Our patented data-envelope architecture and the optional RepSec™ protocol bind policy to data, generate verifiable evidence, and neutralize value in exfiltrated copies—on-prem, in sovereign or commercial clouds, and across vendor ecosystems.

Policies and Compliance

Global & Local

In today’s connected world, trust is defined by how data is protected. Every breach, record, or exposure leaves lasting consequences for institutions and individuals. PastWipe’s patented technology and the RepSec™ protocol neutralize stolen information and safeguard digital sovereignty, offering a level of protection far beyond reputation management.

Policies and Compliance

Governance, Policy & Risk (GRC)

What this covers

  • Enterprise policy framework aligned to leading standards (ISO/IEC 27001:2022, ISO/IEC 27701, NIST CSF 2.0, SOC 2 control families).

  • Risk management: inherent/residual risk scoring, control ownership, acceptance, and exceptions.

  • Roles & responsibilities (SoD), privileged operations, and change governance.

  • Policy lifecycle: authoring, versioning, distribution, attestation by staff and vendors.

  • Evidence management for internal audit, external audit, and regulator inspections.

How PastWipe helps

  • Unified control catalog: Map one set of controls to multiple frameworks (e.g., ISO, SOC 2, NIST, DORA). Avoid duplication and demonstrate “once—report many.”

  • Policy-bound data envelopes: Attach machine-readable policy to data classes (records, documents, telemetry). Enforcement follows the data—even off your perimeter.

  • Signed attestations & trails: Every material action (create, transform, disclose, delete) can produce a signed event, anchored in your SIEM/SOAR for integrity.

  • Risk-aware automation: Risk scores determine additional guardrails (step-up approvals, 4-eyes review, break-glass logging).

Evidence we can show

  • Master Policy Register with version history and acceptance logs.

  • Control-to-framework mappings with test procedures and status.

  • Risk registers, exceptions, and mitigations with accountable owners.

  • Immutable activity ledgers demonstrating policy distribution and training.

Data Protection & Privacy (EU & U.S.)

What this covers

  • EU: GDPR (lawful bases, RoPA, DPIA, DPO oversight), NIS2-aligned security expectations, eIDAS-aligned identity assurance, data-transfer mechanisms (SCCs/DPF as applicable), data minimization and retention.

  • U.S.: GLBA Safeguards for financial institutions, state privacy regimes (e.g., CPRA/CCPA), sectoral rules (HIPAA for health entities you interoperate with), data-breach notification and disclosure obligations.

  • Cross-border & residency: Sovereign hosting options, KMS/HSM control in-country, split-key and tenant-controlled encryption.

How PastWipe helps

  • Lawful-purpose enforcement: Tag data with declared purposes; technical use-controls prevent function creep and generate alerts if a process deviates.

  • RoPA & DPIA automation: Auto-populate Records of Processing and risk factors from actual system behavior; reduce manual survey fatigue.

  • Retention & defensible deletion: Policy timers applied at the data-class level; expiries trigger workflows to archive, anonymize, or destroy—with receipts.

  • Subject-rights operationalization (for enterprise data subjects like employees, applicants, and citizens in your custody): Discovery, scoping, and fulfillment workflows with provable timelines, approvals, and redaction handling.

  • Transfer transparency: Data-flow inventories and vendor maps reveal what crosses borders, under which legal instrument, and with which safeguards.

Evidence you can show

  • Up-to-date RoPA tied to real data flows.

  • DPIAs with risk scores and compensating controls.

  • Retention schedules plus cryptographic Deletion Receipts.

  • Purpose-use compliance reports and anomaly alerts.

  • Data-transfer registry with SCC/DPF references and KMS residency proof.

PastWipe Approach: Controls That Travel with the Record

1. Envelope the data, not just the perimeter.
PastWipe wraps records in a cryptographic envelope that carries policy, provenance, legal basis, consents, and usage rules alongside the data. Even when copied, exported, or cached by a third-party system, the envelope enforces:

  • Identity & role attestation. Strong identity (eIDAS/OIDC), role, and device posture checks before release.

  • Purpose binding. Requests must declare a permitted purpose (e.g., treatment, payment, operations; specific statutory mandate; court order) that maps to your policy matrix.

  • Data minimisation. Only the necessary fields and timeframe are released (GDPR Art. 5(1)(c)); defaults to de-identification or aggregation when possible.

  • Record-level keying. Split-scoped keys with in-country KMS/HSM options; role-based and attribute-based policies (RBAC/ABAC) to prevent “all-or-nothing” access.

2. Breach-Triggered Neutralisation (BTN).
If the envelope detects policy violations (e.g., exfil path, missing attestation, abnormal geography, revoked purpose), it revokes cryptographic material and switches payloads to a non-reusable state. Stolen CSVs or database dumps lose operational value.

3. Evidence by design.
Every permitted access emits a signed, immutable event suitable for SIEM/SOAR ingestion and auditor-grade reports: who, what, when, why, where—plus the minimal released subset. This yields:

  • Attestation trails for regulators and data protection authorities.

  • Cross-party accountability: vendors and agencies can’t dispute what their systems did.

  • Rapid incident scoping: know exactly which minimal slices were exposed.

4. Interoperable with existing health & records stacks.
We integrate at logical choke points—EHRs/EMRs, LIS/PACS, HIEs, health insurers/TPAs, registries (civil, land, tax), case management, and document management:

  • FHIR ($export, consent, provenance, audit-event), IHE (XDS/XCA/XUA), DICOM for imaging, OpenID Connect for identity, OAuth 2.0 for delegated access, SAML where needed.

  • Event wiring into your SIEM (e.g., Splunk, Elastic, Microsoft Sentinel) and SOAR runbooks.

  • Cloud/on-prem/hybrid deployments, with in-country HSM/KMS and “separation of duties” to satisfy sovereignty requirements.

5. RepSec-ready (optional).
RepSec™ is an optional protocol layer that standardises BTN, purpose semantics, and attestation formats across organisations—so the same record can move from hospital to regulator to research partner without losing its guardrails or auditability. You can adopt PastWipe without RepSec, and add RepSec later for inter-org portability.

Key advantages for health & government custodians

  • Reduce breach blast radius: exfiltrated data becomes non-reusable.

  • Limit insider misuse: purpose checks + minimal slices + signed events.

  • Accelerate lawful sharing: faster responses to statutory requests with automatic scoping and proofs.

  • Shrink audit cycles: regulators can verify controls via evidence, not promises.

  • Defensible posture: policy-to-proof alignment across systems and vendors.

Security Controls & Zero-Trust Operations

What this covers

  • Identity-first security and least-privilege access across human and workload identities.

  • Encryption at rest/in transit; optional FIPS-validated crypto modules and HSM/KMS strategies (customer-managed keys, BYOK/HYOK).

  • Secure SDLC, SBOM visibility, supply-chain controls, and vulnerability management.

  • Logging, telemetry integrity, and time-synced event correlation for forensics (SIEM/SOAR).

  • Business continuity (BCP), disaster recovery (DR), RTO/RPO targets, tabletop testing.

  • Endpoint and server hardening, secret management, segregation of duties, key-rotation policy.

How PastWipe helps

  • Policy-attached cryptography: Data envelopes specify cipher suites, key hierarchies, and residency; enforcement is validated at point-of-use.

  • Machine-verifiable logs: Every envelope action produces tamper-evident events; integrity can be anchored to hardware trust or ledgered checkpoints.

  • Segregated duties by design: Admins cannot read tenant data; break-glass flows are pre-approved, monitored, and fully auditable.

  • SDLC guardrails: Build-time checks (linting, IaC policy as code), SBOM generation, dependency risk scoring, and signed artifact promotion.

Evidence we can show

  • Key-management diagrams with residency and rotation cadence.

  • SIEM-ingested, signed event streams with correlation dashboards.

  • DR playbooks with last test date, outcomes, and corrective actions.

  • SBOMs with vulnerability SLAs and remediation timelines.

Financial Services & Banking Compliance

What this covers

  • EU: DORA (ICT risk management, incident reporting, testing, third-party risk), PSD2-adjacent data-sharing controls, NIS2 expectations for essential entities.

  • U.S.: GLBA Safeguards Rule, FFIEC expectations, NYDFS 23 NYCRR 500, SOC 2 reporting to counterparties, SEC cybersecurity disclosure obligations for listed entities.

  • Global: PCI DSS 4.0 for cardholder data environments; fraud-risk interfaces (KYC/AML data sharing, purpose-bound analytics).

How PastWipe helps

  • DORA-ready evidence: ICT risk dashboarding, incident taxonomy, and reporting packages; continuous testing hooks (purple-team, tabletop, red-team tracking).

  • Third-party (TPSP) oversight: Vendor inventories, data-sharing envelopes, right-to-audit clauses backed by telemetry proofs; auto-collect SOC/ISO attestations.

  • PCI segregation: If you process cardholder data with connected systems, data envelopes enforce scoping boundaries, tokenization, and encryption requirements.

  • Breach-triggered non-reusability: The Optional RepSec™ protocol can render exfiltrated copies non-reusable, materially reducing downstream fraud exposure and demonstrating strong post-compromise controls.

Evidence we can show

  • DORA control matrix with testing cadence and outcomes.

  • TPSP due-diligence packs (security questionnaires, SOC 2/ISO mappings, pen-test letters) with renewal alerts.

  • PCI DSS scope diagrams, tokenization receipts, and quarterly scan results.

  • Incident response dossiers with regulator-ready timelines and artifacts.

Government & Public Sector Compliance

What this covers

  • EU/EEA: NIS2-aligned security posture for essential/important entities, eIDAS-aligned identity assurance, data-sovereignty and procurement requirements, cross-border public-sector data exchange.

  • U.S. (federal/state/local): FISMA/NIST SP 800-53 control families, FedRAMP-aligned cloud postures, CJIS Security Policy controls for justice data, IRS 1075 for tax information, and Section 508 accessibility in delivered interfaces where applicable.

  • Sovereignty & lawful handling: Classification handling, CUI considerations, legal holds, evidentiary chains, and public-records obligations.

How PastWipe helps

  • Deployment neutrality: On-prem, sovereign cloud, or hybrid; customer-managed KMS/HSM for in-country separation.

  • Justice/tax handling patterns: Policy packs for CJIS-like logging, personnel screening flags, and DOJ/IRS-style retention and audit.

  • Public-records readiness: Immutable trails with export tooling for FOIA/PRR processes without exposing secrets.

  • Legal hold controls: Freeze retention timers, lock deletion paths, and record chain-of-custody with cryptographic receipts.

Evidence we can show

  • Control implementation statements mapped to NIST 800-53 families.

  • Sovereign hosting/KMS attestations and key-custody chain.

  • CJIS/IRS-style logging reports with access justifications.

  • Legal-hold manifests and export logs for records officers.

Assurance, Audit & Continuous Compliance

What this covers

  • Internal audit readiness, external audit coordination, and regulator inspections.

  • Continuous control monitoring, control testing, and corrective action tracking.

  • Incident response governance (classification, materiality, disclosure timelines).

  • Metrics & reporting to execs and boards.

How PastWipe helps

  • Evidence on demand: One-click export of control narratives, procedures, and Proof Bundles (signed logs, config snapshots, screenshots/video captures of tests).

  • Control health & drift detection: Detect configuration drift against a golden baseline; auto-open tickets and verify remediation with technical tests.

  • Material incident playbooks: Timer-based workflows for notifications (regulators, supervisory authorities, customers), with approver trails and message templates.

  • Board-ready reports: KPIs/KRIs for policy coverage, incident MTTR, control pass-rates, vendor posture, and trend lines over quarters.

Evidence we can show

  • Proof Bundles per control with cryptographic integrity checks.

  • Control health dashboards and remediation SLAs.

  • Incident files with who-did-what-when, including counsel-view.

  • Quarterly board decks with trend analytics and planned improvements.


How We Operationalize Compliance (Design Principles)

  • Policy as Code: Policies are expressed in machine-readable form and evaluated at runtime. If a process or user deviates, the system can block, quarantine, or require step-up approvals.

  • Data Neutralization: Optional RepSec™ enforces purpose and time bounds and can render stolen copies non-reusable—dramatically reducing regulatory and fraud impact.

  • Separation of Duties: Admins cannot quietly bypass controls. Break-glass paths are explicit, time-boxed, logged, and reviewed.

  • Customer-Controlled Keys: You pick where keys live (on-prem HSM, sovereign cloud KMS). Our services see ciphertext; you hold the last mile of trust.

  • Immutable Evidence: Every meaningful action produces signed, time-synced events; integrity can be anchored to hardware trust or ledgered checkpoints to combat repudiation.

  • No “Compliance Theater”: Focus on evidence that is ready, complete, and verifiable.


Typical Artifacts Delivered

  • Master Policy Register & Control Catalog with multi-framework mappings.

  • RoPA, DPIA, and data-transfer registry with purpose tags and safeguards.

  • Retention schedules with Deletion/Anonymization Receipts.

  • Key-management & sovereignty diagrams (BYOK/HYOK, HSM/KMS setup).

  • Incident Response dossiers (root cause, timeline, notification evidence).

  • Third-Party/Vendor due-diligence packs, renewal alerts, and risk scores.

  • Quarterly executive/board reports and audit-ready Proof Bundles.


Scope Notes & Guardrails

  • PastWipe is a privacy and security infrastructure platform; certifications (e.g., ISO, SOC 2, PCI RoC) are held by the customer organization and/or hosting environments. The platform accelerates and substantiates audits with strong technical evidence and process discipline.

  • Regulatory references above are for operational alignment and scoping; counsel defines the authoritative obligations for each entity and jurisdiction.

  • RepSec™ is optional; when deployed, it enhances policy enforcement and post-exfiltration controls but is not a prerequisite for the platform.