Compliance Matrix
As of Q2 2026. Mapped to product behaviors and the docs anchors that prove them.
This page exists so that GRC reviewers can answer the question "where in your platform does this control live?" without reading the entire site. Every cell links to the canonical doc page that documents the behavior.
The mapping below covers the product behaviors Trinitite is responsible for. Customer-side controls (e.g. workforce training, physical security at your offices) are out of scope and remain your responsibility. Trinitite's Trust Center covers the company-side controls (subprocessors, retention, key custody, etc.).
| Status | Meaning |
|---|---|
| COVERED | The control is implemented and observable in the platform. |
| PARTIAL | The control is partially supported; the customer is responsible for the remainder. |
| SHARED | A shared-responsibility control. Trinitite provides the substrate; the customer configures it. |
SOC 2 (CC, A, C, P)
| Control | Status | Where in Trinitite |
|---|---|---|
| CC1.x — Control environment | SHARED | Trust Center — company-side governance. |
| CC2.x — Communication & information | COVERED | Glass Box Ledger, Observability. |
| CC3.x — Risk assessment | COVERED | Threat Library, Test Suites, Benchmarks. |
| CC4.x — Monitoring | COVERED | Observability (three streams), Governance Controls. |
| CC5.x — Control activities | COVERED | Governance Controls L0-L6. |
| CC6.x — Logical access | COVERED | Identity & RBAC, NHI Governance. |
| CC7.x — System operations | COVERED | Self-hosting, Governance Controls. |
| CC8.x — Change management | COVERED | Config-audit events in the Glass Box Ledger. |
| CC9.x — Risk mitigation | COVERED | Federated Defense. |
| A1 — Availability | COVERED | SLA & Limits. |
| C1 — Confidentiality | COVERED | Trust Center, TLS-in-transit, customer-managed KMS option. |
| P-series — Privacy | COVERED | PII Guardian recipe, DSR for AI. |
HIPAA
| Safeguard | Status | Where in Trinitite |
|---|---|---|
| §164.308(a)(1) — Security management | SHARED | Trinitite provides the technical substrate; customer designates roles. |
| §164.308(a)(3) — Workforce security | SHARED | RBAC. |
| §164.308(a)(4) — Information access | COVERED | RBAC, NHI Governance. |
| §164.308(a)(5) — Security awareness training | SHARED | Customer responsibility. |
| §164.310 — Physical safeguards | SHARED | Trust Center for company-side; customer for their environment. |
| §164.312(a) — Access control | COVERED | RBAC, Sessions. |
| §164.312(b) — Audit controls | COVERED | Glass Box Ledger. |
| §164.312(c) — Integrity | COVERED | Merkle-chained ledger, replay verdict taxonomy. |
| §164.312(e) — Transmission security | COVERED | TLS 1.3, mTLS optional. |
| §164.514 — De-identification | COVERED | PII Guardian recipe. |
| BAA | COVERED | Available to enterprise customers. |
GDPR
| Article | Status | Where in Trinitite |
|---|---|---|
| Art. 5 — Principles | COVERED | Purpose-limitation enforced via per-NHI scopes; minimization via PII Guardian. |
| Art. 6 — Lawful basis | SHARED | Customer determines lawful basis; Trinitite preserves it via the Glass Box Ledger. |
| Art. 15 — Right of access | COVERED | DSR-for-AI endpoint surfaces every Guardian decision touching a subject. |
| Art. 17 — Right to erasure | COVERED | Crypto-shredding of subject material; ledger receipts retained as required. |
| Art. 22 — Automated decision-making | COVERED | Every Guardian decision is reviewable and replayable; human review path documented. |
| Art. 25 — Data protection by design | COVERED | Default-on Guardian, default-on PII redaction, default-on retention. |
| Art. 30 — Records of processing | COVERED | Glass Box Ledger. |
| Art. 32 — Security of processing | COVERED | TLS, KMS, audit, breaker hierarchy. |
| Art. 35 — DPIA | COVERED | Template + supporting evidence available in the Trust Center. |
EU AI Act
| Requirement | Status | Where in Trinitite |
|---|---|---|
| Art. 9 — Risk management system | COVERED | Threat Library, Test Suites. |
| Art. 10 — Data and data governance | COVERED | Skill Vault provenance, training-data SBOM. |
| Art. 12 — Record-keeping | COVERED | Glass Box Ledger. |
| Art. 13 — Transparency to deployers | COVERED | Per-Guardian model cards (on the roadmap). |
| Art. 14 — Human oversight | COVERED | Governance Controls L0-L6. |
| Art. 15 — Accuracy, robustness, cybersecurity | COVERED | Architecture (batch-invariant determinism), Benchmarks. |
| Art. 17 — Quality management system | COVERED | Trust Center. |
| Art. 26 — Obligations of deployers | SHARED | Trinitite enables; deployer configures. |
| Art. 50 — Transparency obligations | COVERED | Watermarking and disclosure helpers in Cookbook. |
| Regulatory change feed | COVERED | Compliance Architecture — subscribe to delegated-acts updates. |
NIST AI RMF (Govern / Map / Measure / Manage)
| Function — sub-function | Status | Where in Trinitite |
|---|---|---|
| Govern 1.x — Policies & procedures | COVERED | Policy Intelligence, Governance Controls. |
| Govern 4.x — Roles, responsibilities | COVERED | Identity & RBAC. |
| Map 1.x — Context establishment | COVERED | Per-NHI tier ladder, per-tool Guardians. |
| Map 5.x — Impact assessment | COVERED | Threat Library, Test Suites. |
| Measure 1.x — Test, evaluation, validation, verification | COVERED | Testing & Simulation, Benchmarks. |
| Measure 2.x — Performance characteristics | COVERED | Observability (RAG telemetry, replay verdict taxonomy). |
| Measure 3.x — Tracking emergent risks | COVERED | Federated Defense. |
| Manage 1.x — Risk treatment | COVERED | Governance Controls. |
| Manage 4.x — Documentation, monitoring | COVERED | Glass Box Ledger. |
What's next
→ Trust Center — company-side controls, subprocessors, key custody.
→ Compliance Architecture — how the platform structures evidence.
→ Glass Box Ledger — the substrate every audit relies on.