Vauban / Trust Center

Compliance Matrix

Vauban targets multi-regulation compliance with an asymmetric timing window for institutional positioning. The Phase 0 done_when target is Q4 2026, i.e. just AFTER EU AI Act and Colorado AI Act enforcement.

Compliance Matrix

| Regulation | Enforcement date | Vauban status | Coverage | Evidence |
|---|---|---|---|---|
| EU AI Act (Article 12 audit trail) | August 2026 | 🟡 Phase 0 in progress | Brain decision chains anchored L3 (sprint-483 pattern) | eu-ai-act-readiness |
| Colorado AI Act | June 2026 | 🟡 Phase 0 in progress | Same audit trail | colorado-ai-act-readiness |
| GDPR | Active since 2018 | 🟡 Phase 0; per-product DPIA Phase 1+ | DPO contact + sub-processors documented | sub-processors + DPIA roadmap |
| eIDAS (EU digital identity) | Phase 1+ | 🟡 Glacis Identity Phase 1+ target | Post-quantum signatures + Glacis sub-charter Phase 1+ | TBD Phase 1+ |
| DORA (Digital Operational Resilience Act) | Active 2026 | 🟡 Vauban Finance applicable | DR runbooks sprint-487 sealed + multi-region failover Phase 1+ | DR runbooks |
| NIS2 (Network and Information Security 2) | Active 2026 | 🟡 Vauban Auth + Vauban Finance applicable | Incident response SLA + audit trail | .claude/rules/core/incident-response.md |
| CSPN Visa (ANSSI) | Phase 0 done_when target Q4 2026 | 🟡 Dossier in preparation | Pair 2 standards engagement + Rempart audit firm partnership | docs/standards/ (Pair 2 deep RETAINED) |
| SOC2 Type II | Phase 2+ post-CSPN visa | ⏳ Planned Phase 2+ | Audit firm selection Phase 1+ | TBD Phase 2+ |
| ISO 27001 | Phase 2+ | ⏳ Planned Phase 2+ | Audit firm selection Phase 1+ | TBD Phase 2+ |
| AFNOR commission identité numérique 2026 | Active 2026 | 🟡 Standards engagement (per ADR-ECO-011) | Mirror committee participation | docs/standards/ |
| Arcom annex (audiovisual) | TBD per applicable product | ⏳ TBD | Per Pair 4 legal RETAINED | docs/legal/ |

Legend : 🟢 Compliant + audited · 🟡 In progress · ⏳ Planned · ❌ Gap

EU AI Act: Article-by-Article Coverage

Article 9 Risk Management

  • Status : 🟡 Active
  • Evidence : governance/threat-model/per-product-surface.md (scoring across 10 F-THREAT × 14 products) + docs/threat-model/* Pair 5 deep
  • Risk register : governance/risks/ecosystem-risk-register.md

Article 10 Data Governance

  • Status : 🟢 Active (Brain Protocol — implemented 2026-05-21)
  • Evidence :
    • .claude/rules/core/security-boundaries.md (no PII unencrypted, validate boundaries) + ZK Privacy patterns
    • PII auto-classification : Brain Protocol pre-archive hook (Microsoft Presidio + Haiku 4.5 fallback) classifies every archived entry — pii_classified_at + sensitivity_label persisted (sprint-728, ADR-ECO-018 §3)
    • Data-at-rest encryption : AES-256-GCM envelope encryption for confidential/secret entries via HKDF-SHA256 per-tenant KEK (ADR-040, sprint-729/730) — kek_id IS NOT NULL verifiable in prod DB

Article 11 Technical Documentation

  • Status : 🟢 Active
  • Evidence : governance/architecture/00-vision-framework-canonical.md + docs/architecture/ Pair 1 deep + 14 charters

Article 12 Audit Trail (Record Keeping)

  • Status : 🟢 Active
  • Evidence : Brain Protocol decision chains (986+ entries) anchored L3 Cairo MerkleAnchor mainnet (sprint-483 universal proof-layer pattern sealed 2026-04-23)

Article 13 Transparency

  • Status : 🟢 Active
  • Evidence : This Trust Center (10 structured pages, self-hosted Astro static site) + 14 public charters + 13 public ADR-ECO

Article 14 Human Oversight

  • Status : 🟢 Active
  • Evidence : governance/council/charter.md (founder-solo Phase 0 → 3-person quorum Phase 1+) + .claude/rules/ai/tiered-gates.md (T1-T4 capability tiers; T4 requires founder approval + L3 anchor)

Article 15 Accuracy, Robustness, Cybersecurity

  • Status : 🟢 Active
  • Evidence : .claude/rules/core/craft-standards.md (Robust + Reusable + Resilient + Anti-fragile + Quality) + .claude/rules/security/mcp-tool-hardening.md + axiom Robuste enforcement

GDPR Coverage

Data Subject Rights

  • Right to access : DPO contact dpo@vauban.tech
  • Right to erasure (Art. 17) : 🟢 Brain Protocol — crypto-shred endpoint live (DELETE /v1/tenants/:id/shred, admin-gated, returns tombstone + ciphertext inert). Implemented sprint-728, ADR-ECO-018 §5.
  • Right to portability : Brain export + audit reports portable Markdown

Data Processing

  • Sub-processors : sub-processors
  • Data flows : per-product DPIA Phase 1+
  • Retention policies : 🟢 Brain Protocol — 2-phase retention cron active (RETENTION_CRON_ENABLED=true). Sensitivity-based TTL: PII 30 days, confidential 365 days, internal 730 days, followed by a 7-day grace period, then shred. Implemented sprint-728, ADR-ECO-018 §4.

Cross-references

  • EU AI Act details : governance/compliance/eu-ai-act-readiness.md
  • Colorado AI Act details : governance/compliance/colorado-ai-act-readiness.md
  • Per-product roadmap : governance/compliance/per-product-roadmap.md
  • Threat model : governance/threat-model/per-product-surface.md
  • Council process : governance/council/charter.md
  • Tiered gates : .claude/rules/ai/tiered-gates.md
  • Audit reports : audit-reports.md
  • Sub-processors : sub-processors.md