Audit Logging
Complete, immutable audit trail of all actions with automatic secret redaction.
Rack Gateway is designed with compliance in mind, providing the controls and audit capabilities needed for SOC 2, HIPAA, and other regulatory frameworks.
- Access Controls: Role-based access control with least privilege enforcement.
- Data Protection: Encryption at rest and in transit, with optional S3 WORM storage.
- SOC 2 Alignment: Controls mapped to SOC 2 Trust Services Criteria.
Logical access controls:

| Control | Implementation | Evidence |
|---|---|---|
| Unique user identification | Google OAuth with email | User records |
| Multi-factor authentication | TOTP, WebAuthn, YubiKey | MFA enrollment records |
| Access control | RBAC with 5 roles | Role assignments |
| Session management | Configurable timeouts | Session records |
| Password policy | Delegated to Google Workspace | N/A (no local passwords) |
Logging and monitoring controls:

| Control | Implementation | Evidence |
|---|---|---|
| Activity logging | All API requests logged | Audit log entries |
| User actions | Who did what, when | Audit trail |
| Access attempts | Successful and failed | RBAC decisions |
| Secret protection | Automatic redaction | Redacted logs |
| Log integrity | S3 WORM storage | Object Lock |
Data protection controls:

| Control | Implementation | Evidence |
|---|---|---|
| Encryption in transit | TLS 1.2+ required | HTTPS configuration |
| Encryption at rest | AWS KMS for S3 | KMS key policy |
| Data retention | Operator-managed retention | Retention policy docs |
| Data deletion | Manual purge | Database procedures |
Rack Gateway provides controls that support compliance with:

| Framework | Alignment Level | Key Features |
|---|---|---|
| SOC 2 Type II | Strong | Full audit trail, RBAC, MFA, encryption |
| HIPAA | Partial | Access controls, audit logging, encryption |
| PCI DSS | Partial | Access controls, logging, secure configuration |
| ISO 27001 | Partial | Information security controls |
| GDPR | Partial | Access controls, audit trail |
For compliance audits, Rack Gateway provides:
Use the admin API or direct SQL:

```bash
# API: last 7 days for a user
curl -H "Authorization: Bearer TOKEN" \
  "https://gateway.example.com/api/v1/audit-logs?user=alice@example.com&range=7d"
```

Fields in the per-user access report:

| Field | Description |
|---|---|
| User email | Unique identifier |
| Role | Current role assignment |
| Last login | Most recent authentication |
| MFA status | Enrolled methods |
| API tokens | Number of active tokens |

Fields in the activity summary report:

| Field | Description |
|---|---|
| Date range | Reporting period |
| Total events | Number of audit entries |
| Unique users | Active users |
| Top actions | Most common operations |
| Denied requests | RBAC denials |
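As an added example, not code from Rack Gateway: a small Ruby sketch of the two reporting behaviours described above, secret redaction applied to an audit entry before it is stored, and the activity summary fields (total events, unique users, top actions, denied requests) computed over a date range. The JSON-lines entry format, the field names and the set of secret-looking keys are assumptions, and the log lines are constructed.

```ruby
require 'json'
require 'time'

# Constructed sample audit entries, one JSON object per line (not real gateway output).
SAMPLE_LOG = <<~LOG
  {"ts":"2024-03-01T10:00:00Z","user":"alice@example.com","action":"power.cycle","result":"allowed","params":{"host":"rack-01","api_key":"sk-live-123456"}}
  {"ts":"2024-03-02T11:30:00Z","user":"bob@example.com","action":"bmc.console","result":"denied","params":{"host":"rack-02"}}
  {"ts":"2024-03-03T09:15:00Z","user":"alice@example.com","action":"power.cycle","result":"allowed","params":{"host":"rack-03","Authorization":"Bearer abc.def.ghi"}}
  {"ts":"2024-03-09T08:00:00Z","user":"carol@example.com","action":"user.role.update","result":"allowed","params":{"target":"dave@example.com","role":"viewer"}}
LOG

# Assumed list of key names that denote credentials; matched case-insensitively.
SECRET_KEYS = /authorization|token|secret|password|api_key/i

# Replace the value of any credential-looking key; recurses into nested hashes and arrays.
def redact(obj)
  case obj
  when Hash  then obj.to_h { |k, v| [k, k.to_s.match?(SECRET_KEYS) ? '[REDACTED]' : redact(v)] }
  when Array then obj.map { |v| redact(v) }
  else obj
  end
end

# Parse JSON lines and redact each entry before it would be written to the audit store.
def parse_entries(text)
  text.each_line.map { |line| redact(JSON.parse(line)) }
end

# Activity summary for entries whose timestamp falls within [from, to].
def activity_summary(entries, from:, to:)
  window = entries.select { |e| (from..to).cover?(Time.iso8601(e['ts'])) }
  counts = window.group_by { |e| e['action'] }.transform_values(&:size)
  {
    'date_range'      => "#{from.iso8601}/#{to.iso8601}",
    'total_events'    => window.size,
    'unique_users'    => window.map { |e| e['user'] }.uniq.size,
    # Most common operations first; ties broken alphabetically for a stable report.
    'top_actions'     => counts.sort_by { |action, n| [-n, action] }.first(3).map(&:first),
    'denied_requests' => window.count { |e| e['result'] == 'denied' },
  }
end
```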