© 2026 LyDos · Stop prompting. Start orchestrating.
Trust Center · Compliance posture
The 14 compliance frameworks LYDOS positions itself against. Each one is rendered with its honeststatus — including the ones we’ve declined to pursue and the ones still on roadmap. Marketing surfaces link here; if a claim on another LYDOS page conflicts with the chip on this page, this page is the source of truth (KURAL 13).
Audited
0
In scope
8
Roadmap
5
Won't pursue
1
AICPA
Security, Availability, Confidentiality, Processing Integrity, Privacy Trust Services Criteria.
Why this status: Q226 SOC 2 readiness engine wires the 25 TSC controls into the platform; ASR audit chain provides the immutable evidence trail. Type I observation window opens once the first external auditor engagement begins.
Verifiable in: core/q226_*.py + /api/q226/soc2/*
ISO/IEC
Information Security Management System — Annex A 93 controls.
Why this status: ISMS controls mapped against the sovereign stack; control matrix tracked in compliance/audit. Stage 1 certification audit not yet scheduled.
Verifiable in: compliance/audit/iso27001-control-matrix.md (in preparation)
ISO/IEC
Cloud-services-specific extension to 27002.
Why this status: Bundled with ISO 27001 Stage 2 audit. Single-VPS deployment posture means the cloud-shared-responsibility split is fully internal — codified after the 27001 report issues.
Verifiable in: compliance/audit/iso27017-readiness.md (planned)
ISO/IEC
Protection of PII in public clouds acting as PII processors.
Why this status: Bundled with ISO 27001 + 27017 audit cycle. PII handling already encrypted at rest via AES-256-GCM vault.
Verifiable in: core/integrations/cross_surface_vault.py + ASR redaction policy
ISO/IEC
Privacy Information Management System extension to 27001.
Why this status: Mapped against GDPR + KVKK control set; certification deferred until 27001 Stage 2 issues.
Verifiable in: compliance/audit/iso27701-roadmap.md (planned)
EDPB / national DPAs
EU general data protection regulation — data subject rights, lawful basis, DPA contracts.
Why this status: DSAR/right-to-erasure endpoints live; data-processing addendum template available; SCCs in place for sub-processors. Customer-chosen Frankfurt/Helsinki deployment satisfies data-residency requirements out of the box.
Verifiable in: core/routes/legal_routes.py + /legal/dpa + ASR audit chain
KVKK (Kişisel Verilerin Korunması Kurumu)
Turkish Personal Data Protection Law — VERBİS registration + data subject rights.
Why this status: VERBİS registration completed; Turkish-language privacy notices + KVK contact (kvk@ailydian.com) live in legal_routes. Customer-chosen Istanbul deployment available for in-country residency.
Verifiable in: core/routes/legal_routes.py (KVKK section)
U.S. Health and Human Services / OCR
U.S. health information protection — Security Rule, Privacy Rule, Breach Notification.
Why this status: BAA-eligible deployment template live; PHI table set + immutable trigger + KSL-signed access ledger active in PG. Zero production PHI traffic yet — Sprint 12 audit recorded 0 PHI records. BAA signature is a per-customer onboarding step.
Verifiable in: scripts/migrations/2026_05_hipaa_phi_tables.sql + Q226 evidence
PCI Security Standards Council
Payment card industry data security — applies to environments storing/processing/transmitting CHD.
Why this status: LYDOS never stores, processes, or transmits cardholder data directly. All payment flows tokenise via Stripe; the merchant of record bears PCI DSS responsibility. SAQ-A scope only.
Verifiable in: core/integrations/stripe_*.py — no PAN/CVV ever in process memory
U.S. NIST
Govern · Identify · Protect · Detect · Respond · Recover function set.
Why this status: Sovereign stack maps 1:1 onto the CSF 2.0 functions; LSIA immunity engine supplies Respond/Recover automation. Self-assessment maintained, no third-party attestation (NIST CSF is not a certification regime).
Verifiable in: compliance/audit/nist-csf-2-mapping.md (in preparation)
European AI Office
Risk-classification + GP-AI model obligations for AI systems in the EU market.
Why this status: Q202 risk classifier annotates every AI decision with a tier; ASR records the classification on the immutable audit chain. Conformity assessment package tracked against the 2026-08-02 GP-AI obligation deadline.
Verifiable in: core/q202_*.py + /control/governance/eu-ai-act-risk-distribution
National CSIRTs (per Member State)
Cybersecurity baseline for essential and important entities operating in the EU.
Why this status: Controls largely covered by ISO 27001 in-scope work; per-MS incident reporting wiring deferred until customer base includes a regulated essential entity.
Verifiable in: compliance/audit/nis2-readiness.md (planned)
California Privacy Protection Agency
California consumer privacy rights — access, deletion, opt-out of sale/sharing.
Why this status: Consumer rights endpoints reuse the GDPR DSAR pipeline; opt-out of sale/sharing is N/A — LYDOS does not sell or share personal information.
Verifiable in: core/routes/legal_routes.py + ASR redaction policy
U.S. GSA FedRAMP PMO
U.S. federal authorisation regime for cloud service providers.
Why this status: Phase 0 readiness prep only — no ATO. 24–36 month timeline contingent on sponsor agency. NIST SP 800-53 Rev 5 control matrix in preparation. No marketing surface may claim FedRAMP authorisation until the ATO issues.
Verifiable in: compliance/audit/fedramp-phase-0-readiness.md (in preparation)
For auditors and procurement: The Python registry at core/integrations/compliance_frameworks.py is the load-bearing source of truth. It refuses to import if a status changes to audited without a third-party report id, or to will_not_pursue without a stated reason. A CI drift gate (tests/test_sprint37_phase3_compliance_canonical.py) keeps the TypeScript mirror this page reads from in sync with the Python registry, slug-for-slug and status-for-status.
