Compliance · Documentation Library

40 Operating Policies, One Library

The full H33 compliance documentation set — every policy, procedure, and record the platform operates against. Spans HIPAA, ISO 27001, PCI DSS, and operational security. Each document is a live record, not a marketing page.

40 Documents · 4 Frameworks · 9 Topic groups · Production posture: Live

Frameworks:
HIPAA: 8 docs · Privacy & security rule
ISO 27001: 8 docs · ISMS + Annex A
SOC 2: Crosswalk · ops controls
PCI DSS: 1 doc · cardholder data flow

HIPAA Privacy & Security

HIPAA — Privacy Rule, Security Rule, Breach Notification

PHI handling, breach response, business-associate controls, and the supporting role designations.

ISO 27001 · ISMS + Annex A

ISO 27001 — ISMS Plan, Statement of Applicability, Management Reviews

The complete ISMS evidence chain: scope, plan, SoA, internal audits, management reviews, and nonconformity management.

PCI DSS

PCI DSS — Cardholder Data Scope

Scope and data-flow documentation for PCI DSS environments.

Audit & Monitoring

Audit Trails, Monitoring, Security Events

Retention, access, monitoring activities, and remediation tracking — the audit posture H33 operates against.

Access & Credentials

Credential Management, Key Storage, Duties

Identity, secrets, and the separation of privilege.

Engineering & Software

Secure Coding, SDLC, Software Inventory

Engineering controls and the documented software supply chain.

Threat Intelligence & Communications

Threat Intelligence, External Coordination, Email Hygiene

External-facing security posture: who we coordinate with, how we filter, how we respond.

Operations & Continuity

BIA, Cloud Security, Time, Records of Processing

The foundational operational posture: continuity, time integrity, cloud posture, processing records.

Media & Asset Handling

Media Handling, Inventory

Asset lifecycle and physical/logical media controls.

How this maps to the receipt

Every operating policy here is enforced at the substrate level — the H33-Root authority bindings (instruction, authority, execution) reject any agent action not bound to an active policy and a valid receipt. The documents are the evidence layer; the substrate is the enforcement. See the architecture, H33-Root, and the cryptographic audit trail.

Next step

Need a specific control crosswalk? The conformance suite maps each policy to ISO 27001 Annex A controls, HIPAA Security Rule sections, and the underlying H33 substrate enforcement points.