ISO Statement of Applicability
Effective: March 17, 2026 · DCF-162
1. Purpose
This Statement of Applicability (SOA) is a mandatory component of the H33.ai Information Security Management System (ISMS) as required by ISO 27001:2022 Clause 6.1.3(d). It identifies all ISO 27001:2022 Annex A controls, states whether each control is applicable to H33.ai's operations, provides justification for any exclusions, and documents the implementation status of each applicable control.
2. Scope
This SOA covers the entire scope of the H33.ai ISMS, which encompasses:
- The H33 post-quantum cryptographic authentication platform (FHE, ZK-STARK, ML-DSA/Dilithium)
- Auth1 identity and authentication service (H33 subsidiary)
- All AWS infrastructure (Graviton4 compute, RDS PostgreSQL, ElastiCache Redis, Elastic Beanstalk)
- Corporate IT systems (Microsoft 365, GitLab, Drata, DataDog)
- All personnel, processes, and information assets of H33.ai, Inc.
3. Document Information
| Document Owner | Eric Beans, CEO/CISO |
| Classification | Internal / Audit Evidence |
| ISMS Scope | H33.ai post-quantum authentication platform and supporting infrastructure |
| Standard | ISO/IEC 27001:2022 |
| Total Controls | 93 (Annex A) |
| Applicable | 92 |
| Not Applicable | 1 (A.8.30) |
| Implemented | 92 |
4. Statement of Applicability — Annex A Controls
The following table lists all 93 controls from ISO 27001:2022 Annex A. For each control: App. = Applicable (Y/N), Impl. = Implemented (Y/N).
| Control | Title | App. | Justification / Implementation Details | Impl. |
|---|---|---|---|---|
| A.5 — Organizational Controls | ||||
| A.5.1 | Policies for information security | Y | Information Security Policy published and reviewed annually. Maintained in Drata policy library. Approved by CEO/CISO. | Y |
| A.5.2 | Information security roles and responsibilities | Y | Roles defined: CEO/CISO (Eric Beans) as Security Officer. Responsibilities documented in ISMS role matrix and enforced via Drata personnel tracking. | Y |
| A.5.3 | Segregation of duties | Y | SoD matrix maintained (see DCF-745). Compensating controls in place for small team: Drata continuous monitoring, automated CI/CD controls, GitLab merge request approvals, audit trails. | Y |
| A.5.4 | Management responsibilities | Y | Management commitment documented. CEO/CISO conducts quarterly ISMS reviews. Security objectives set annually and tracked in Drata. | Y |
| A.5.5 | Contact with authorities | Y | Authority contact register maintained (see DCF-744). Includes HHS OCR, FBI Cyber, US-CERT/CISA, FTC, Florida AG. Reviewed annually. | Y |
| A.5.6 | Contact with special interest groups | Y | Active participation in NIST PQC standardization community, FHE.org, IACR. Monitoring NIST SP 800-208 and FIPS 203/204/205 updates. | Y |
| A.5.7 | Threat intelligence | Y | DataDog threat monitoring for infrastructure. AWS GuardDuty enabled. NIST NVD and US-CERT advisories monitored. Post-quantum threat landscape tracked via NIST PQC mailing list. | Y |
| A.5.8 | Information security in project management | Y | Security requirements integrated into all development projects. Threat modeling performed for new features. Security review gates in GitLab CI/CD pipelines. | Y |
| A.5.9 | Inventory of information and other associated assets | Y | Asset inventory maintained in Drata. Covers AWS infrastructure, endpoints, SaaS applications, data stores, cryptographic keys, and code repositories. | Y |
| A.5.10 | Acceptable use of information and other associated assets | Y | Acceptable Use Policy published. Covers endpoint usage, SaaS applications, data handling, and corporate communications. All personnel acknowledge upon onboarding. | Y |
| A.5.11 | Return of assets | Y | Offboarding procedure includes return/wipe of all company assets. Remote wipe capability via endpoint management. Access revocation within 24 hours of termination. | Y |
| A.5.12 | Classification of information | Y | Four-tier classification: Public, Internal, Confidential, Restricted. Cryptographic keys and biometric templates classified as Restricted. Classification guide published. | Y |
| A.5.13 | Labelling of information | Y | Labelling requirements defined per classification tier. Documents include classification headers. Automated labelling in Microsoft 365 via sensitivity labels. | Y |
| A.5.14 | Information transfer | Y | All data in transit encrypted via TLS 1.3 minimum. API communications use ML-KEM/Kyber key encapsulation with AES-256-GCM for payload encryption (post-quantum hybrid encryption). Email secured via Microsoft 365 HIPAA package. | Y |
| A.5.15 | Access control | Y | Role-based access control (RBAC) across all systems. AWS IAM least-privilege policies. Auth1 MFA enforced for all administrative access. Access reviews quarterly. | Y |
| A.5.16 | Identity management | Y | H33.ai identity platform (own product) with post-quantum FHE biometric authentication. Auth1 for workforce identity. Unique identifiers for all users and service accounts. | Y |
| A.5.17 | Authentication information | Y | Passwords meet NIST SP 800-63B requirements (minimum 12 characters). MFA required for all systems. Biometric templates encrypted via BFV FHE (never stored in plaintext). SSH keys rotated quarterly. | Y |
| A.5.18 | Access rights | Y | Access provisioned on need-to-know basis. Quarterly access reviews conducted and documented in Drata. Privileged access requires separate approval. AWS IAM policies enforce least privilege. | Y |
| A.5.19 | Information security in supplier relationships | Y | Vendor security assessment performed prior to engagement. Key suppliers: AWS (SOC 2 Type II, ISO 27001), Microsoft (SOC 2, HIPAA BAA), GitLab (SOC 2), Drata (SOC 2), DataDog (SOC 2). BAAs executed with all HIPAA-relevant vendors. | Y |
| A.5.20 | Addressing information security within supplier agreements | Y | Security requirements included in all vendor contracts. HIPAA Business Associate Agreements in place with AWS, Microsoft 365, and all subprocessors handling PHI. Annual review of supplier compliance. | Y |
| A.5.21 | Managing information security in the ICT supply chain | Y | Supply chain risk assessed for all third-party dependencies. Rust dependency auditing via cargo-audit. AWS shared responsibility model documented. No hardware manufacturing supply chain (cloud-only). | Y |
| A.5.22 | Monitoring, review and change management of supplier services | Y | Supplier SOC 2 reports reviewed annually. AWS Health Dashboard monitored via DataDog. Vendor risk reassessments triggered by material changes. Drata vendor management module tracks compliance status. | Y |
| A.5.23 | Information security for use of cloud services | Y | AWS cloud security architecture documented. Security groups, NACLs, and VPC configurations reviewed quarterly. CloudTrail enabled for all API activity. AWS Config rules enforce baseline compliance. CloudFront CDN with WAF enabled. | Y |
| A.5.24 | Information security incident management planning and preparation | Y | Incident Response Plan documented and tested. Roles defined (CEO/CISO as Incident Commander). Runbooks for common scenarios. Communication templates prepared. Contact authorities register maintained (DCF-744). | Y |
| A.5.25 | Assessment and decision on information security events | Y | Event classification criteria defined (severity levels 1-4). DataDog alerting with automated triage. Security events logged and correlated. Escalation thresholds documented. | Y |
| A.5.26 | Response to information security incidents | Y | Incident response procedures documented: containment, eradication, recovery, lessons learned. HIPAA breach notification procedures included (notification to affected individuals without unreasonable delay and no later than 60 days after discovery; HHS notification per 45 CFR 164.408). Forensic evidence preservation procedures in place. | Y |
| A.5.27 | Learning from information security incidents | Y | Post-incident review (PIR) required for all Severity 1-2 incidents. Root cause analysis documented. Corrective actions tracked in Drata. Lessons learned shared and incorporated into updated procedures. | Y |
| A.5.28 | Collection of evidence | Y | Evidence collection procedures documented. AWS CloudTrail, VPC Flow Logs, and application logs preserved. Chain of custody procedures defined. Log retention minimum 1 year (6 years for HIPAA). | Y |
| A.5.29 | Information security during disruption | Y | Business Continuity Plan addresses security during disruption. AWS multi-AZ deployment ensures availability. RDS automated backups with point-in-time recovery. Security controls maintained during failover scenarios. | Y |
| A.5.30 | ICT readiness for business continuity | Y | Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour. AWS infrastructure supports rapid recovery. RDS automated backups (35-day retention). ElastiCache Redis replication. Disaster recovery tested annually. | Y |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Y | Compliance register maintained: HIPAA, SOC 2 Type II, ISO 27001, Florida breach notification statute (FS 501.171), NIST SP 800-171. Regulatory monitoring via Drata. Legal counsel reviews annually. | Y |
| A.5.32 | Intellectual property rights | Y | All source code owned by H33.ai, Inc. Open-source license compliance tracked. Employee IP assignment agreements executed. Patent-pending post-quantum cryptographic methods documented. | Y |
| A.5.33 | Protection of records | Y | Records management policy defines retention schedules. HIPAA records retained 6 years. Audit logs retained 1 year minimum. Records protected from unauthorized access, modification, and destruction. AWS S3 versioning and MFA delete enabled. | Y |
| A.5.34 | Privacy and protection of PII | Y | Privacy policy published. HIPAA Privacy Rule compliance enforced. Biometric data encrypted via FHE (never decrypted at rest). Data minimization practiced. Privacy impact assessments performed for new processing activities. | Y |
| A.5.35 | Independent review of information security | Y | Annual SOC 2 Type II audit by independent CPA firm. ISO 27001 certification audit planned. Drata continuous monitoring provides independent control validation. Internal audits per DCF-165. | Y |
| A.5.36 | Compliance with policies, rules and standards | Y | Drata continuously monitors compliance with internal policies. Quarterly policy compliance reviews. Non-compliance tracked via nonconformity management process (DCF-566). Automated evidence collection reduces manual gaps. | Y |
| A.5.37 | Documented operating procedures | Y | Operating procedures documented for: deployment (Elastic Beanstalk), monitoring (DataDog), backup/recovery (RDS), incident response, access management, change management. Stored in GitLab and Drata. | Y |
| A.6 — People Controls | ||||
| A.6.1 | Screening | Y | Background checks performed on all personnel prior to employment. Verification of identity, employment history, and criminal record. Proportional to data classification access level. | Y |
| A.6.2 | Terms and conditions of employment | Y | Employment agreements include: confidentiality obligations, acceptable use requirements, security responsibilities, IP assignment, termination obligations. Reviewed and signed at onboarding. | Y |
| A.6.3 | Information security awareness, education and training | Y | Annual security awareness training required for all personnel. HIPAA-specific training completed annually. Role-specific training for development and operations. Training completion tracked in Drata. | Y |
| A.6.4 | Disciplinary process | Y | Disciplinary process documented for security policy violations. Progressive discipline: verbal warning, written warning, suspension, termination. Severity-based response for intentional violations. | Y |
| A.6.5 | Responsibilities after termination or change of employment | Y | Post-employment obligations defined in employment agreements. Confidentiality survives termination. Exit interviews cover security obligations. Non-compete and non-solicitation as applicable. | Y |
| A.6.6 | Confidentiality or non-disclosure agreements | Y | NDAs required for all employees, contractors, and third parties with access to confidential information. Covers proprietary cryptographic algorithms, customer data, and business information. Annual review. | Y |
| A.6.7 | Remote working | Y | Fully remote workforce. Remote work security policy enforced: encrypted endpoints (FileVault/BitLocker), VPN for administrative access, secure home network requirements, approved device policy. Endpoint compliance monitored via Drata agent. | Y |
| A.6.8 | Information security event reporting | Y | All personnel required to report security events immediately to security@h33.ai. Reporting procedures documented in Security Awareness Training. Anonymous reporting option available. No retaliation policy for good-faith reports. | Y |
| A.7 — Physical Controls | ||||
| A.7.1 | Physical security perimeters | Y | Fully remote workforce; no corporate office. Physical security perimeters managed by AWS for data center infrastructure (SOC 2 Type II certified facilities). Remote work environments secured per remote work policy. | Y |
| A.7.2 | Physical entry | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS data centers enforce multi-factor physical access controls, biometric verification, and 24/7 security staffing. | Y |
| A.7.3 | Securing offices, rooms and facilities | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. Home office security guidelines provided to all remote workers. | Y |
| A.7.4 | Physical security monitoring | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS facilities have CCTV, intrusion detection, and 24/7 security monitoring. DataDog monitors infrastructure health. | Y |
| A.7.5 | Protecting against physical and environmental threats | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS data centers designed for fire suppression, flood protection, seismic resilience, and redundant power/cooling. | Y |
| A.7.6 | Working in secure areas | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. Remote workers advised on secure workspace practices (screen privacy, clean desk, locked devices). | Y |
| A.7.7 | Clear desk and clear screen | Y | Clear desk and clear screen policy published. Auto-lock configured (5 minutes). Sensitive information not to be left visible. Enforced through security awareness training and endpoint configuration. | Y |
| A.7.8 | Equipment siting and protection | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. Endpoint devices must use full-disk encryption. Mobile device management enforced. | Y |
| A.7.9 | Security of assets off-premises | Y | All company endpoints encrypted (FileVault/BitLocker). Remote wipe capability. VPN required for administrative access. Asset tracking maintained in Drata inventory. | Y |
| A.7.10 | Storage media | Y | Removable media policy restricts use. Cloud-first data storage (AWS S3, RDS). Media sanitization procedures follow NIST SP 800-88. Encrypted storage required for any local data. | Y |
| A.7.11 | Supporting utilities | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS provides redundant power, UPS, and generator backup. Remote workers advised on UPS for critical devices. | Y |
| A.7.12 | Cabling security | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS manages all data center cabling infrastructure with physical access controls. | Y |
| A.7.13 | Equipment maintenance | Y | Fully remote workforce; physical security managed via AWS data centers and endpoint security policies. AWS manages all infrastructure maintenance. Endpoint updates managed via OS auto-update policies. | Y |
| A.7.14 | Secure disposal or re-use of equipment | Y | Equipment disposal follows NIST SP 800-88 media sanitization guidelines. All drives cryptographically erased before disposal. AWS handles infrastructure decommissioning per their SOC 2 controls. | Y |
| A.8 — Technological Controls | ||||
| A.8.1 | User endpoint devices | Y | Endpoint security policy enforced: full-disk encryption (FileVault/BitLocker), OS auto-update, screen lock (5 min), antivirus/EDR. Endpoint compliance monitored via Drata agent. Approved device list maintained. | Y |
| A.8.2 | Privileged access rights | Y | Privileged access restricted and documented. AWS IAM roles follow least privilege. Root account secured with hardware MFA. Privileged access reviews conducted quarterly. Break-glass procedures documented. | Y |
| A.8.3 | Information access restriction | Y | Access restricted per classification level. AWS IAM policies enforce resource-level permissions. Database access limited to application service accounts. Direct production access requires approval and logging. | Y |
| A.8.4 | Access to source code | Y | Source code hosted on GitLab with role-based access. Protected branches require merge request approvals. Repository access audited quarterly. No public repositories for proprietary code. | Y |
| A.8.5 | Secure authentication | Y | H33 post-quantum biometric authentication (own product): BFV FHE-encrypted biometric matching, ML-DSA/Dilithium attestation, ZK-STARK proof verification. Auth1 MFA for workforce access. FIDO2/WebAuthn supported. No plaintext credential storage. | Y |
| A.8.6 | Capacity management | Y | AWS Auto Scaling configured for production workloads. DataDog monitors CPU, memory, disk, and network utilization. Capacity thresholds trigger automated scaling. Graviton4 metal instances for FHE compute workloads benchmarked at 2.17M auth/sec sustained. | Y |
| A.8.7 | Protection against malware | Y | Endpoint protection deployed on all devices. AWS GuardDuty for infrastructure threat detection. Rust-native codebase reduces the memory-corruption attack surface that malware commonly exploits. cargo-audit for dependency vulnerability scanning in CI/CD. | Y |
| A.8.8 | Management of technical vulnerabilities | Y | Vulnerability management program: cargo-audit in CI/CD pipeline, Amazon Inspector for infrastructure scanning, DataDog security monitoring. Critical vulnerabilities patched within 72 hours. Monthly vulnerability reviews. | Y |
| A.8.9 | Configuration management | Y | Infrastructure as code (Elastic Beanstalk configurations). Baseline configurations documented. AWS Config rules monitor drift. Configuration changes tracked via GitLab version control. Hardening baselines per CIS benchmarks. | Y |
| A.8.10 | Information deletion | Y | Data retention and deletion policies defined per classification and regulatory requirements. HIPAA: 6-year retention. Automated data lifecycle management. Cryptographic erasure for FHE-encrypted data (key destruction). | Y |
| A.8.11 | Data masking | Y | Biometric data processed exclusively under FHE encryption (never decrypted server-side). PII masked in logs. Test environments use synthetic data. Database queries return only necessary fields (projection). | Y |
| A.8.12 | Data leakage prevention | Y | Microsoft 365 DLP policies configured. GitLab secret scanning enabled. AWS Macie monitors S3 for sensitive data. Egress filtering on production VPC. FHE architecture prevents server-side exposure of biometric data (ciphertexts are never decrypted during processing). | Y |
| A.8.13 | Information backup | Y | RDS PostgreSQL: automated daily backups with 35-day retention, point-in-time recovery enabled. ElastiCache Redis: daily snapshots. S3: versioning and cross-region replication for critical data. Backup restoration tested quarterly. | Y |
| A.8.14 | Redundancy of information processing facilities | Y | AWS multi-AZ deployment for RDS and ElastiCache. Elastic Beanstalk health monitoring with auto-replacement. CloudFront CDN with global edge locations. No single points of failure in production architecture. | Y |
| A.8.15 | Logging | Y | Comprehensive logging: AWS CloudTrail (API activity), VPC Flow Logs (network), application logs (structured JSON), Auth1 authentication events. Logs shipped to centralized DataDog. Tamper-evident log storage in S3 with object lock. | Y |
| A.8.16 | Monitoring activities | Y | DataDog infrastructure monitoring (CPU, memory, disk, network, application metrics). AWS GuardDuty for threat detection. CloudWatch alarms for operational thresholds. Drata continuous compliance monitoring. 24/7 alerting configured. | Y |
| A.8.17 | Clock synchronization | Y | All AWS instances synchronized via Amazon Time Sync Service (NTP). Chrony configured on EC2 instances. Time source: GPS and atomic clocks via AWS. Log timestamps in UTC. Drift monitoring via DataDog. | Y |
| A.8.18 | Use of privileged utility programs | Y | Privileged utility use restricted and logged. SSH access to production requires key-based authentication. Administrative tools limited to authorized personnel. Privileged AWS API activity logged via CloudTrail; interactive administrative sessions captured via session recording. | Y |
| A.8.19 | Installation of software on operational systems | Y | Software installation on production systems controlled via Elastic Beanstalk deployment pipeline. No manual installations. CI/CD pipeline enforces build reproducibility. Endpoint software installation governed by acceptable use policy. | Y |
| A.8.20 | Networks security | Y | AWS VPC with private subnets for databases and application servers. Security groups restrict inbound/outbound traffic. NACLs provide additional network segmentation. VPC Flow Logs enabled. WAF on CloudFront. | Y |
| A.8.21 | Security of network services | Y | All network services encrypted (TLS 1.3). AWS PrivateLink for inter-service communication where applicable. API Gateway with rate limiting and authentication. DDoS protection via AWS Shield Standard. | Y |
| A.8.22 | Segregation of networks | Y | Production, staging, and development environments in separate AWS VPCs. Database subnets isolated (private, no internet gateway). Security groups enforce micro-segmentation. No cross-environment network paths. | Y |
| A.8.23 | Web filtering | Y | CloudFront WAF rules filter malicious web traffic. Rate limiting on API endpoints. Bot detection enabled. OWASP Top 10 protection rules active. Egress filtering on production instances. | Y |
| A.8.24 | Use of cryptography | Y | Post-quantum cryptographic architecture: BFV Fully Homomorphic Encryption (lattice-based, H33-128 security), ML-DSA/Dilithium digital signatures (FIPS 204), ML-KEM/Kyber key encapsulation (FIPS 203), ZK-STARKs (SHA3-256). AES-256-GCM for symmetric encryption. ML-KEM and ML-DSA implementations follow the NIST PQC standards (FIPS 203 and FIPS 204); BFV FHE and ZK-STARKs are not NIST-standardized primitives. Key management via AWS KMS and application-level key hierarchy. Cryptographic agility designed for algorithm migration. | Y |
| A.8.25 | Secure development life cycle | Y | Secure SDLC enforced: threat modeling in design, secure coding standards (Rust memory safety), static analysis in CI/CD, dependency scanning (cargo-audit), code review via GitLab merge requests, security testing before deployment. | Y |
| A.8.26 | Application security requirements | Y | Security requirements defined for all applications. Input validation, output encoding, authentication, authorization, cryptographic controls, error handling, and logging requirements documented. OWASP ASVS Level 2 target. | Y |
| A.8.27 | Secure system architecture and engineering principles | Y | Zero-trust architecture principles applied. Defense in depth: FHE (biometric data never decrypted server-side), ZK-STARKs (zero-knowledge verification), Dilithium (post-quantum signatures). Microservice isolation. Least privilege. Fail-secure defaults. | Y |
| A.8.28 | Secure coding | Y | Rust programming language for core cryptographic operations (memory safety by design). Secure coding guidelines documented. Code reviews required for all changes. No unsafe Rust blocks without explicit justification and review. SAST integrated in CI/CD. | Y |
| A.8.29 | Security testing in development and acceptance | Y | Automated testing suite: unit tests, integration tests, cryptographic correctness tests (known-answer tests). Criterion benchmarks verify performance invariants. Security regression testing in CI/CD. Acceptance testing before production deployment. | Y |
| A.8.30 | Outsourced development | N | Not Applicable. All development is performed in-house by H33.ai employees. No outsourced development activities. All source code is authored, reviewed, and maintained internally. Should outsourced development be engaged in the future, this control will be reassessed and appropriate controls implemented. | — |
| A.8.31 | Separation of development, test and production environments | Y | Separate AWS environments: development, staging, production. Each environment has isolated VPCs, separate databases, and distinct IAM roles. No production data in development/test environments (synthetic data used). Deployment promotion via CI/CD pipeline only. | Y |
| A.8.32 | Change management | Y | Change management process: GitLab merge requests with required approvals, CI/CD pipeline validation, staging deployment and testing, production deployment via Elastic Beanstalk managed updates. Emergency change procedures documented. All changes logged and auditable. | Y |
| A.8.33 | Test information | Y | Production data not used in test environments. Synthetic biometric templates generated for testing. Test data generation scripts maintained. Data masking applied if production-like data is ever needed for debugging (requires approval). | Y |
| A.8.34 | Protection of information systems during audit testing | Y | Audit testing performed in controlled manner. Production audit activities scheduled during low-traffic periods. Audit tools and access limited to authorized auditors. Audit evidence collected via Drata automated controls where possible to minimize production impact. | Y |
5. Summary of Exclusions
| A.8.30 | Outsourced Development — All development is performed in-house. No outsourced development contracts exist or are planned. This exclusion will be reassessed if development activities are outsourced in the future. |
6. SOA Revision History
| Rev 1.0 | March 17, 2026 — Initial SOA created for ISO 27001:2022 certification. All 93 Annex A controls assessed. 92 applicable, 1 excluded (A.8.30). |
7. Approval
| Prepared By | Eric Beans, CEO/CISO |
| Approved By | Eric Beans, CEO/CISO |
| Approval Date | March 17, 2026 |
| Next Review | March 17, 2027 (or upon material change to ISMS scope) |
| Signature | /s/ Eric Beans |
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945