
Segregation of Duties

Effective: March 17, 2026 · DCF-745

1. Purpose

This document defines the Segregation of Duties (SoD) policy and matrix for H33.ai, Inc., as required by ISO 27001:2022 Control A.5.3. Segregation of duties reduces the risk of unauthorized or unintentional modification, misuse, or loss of information assets by ensuring that no single individual has control over all phases of a critical process.

H33.ai acknowledges that as a small organization (currently a single-person team), full segregation of duties across all functions is not feasible. Where complete separation is not possible, compensating controls have been implemented to mitigate the associated risks to an acceptable level.

2. Policy Statement

H33.ai shall separate conflicting duties and areas of responsibility to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets. Where full segregation is not achievable due to organizational size, compensating controls shall be implemented that provide equivalent risk mitigation, including:

  • Automated monitoring and alerting via Drata and DataDog
  • Immutable audit trails (AWS CloudTrail, application logs)
  • Automated CI/CD pipeline controls (GitLab)
  • Independent external audits (SOC 2 Type II, ISO 27001)
  • Quarterly review of all compensating controls for continued effectiveness

3. Segregation of Duties Matrix

The following matrix identifies conflicting function pairs, the current assignment, the risk level of combining functions, and the compensating controls in place. Risk levels: High (significant fraud/error risk), Medium (moderate risk, standard for small orgs), Low (minimal additional risk with controls).

Function A | Function B (Conflicting) | Current Assignment | Risk | Compensating Controls
--- | --- | --- | --- | ---
Code Development | Production Deployment | Both: Eric Beans | High | GitLab CI/CD pipeline enforces automated build, test, and deployment. No manual production deployments. All changes committed to version control with full audit trail. Elastic Beanstalk managed deployments with automated rollback on health check failure. Drata monitors deployment pipeline configuration.
Code Authoring | Code Review / Approval | Both: Eric Beans | High | GitLab merge request workflow enforced (all changes via MRs, not direct push to protected branches). Automated CI/CD checks (cargo test, cargo clippy, cargo audit) must pass before merge. Protected branch rules prevent force-push. All commits signed and logged. External SOC 2 auditor reviews SDLC controls. Rust compiler enforces memory safety (eliminates entire classes of vulnerabilities).
Access Provisioning | Access Approval | Both: Eric Beans | Medium | AWS IAM policies follow the least-privilege principle with pre-defined role templates. Access changes logged in AWS CloudTrail (immutable audit trail). Quarterly access reviews documented in Drata. Drata agent monitors endpoint and SaaS access configuration continuously. All IAM policy changes trigger DataDog alerts.
Security Monitoring | Security Administration | Both: Eric Beans | Medium | DataDog provides independent, automated infrastructure monitoring with tamper-evident logs. AWS GuardDuty operates independently (managed by AWS). AWS CloudTrail logs are stored in S3 with object lock (cannot be modified or deleted). Drata continuously monitors compliance controls independently. Security configuration changes generate automated alerts to separate notification channels.
Financial Transactions | Financial Approval | Both: Eric Beans | Medium | Stripe handles all payment processing with built-in fraud detection and audit trails. AWS billing monitored via AWS Cost Explorer with budget alerts. Financial transactions limited to pre-approved vendor payments and Stripe-processed customer payments. Bank account requires multi-factor authentication. Monthly financial reconciliation documented. External accountant reviews financial records.
Backup Administration | Backup Verification | Both: Eric Beans | Low | AWS RDS automated backups (managed by AWS; they cannot be disabled without the change being recorded in CloudTrail). Backup completion verified via automated AWS RDS monitoring and DataDog alerts. Quarterly backup restoration tests documented with evidence in Drata. S3 versioning and MFA delete protect backup data from unauthorized deletion.
Incident Investigation | Incident Response Authority | Both: Eric Beans | Medium | All incident data preserved in immutable logs (CloudTrail, DataDog). Post-incident reviews documented and stored in Drata. External SOC 2 auditor reviews incident management process and evidence. Incident timeline reconstruction possible from independent log sources. Authority contact procedures documented (DCF-744) with external reporting obligations that provide independent oversight.
ISMS Policy Development | ISMS Compliance Auditing | Both: Eric Beans | High | External ISO 27001 certification auditor provides independent assessment. External SOC 2 Type II auditor provides independent control testing. Drata automated monitoring validates policy compliance independently. Internal audit program (DCF-165) will engage an external consultant for audit independence. Management review process provides a structured self-evaluation framework.
Risk Assessment | Risk Treatment Approval | Both: Eric Beans | Medium | Risk assessment methodology follows the ISO 27005 framework (structured, repeatable). Risk register reviewed at quarterly management reviews (DCF-164) with documented rationale. External auditors review risk assessment methodology and outputs. Drata tracks risk register changes with version history. Risk treatment plans require documented justification and evidence of implementation.

4. Compensating Controls for CEO/CISO Dual Role

The combination of CEO and CISO roles in a single individual (Eric Beans) represents the most significant SoD conflict in the organization. The following compensating controls collectively provide equivalent assurance to role separation:

4.1 Drata Continuous Monitoring

Drata operates as an independent compliance monitoring platform that continuously validates controls regardless of who configures or manages them. It provides automated evidence collection, control testing, and compliance scoring that cannot be manipulated without generating audit trail entries. Drata monitors endpoint compliance, access configurations, policy acknowledgments, training completion, and vendor compliance status.

4.2 Automated Technical Controls

Technical controls operate independently and cannot be bypassed without generating alerts:

  • GitLab CI/CD: Automated pipeline runs cargo test, cargo clippy, cargo audit on every commit. Protected branches prevent direct push. Merge request history immutable.
  • AWS CloudTrail: Records all API activity across all AWS services. Logs stored in S3 with object lock (WORM compliance). Cannot be disabled without generating its own trail entry.
  • AWS GuardDuty: AI-powered threat detection operates independently. Findings delivered to separate notification channel.
  • DataDog: Infrastructure monitoring with independent alerting. Configuration changes logged. Monitors alert on anomalies without manual intervention.

4.3 External Audit Oversight

Independent external auditors provide the separation of duties that cannot be achieved internally:

  • SOC 2 Type II audit: Independent CPA firm tests control design and operating effectiveness over a defined period. Covers access management, change management, monitoring, incident response.
  • ISO 27001 certification audit: Independent certification body assesses ISMS conformity to ISO 27001:2022 requirements, including verification that compensating controls for SoD are adequate.
  • External accountant: Reviews financial records and transactions independently.

4.4 Immutable Audit Trails

All critical actions generate audit trail entries that cannot be modified or deleted:

  • AWS CloudTrail logs: S3 with object lock, MFA delete enabled
  • GitLab commit history: Cryptographically signed, immutable
  • DataDog logs: Retained per retention policy, tamper-evident
  • Drata evidence: Timestamped, versioned evidence collection
  • Stripe transaction logs: Independent payment processor records

5. Technical Controls Detail

GitLab Merge Request Approvals

All code changes to protected branches (main, production) require merge request creation. CI/CD pipeline must pass (automated tests, linting, security scanning). Direct push to protected branches is blocked at the GitLab repository level. All merge request activity logged with timestamps, diffs, and pipeline results.

AWS IAM Least Privilege

IAM policies grant minimum permissions required for each function. Separate IAM roles for different functions (deployment, monitoring, database access). Root account secured with hardware MFA and used only for account-level operations. Service accounts use IAM roles (not long-lived access keys). IAM Access Analyzer identifies overly permissive policies.

Separate Production / Development Environments

Production and development environments are in separate AWS VPCs with no network connectivity between them. Separate databases, separate IAM roles, separate monitoring configurations. Production credentials are not accessible from the development environment. Deployment to production only through the CI/CD pipeline (Elastic Beanstalk managed updates).

Automated Deployment Pipeline

Elastic Beanstalk managed deployments ensure consistent, repeatable deployments. No manual server configuration or ad-hoc deployments. Health checks automatically roll back failed deployments. Deployment history maintained with timestamps and configuration snapshots. All deployment configurations version-controlled in GitLab.

Independent Monitoring Stack

DataDog operates as a SaaS platform independent of H33 infrastructure. Alerts are delivered via independent channels (email, PagerDuty). AWS GuardDuty findings are managed by AWS, independent of customer configuration. Drata agent runs independently on endpoints, reporting directly to Drata cloud platform.
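Sections 4.4 and 5 state that the CloudTrail audit bucket uses S3 object lock with MFA delete and that the trail cannot be disabled silently. The following is an added example, not H33.ai's own tooling, of how the quarterly compensating-control review could verify those statements from configuration rather than from a checklist. It evaluates dictionaries shaped like the responses of boto3's S3 get_object_lock_configuration and get_bucket_versioning calls and CloudTrail's describe_trails and get_trail_status calls; the SAMPLE_* values are constructed, and wiring evaluate() to live API responses is an assumption left to the reader. It goes one step beyond the text by also requiring COMPLIANCE-mode retention, since GOVERNANCE mode can be overridden by a principal holding s3:BypassGovernanceRetention, which in a single-administrator organization is the same person the control is meant to constrain.

```python
"""Offline check of the immutable-audit-trail controls (added example, not H33.ai code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str
    passed: bool
    detail: str


def check_object_lock(lock_cfg: dict) -> Finding:
    """Audit bucket must have object lock enabled in COMPLIANCE mode.

    GOVERNANCE mode is weaker: a principal with s3:BypassGovernanceRetention
    can still delete protected objects, which defeats the SoD purpose here.
    Input shape follows boto3 get_object_lock_configuration (assumption).
    """
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return Finding("s3-object-lock", False, "object lock is not enabled")
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        return Finding("s3-object-lock", False,
                       f"default retention mode is {mode or 'unset'}, expected COMPLIANCE")
    days = retention.get("Days", 0) or retention.get("Years", 0) * 365
    return Finding("s3-object-lock", True, f"COMPLIANCE retention of {days} days")


def check_versioning(ver_cfg: dict) -> Finding:
    """Versioning plus MFA delete, as section 4.4 requires.

    Input shape follows boto3 get_bucket_versioning (assumption).
    """
    if ver_cfg.get("Status") != "Enabled":
        return Finding("s3-versioning", False, "versioning is not enabled")
    if ver_cfg.get("MFADelete") != "Enabled":
        return Finding("s3-versioning", False, "MFA delete is not enabled")
    return Finding("s3-versioning", True, "versioning and MFA delete enabled")


def check_trail(trail: dict, status: dict, audit_bucket: str) -> Finding:
    """Trail must be logging, multi-region, integrity-validated, and delivering
    into the locked audit bucket. Shapes follow describe_trails (trailList
    item) and get_trail_status (assumption)."""
    problems = []
    if not status.get("IsLogging"):
        problems.append("logging is stopped")
    if not trail.get("IsMultiRegionTrail"):
        problems.append("not multi-region (activity in other regions is unrecorded)")
    if not trail.get("LogFileValidationEnabled"):
        problems.append("log file validation (digest files) is disabled")
    if trail.get("S3BucketName") != audit_bucket:
        problems.append(f"delivers to {trail.get('S3BucketName')!r}, not the locked audit bucket")
    if problems:
        return Finding("cloudtrail", False, "; ".join(problems))
    return Finding("cloudtrail", True, "logging, multi-region, validated, locked bucket")


def evaluate(lock_cfg: dict, ver_cfg: dict, trail: dict, status: dict,
             audit_bucket: str) -> list[Finding]:
    """Run every control check and return the findings in a fixed order."""
    return [check_object_lock(lock_cfg),
            check_versioning(ver_cfg),
            check_trail(trail, status, audit_bucket)]


def failed_controls(findings: list[Finding]) -> list[str]:
    """Names of controls that did not pass; empty list means the evidence holds."""
    return [f.control for f in findings if not f.passed]


# Constructed sample data; none of it is real H33.ai configuration.
SAMPLE_BUCKET = "example-cloudtrail-audit-bucket"
SAMPLE_LOCK_OK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
SAMPLE_LOCK_WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
SAMPLE_VERSIONING_OK = {"Status": "Enabled", "MFADelete": "Enabled"}
SAMPLE_TRAIL_OK = {"Name": "org-trail", "IsMultiRegionTrail": True,
                   "LogFileValidationEnabled": True, "S3BucketName": SAMPLE_BUCKET}
SAMPLE_TRAIL_DRIFTED = {"Name": "org-trail", "IsMultiRegionTrail": False,
                        "LogFileValidationEnabled": True, "S3BucketName": "some-other-bucket"}
SAMPLE_STATUS_ON = {"IsLogging": True}

if __name__ == "__main__":
    # Drifted configuration: object lock in GOVERNANCE mode and a trail that
    # is single-region and pointed at an unlocked bucket.
    for f in evaluate(SAMPLE_LOCK_WEAK, SAMPLE_VERSIONING_OK,
                      SAMPLE_TRAIL_DRIFTED, SAMPLE_STATUS_ON, SAMPLE_BUCKET):
        print("PASS" if f.passed else "FAIL", f.control, "-", f.detail)
```

Each failing finding names the specific gap, so the output can be attached as review evidence; a run with an empty failed_controls() result is the evidence that the compensating control still holds, and any non-empty result is a drift that the quarterly review should record and remediate.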

6. Hiring Plan Impact

As H33.ai grows, the following SoD improvements will be implemented with new hires:

Hire # | Role | SoD Improvement
--- | --- | ---
1 | Senior Engineer | Separates code authoring from code review. Enables peer review for all changes. Reduces deployment conflict (engineer deploys, CISO approves).
2 | DevOps / SRE | Separates development from deployment and infrastructure management. Separates security monitoring from security administration.
3 | Compliance Analyst | Separates policy development from compliance auditing. Enables independent internal audit function. Separates access provisioning from access approval.

7. Review Schedule

Review Frequency: Quarterly (March, June, September, December)
Last Review: March 17, 2026
Next Review: June 2026
Review Scope: Effectiveness of compensating controls, organizational changes affecting SoD, new function pairs requiring assessment, hiring plan updates
Reviewer: Eric Beans, CEO/CISO
External Validation: SOC 2 Type II audit covers SoD controls and compensating controls annually

8. Approval

Prepared By: Eric Beans, CEO/CISO
Approved By: Eric Beans, CEO/CISO
Approval Date: March 17, 2026
Next Review: June 2026 (quarterly)
Signature: /s/ Eric Beans

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.

H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945