Security Compliance Framework

This document outlines the security compliance framework for ALTCHA Sentinel designed for enterprise self-hosted deployments. It clarifies the security responsibilities of ALTCHA and of enterprise customers to ensure a secure, compliant, and resilient deployment aligned with SOC 2, ISO 27001, GDPR, HIPAA, and other global standards.

Security is a foundational design principle of ALTCHA, which provides secure software and controls, while customers are responsible for securely deploying, configuring, and operating the system in their environments.

Shared Security Model

ALTCHA’s Responsibilities:

  • Develop, test, and release secure, patched software.
  • Implement Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) features.
  • Provide encryption capabilities for data in transit and at rest.
  • Conduct vulnerability assessments and deliver timely patches.
  • Implement audit logging and enable export of logs.
  • Design software to support high availability and disaster recovery.
  • Provide security documentation and support vulnerability disclosures.

Customer’s Responsibilities:

  • Deploy and configure ALTCHA Sentinel securely in their chosen environment.
  • Manage user roles, credentials, and enforce MFA policies.
  • Configure and manage encryption settings and encryption keys securely.
  • Apply security patches promptly and run vulnerability scans.
  • Secure the hosting infrastructure including network, OS, and container runtime.
  • Implement backup schedules and test disaster recovery procedures.
  • Configure log aggregation, monitoring, alerting, and review audit logs regularly.
  • Ensure compliance with applicable privacy regulations and data protection laws.
  • Harden the deployment environment by securing OS, containers, and network.

ALTCHA Sentinel supports deployment on modern cloud and container platforms, including:

  • Azure App Services
  • Amazon ECS (Elastic Container Service)
  • Kubernetes (K8s)

Customer Responsibilities for Deployment:

  • Use hardened base images and enforce security best practices.
  • Manage secrets securely (e.g., Azure Key Vault, AWS Secrets Manager, Kubernetes Secrets).
  • Configure network security measures such as firewalls, private endpoints, and DDoS protection.
  • Set up monitoring, alerting, and log aggregation with cloud-native or third-party tools.
  • Manage backups and disaster recovery planning using cloud provider features.

ALTCHA Responsibilities:

  • Provide software hardened for these environments with secure configurations.
  • Enable integrations for secrets, logging, and monitoring where applicable.
  • Release regular security updates and patches.

Access Controls

Provided by ALTCHA:

  • Role-Based Access Control (RBAC) framework with least-privilege enforcement.
  • Support for Multi-Factor Authentication (MFA).
  • Session management and rate limiting to mitigate brute-force and DoS attacks.
  • Audit logging of authentication and access events.

Customer Responsibilities:

  • Assign appropriate roles and permissions to users.
  • Enforce MFA policies and manage user credentials securely.
  • Configure IP whitelisting or network restrictions as needed.
  • Regularly review audit logs and investigate suspicious activity.

Data Protection

Provided by ALTCHA:

  • Support for encryption in transit and at rest, configurable by customers.

Customer Responsibilities:

  • Enforce encryption in transit via TLS (1.2 or higher).
  • Enable and configure encryption-at-rest features.
  • Manage encryption keys securely using cloud key management services or vaults.
  • Ensure secure backups and enforce data lifecycle policies.

Vulnerability Management

Provided by ALTCHA:

  • Secure development lifecycle including testing and penetration assessments.
  • Regular security patches and updates.
  • Provision of Software Bill of Materials (SBOM) for transparency.

Customer Responsibilities:

  • Monitor security advisories and apply patches promptly.
  • Run vulnerability scans on deployed infrastructure.
  • Integrate security checks into CI/CD pipelines.

System Availability

Provided by ALTCHA:

  • Software designed to support high availability and fault tolerance.

Customer Responsibilities:

  • Deploy ALTCHA in high-availability configurations with load balancing and redundancy.
  • Implement backup and disaster recovery processes.
  • Monitor system health and automate failover as needed.

Confidentiality & Privacy

Provided by ALTCHA:

  • ALTCHA does not transmit or store customer data externally.
  • No use of tracking cookies, fingerprinting, or third-party dependencies.

Customer Responsibilities:

  • Comply with privacy regulations applicable to their data.
  • Minimize data collection and enforce retention policies.
  • Secure access to sensitive information within their systems.

Logging & Monitoring

Provided by ALTCHA:

  • Comprehensive audit logging of system and API activity.
  • Support for exporting logs to external systems.

Customer Responsibilities:

  • Configure centralized log management and SIEM tools.
  • Set up monitoring, alerting, and regular log reviews.
  • Investigate anomalies and suspicious activities promptly.

Security Hardening

Customers must implement additional hardening controls in their environment, including but not limited to:

  • Using minimal, secure operating system and container images.
  • Disabling unnecessary services and ports.
  • Enforcing SSH key authentication and disabling password-based login.
  • Applying container security policies (e.g., seccomp, AppArmor, SELinux).
  • Implementing network segmentation and enforcing least-privilege networking.

Reporting Security Issues

If you identify a vulnerability or security concern, please report it responsibly via our contacts. ALTCHA prioritizes prompt investigation and remediation support.

Refer to the Security Vulnerability Disclosure Policy for more details.