Security and Compliance Posture (Business-Level)

This page captures the security and compliance requirements for the headless stack. It does not prescribe implementation details.

Network security (WAF)

  • AWS WAF protects all API endpoints and CloudFront distributions.
  • Managed rule groups: Common Rule Set (OWASP top 10), Known Bad Inputs (Log4j/JNDI), Amazon IP Reputation List.
  • Rate limiting: 2,000 requests per 5 minutes per source IP (API Gateway); 5,000 per 5 minutes (CloudFront).
  • WAF-blocked requests return 403 with an HTML body (no JSON envelope). Application-level 403 errors always include a JSON error object.
  • All WAF metrics are published to CloudWatch (g3nretailstack-waf, g3n-cf-waf).
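The 403 distinction above matters for every client of the stack: a WAF block has an HTML body and no JSON envelope, while an application 403 always carries a JSON error object, so a client that blindly parses JSON will mis-handle WAF blocks. The helper below is an added example (not code from this page or from the stack it describes) that applies that rule to a raw status, header map and body; the shape of the JSON error object is not specified on the page, so the helper returns the parsed object as-is.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Forbidden:
    kind: str                        # "waf_block" or "app_forbidden"
    error: Optional[dict] = None     # parsed JSON error object for application 403s
    backoff: bool = False            # True when the block came from the WAF layer


def classify_403(status: int, headers: Dict[str, str], body: bytes) -> Optional[Forbidden]:
    """Tell a WAF block (HTML body, no JSON envelope) from an application-level
    403 (always a JSON error object). Returns None for any other status."""
    if status != 403:
        return None
    # Header names are case-insensitive; normalise before the lookup.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    if "application/json" in ctype:
        try:
            payload = json.loads(body.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            payload = None
        if isinstance(payload, dict):
            return Forbidden("app_forbidden", error=payload)
    # Anything else (text/html, an empty body, or a body that is not a JSON object)
    # is the WAF answering. The rate-based rule blocks with 403 as well, so the
    # client cannot tell a rate block from a managed-rule block by status alone:
    # back off, retry a bounded number of times, and surface the block instead of
    # treating it as an authorization failure in the application.
    return Forbidden("waf_block", backoff=True)
```

Because an application 403 is the only 403 with a JSON object body, the classifier fails toward "WAF block" for anything it cannot parse; that is the safe direction, since retrying with backoff is harmless while misreporting a WAF block as a missing grant would send operators down the wrong path.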

Access control and identity

  • All operations are org-scoped; facility-scoped actions require explicit facility grants.
  • Roles are consistent across services; owners have full access, members require explicit grants.
  • Cost visibility is restricted to cost_view (facility-scoped) and finance_audit (org-wide).
  • Anti-enumeration is required where the caller's org association is not confirmed: responses must not reveal whether a resource exists outside the caller's org.

Data handling and privacy

  • No secrets or sensitive personal data are emitted in logs or events.
  • Data classification tags must be applied to events and exports.
  • Consent and privacy flags must gate any customer data usage or export.
  • Retention policies must be explicit per data class (audit vs operational vs analytics).

Secrets posture (API keys + webhook secrets)

  • Secrets are never emitted in logs/events and are returned once on create/rotate.
  • All data is encrypted at rest using service-managed keys. Secrets must be treated as bearer credentials.
  • Rotation:
    • Prefer dual-running: provision a new secret, update the integration, then revoke the old secret after verification.
    • If a dedicated rotate endpoint exists for a service, it returns the new secret once and invalidates the prior secret after the overlap window.
  • Secret scanning is required in all code repos and build artifacts. If a secret is detected:
    • Revoke/rotate immediately,
    • Audit delivery logs for misuse,
    • Re-issue keys for affected integrations.
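The secrets posture above (returned once on create/rotate, treated as bearer credentials, dual-running rotation with an overlap window, immediate revocation on a scanner hit) can be captured in a small key store. The following is an added example, not code from this page or from the stack it describes: it persists only SHA-256 digests, hands the plaintext back exactly once, and keeps the old key valid for an overlap window after rotation. The `k<n>.` id prefix, the 24-hour default overlap and the `demo_rotation` walk-through are assumptions made for the example; the page fixes no overlap length.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed overlap window for dual-running; the page does not fix a value.
DEFAULT_OVERLAP = timedelta(hours=24)


def _digest(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str                        # SHA-256 of the key; the plaintext is never stored
    created_at: datetime
    revoke_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoke_at is None or now < self.revoke_at


class ApiKeyStore:
    """Bearer-credential store: plaintext is returned exactly once, only hashes persist."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}
        self._seq = 0

    def _mint(self, now: datetime) -> str:
        self._seq += 1
        key_id = f"k{self._seq}"
        # Assumed format: a public id prefix so lookup never scans every digest.
        plaintext = f"{key_id}.{secrets.token_urlsafe(32)}"
        self._records[key_id] = KeyRecord(key_id, _digest(plaintext), now)
        return plaintext

    def create(self, now: datetime) -> str:
        return self._mint(now)          # caller must capture it; it is not retrievable later

    def rotate(self, old_key_id: str, now: datetime,
               overlap: timedelta = DEFAULT_OVERLAP) -> str:
        """Dual-running rotation: the new key is active at once, the old key keeps
        working until the overlap window ends so the integration can be updated."""
        old = self._records[old_key_id]
        if not old.is_active(now):
            raise ValueError(f"{old_key_id} is already revoked")
        old.revoke_at = min(old.revoke_at, now + overlap) if old.revoke_at else now + overlap
        return self._mint(now)

    def revoke(self, key_id: str, now: datetime) -> None:
        """Immediate revocation: after verifying the new key, or on a secret-scanning hit."""
        self._records[key_id].revoke_at = now

    def authenticate(self, presented: str, now: datetime) -> Optional[str]:
        key_id, _, _ = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not rec.is_active(now):
            return None
        # Constant-time comparison of the hex digests.
        return key_id if hmac.compare_digest(rec.digest, _digest(presented)) else None


def demo_rotation() -> dict:
    """Walk the dual-running flow and return the outcomes so they can be checked."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ApiKeyStore()
    k1 = store.create(t0)
    k2 = store.rotate("k1", t0 + timedelta(days=30))          # old key expires 24h later
    during = t0 + timedelta(days=30, hours=1)
    after = t0 + timedelta(days=31, hours=1)
    tampered = k2[:-1] + ("A" if k2[-1] != "A" else "B")
    return {
        "old_before_rotation": store.authenticate(k1, t0),
        "old_during_overlap": store.authenticate(k1, during),
        "new_during_overlap": store.authenticate(k2, during),
        "old_after_overlap": store.authenticate(k1, after),
        "new_after_overlap": store.authenticate(k2, after),
        "tampered": store.authenticate(tampered, after),
        "plaintext_persisted": any(k1 in r.digest or k2 in r.digest
                                   for r in store._records.values()),
    }
```

Webhook secrets follow the same pattern from the other side: the receiver keeps both the current and the previous secret during the overlap and accepts an HMAC computed with either, then drops the old one once deliveries signed with the new secret have been verified.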

Data classification (baseline)

Classify data as:

  • PII: names, emails, phone numbers, addresses, government IDs, loyalty identifiers.
  • Payment: payment tokens, tender references (no raw PAN/CVV).
  • Credentials: session GUIDs, API keys, passcodes (never log/emit).
  • Operational: stock positions, orders, procurement, pricing.

Forbidden in logs/events:

  • Raw passcodes, session GUIDs, API keys, full payment tokens, government IDs.
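The classification baseline and the forbidden-in-logs list above are only useful if every emit path enforces them. The function below is an added example (not code from this page or from the stack it describes) of a redaction step run on an event before it is logged or published: it maps fields to the page's four classes, drops the forbidden fields and anything classed as credentials, fails closed on unclassified fields, and tags the result with the classes it still contains. The field catalogue, the masking rules for PII (one-character stub) and payment tokens (last four characters only) and the sample event are assumptions constructed for the example.

```python
from typing import Any, Dict, List, Set, Tuple

# Constructed catalogue mapping event fields to the page's four classes.
# Any field not listed is unclassified and is dropped (fail closed).
FIELD_CLASS: Dict[str, str] = {
    "customer_name": "PII", "email": "PII", "phone": "PII", "loyalty_id": "PII",
    "government_id": "PII",
    "payment_token": "Payment", "tender_ref": "Payment",
    "passcode": "Credentials", "session_guid": "Credentials", "api_key": "Credentials",
    "order_id": "Operational", "sku": "Operational", "qty": "Operational", "price": "Operational",
}
# The page's forbidden-in-logs fields, dropped whatever their class.
FORBIDDEN: Set[str] = {"passcode", "session_guid", "api_key", "government_id"}


def mask_pii(field: str, value: Any) -> str:
    """Assumed treatment for PII: keep a one-character stub so the log stays useful."""
    s = str(value)
    if field == "email" and "@" in s:
        local, _, domain = s.partition("@")
        return f"{local[:1]}***@{domain}"
    return f"{s[:1]}***" if s else ""


def mask_payment(field: str, value: Any) -> str:
    """Full payment tokens are forbidden; assumed rule keeps only the last four characters.
    Tender references pass unchanged (they carry no PAN/CVV by construction)."""
    s = str(value)
    if field == "payment_token":
        return f"***{s[-4:]}" if len(s) > 4 else "***"
    return s


def _redact(obj: Dict[str, Any], prefix: str) -> Tuple[Dict[str, Any], List[str], Set[str]]:
    out: Dict[str, Any] = {}
    removed: List[str] = []
    classes: Set[str] = set()
    for key, value in obj.items():
        path = prefix + key
        if isinstance(value, dict):                   # containers are descended, not classified
            sub, sub_removed, sub_classes = _redact(value, path + ".")
            out[key] = sub
            removed.extend(sub_removed)
            classes |= sub_classes
            continue
        cls = FIELD_CLASS.get(key)
        if key in FORBIDDEN or cls == "Credentials" or cls is None:
            removed.append(path)                      # never emitted; unclassified fails closed
            continue
        classes.add(cls)
        if cls == "PII":
            out[key] = mask_pii(key, value)
        elif cls == "Payment":
            out[key] = mask_payment(key, value)
        else:
            out[key] = value                          # Operational data passes through
    return out, removed, classes


def redact_event(event: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (redacted copy tagged with the data classes it still contains,
    dotted paths of the fields that were removed). Call before every log/emit;
    the removed list is what a redaction test asserts on."""
    out, removed, classes = _redact(event, "")
    out["data_classes"] = sorted(classes)
    return out, removed


# Constructed sample event (not real data) mixing all four classes plus an unclassified field.
SAMPLE_EVENT = {
    "order_id": "o-1001", "sku": "SKU-42", "qty": 2, "price": 19.99,
    "customer": {"customer_name": "Ada Lovelace", "email": "ada@example.com",
                 "government_id": "ID-123456", "session_guid": "3f9c-sample-guid"},
    "payment": {"payment_token": "tok_1234567890", "tender_ref": "tnd-77"},
    "api_key": "k1.not-a-real-key",
    "debug_blob": "unclassified free text",
}
```

Failing closed on unclassified fields is the point of the "classification tags must be applied" rule: a new field added to a schema without a class disappears from logs until someone classifies it, instead of leaking by default.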

Retention baselines (minimum)

Record class                | Baseline retention | Notes
----------------------------|--------------------|---------------------------------------------------
Financial/accounting events | 7 years            | Policy may extend; audit-grade storage.
Inventory stock card        | 24 months hot      | Older history retained for audit.
Customer/CRM data           | While active       | Respect consent and deletion policies.
Attachments (MRS)           | Policy-managed     | Default retention varies by status.
Event deliveries/logs       | 30–90 days         | Replay windows and delivery logs are time-bounded.

Tenant offboarding minimum posture (required)

  • Export + freeze + tombstone is the minimum supported action even before full purge is implemented.
  • Freeze blocks new writes while preserving read-only access for audit/export.
  • Tombstone records the offboarding decision with reason and policy snapshot; retains audit trails.
  • Purge/export workflows remain deferred until all services are implemented and policy-approved.

Offboarding lifecycle (explicit)

  • Export-only: generate snapshots + manifests; no write freeze.
  • Export + freeze + tombstone: blocks tenant writes; preserves read access for audit; records offboarding decision.
  • Purge: irreversible data deletion after policy/approval window (UNCONFIRMED until production cutover).
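The offboarding lifecycle above is a small state machine with a write guard: export-only leaves writes open, freeze blocks writes but keeps reads for audit and export, and the freeze decision is recorded as a tombstone with actor, reason and policy snapshot. The guard below is an added example (not code from this page or from the stack it describes) of that machine. Purge is deliberately not a reachable state, because the page marks it UNCONFIRMED; the operation names (`read`, `write`, `export`) and the audit record layout are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

ACTIVE, EXPORT_ONLY, FROZEN = "active", "export_only", "frozen"
# Allowed transitions. Purge is absent on purpose: the page marks it UNCONFIRMED,
# so an attempt to move there is rejected rather than silently modelled.
TRANSITIONS = {ACTIVE: {EXPORT_ONLY, FROZEN}, EXPORT_ONLY: {FROZEN}, FROZEN: set()}
# What each state permits; export-only carries no write freeze.
PERMITTED = {
    ACTIVE: {"read", "write", "export"},
    EXPORT_ONLY: {"read", "write", "export"},
    FROZEN: {"read", "export"},
}


@dataclass
class Tombstone:
    decided_at: datetime
    actor: str
    reason: str
    policy_snapshot: Dict[str, str]      # the policy in force when the decision was taken


@dataclass
class Tenant:
    org_id: str
    status: str = ACTIVE
    tombstone: Optional[Tombstone] = None
    audit: List[Dict[str, str]] = field(default_factory=list)   # actor/time/reason per change


class OffboardingGuard:
    def __init__(self) -> None:
        self._tenants: Dict[str, Tenant] = {}

    def get(self, org_id: str) -> Tenant:
        return self._tenants.setdefault(org_id, Tenant(org_id))

    def transition(self, org_id: str, to: str, actor: str, reason: str,
                   policy_snapshot: Dict[str, str], now: Optional[datetime] = None) -> Tenant:
        now = now or datetime.now(timezone.utc)
        t = self.get(org_id)
        if to not in TRANSITIONS.get(t.status, set()):
            raise ValueError(f"{org_id}: {t.status} -> {to} is not an allowed transition")
        if to == FROZEN:
            # Freezing always records the offboarding decision (the tombstone).
            t.tombstone = Tombstone(now, actor, reason, dict(policy_snapshot))
        t.audit.append({"at": now.isoformat(), "actor": actor,
                        "from": t.status, "to": to, "reason": reason})
        t.status = to
        return t

    def authorize(self, org_id: str, op: str) -> bool:
        """Write guard consulted by every tenant-scoped request."""
        return op in PERMITTED[self.get(org_id).status]
```

The guard is keyed by org, matching the org-scoped access model above; a frozen tenant's reads and exports keep working so the export manifest can still be produced after the freeze.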

Customer-visible artifacts:

  • Export manifest (download links + checksums)
  • Offboarding status and timestamps
  • Optional legal-hold notice

Pointer lifetime rules (required)

  • Events that reference external payloads (attachments, blobs, manifests) must not outlive those payloads.
  • If referenced content expires, the event stream must still retain audit-sufficient metadata (tombstone or inline summary).
  • Retention defaults are policy-managed; overrides must be auditable and org-scoped.
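The pointer lifetime rules above give two ways to stay consistent: cap an event's retention at the earliest expiry of the payloads it references, or keep the event and replace the expired pointer with audit-sufficient metadata. The code below is an added example (not code from this page or from the stack it describes) implementing both, plus the failure mode a practitioner has to handle: a pointer to a payload the index no longer knows, for which no checksum or size can be recorded, is reported as a violation rather than silently tombstoned. The event and payload layouts, the `s3://` URIs and the sample timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple


@dataclass
class Payload:
    payload_id: str
    sha256: str            # checksum recorded when the payload was stored
    size_bytes: int
    expires_at: datetime


def retention_cap(policy_retain_until: datetime, refs: List[Dict[str, Any]],
                  payloads: Dict[str, Payload]) -> datetime:
    """Rule 1: without tombstoning, an event may live no longer than the earliest
    referenced payload, so the effective retention is the minimum of the two."""
    expiries = [payloads[r["payload_id"]].expires_at
                for r in refs if r["payload_id"] in payloads]
    return min([policy_retain_until] + expiries)


def reconcile_refs(event: Dict[str, Any], payloads: Dict[str, Payload],
                   now: datetime) -> Tuple[Dict[str, Any], List[str], List[str]]:
    """Rule 2: replace pointers whose payload has expired with an audit-sufficient
    tombstone (id, checksum, size, expiry) so the event itself can stay in the
    stream. Returns (updated event, tombstoned payload ids, violations). The input
    event is not modified."""
    updated = dict(event)
    new_refs: List[Dict[str, Any]] = []
    tombstoned: List[str] = []
    violations: List[str] = []
    for ref in event.get("refs", []):
        pid = ref["payload_id"]
        if ref.get("tombstone"):                      # already reconciled on an earlier pass
            new_refs.append(ref)
            continue
        p = payloads.get(pid)
        if p is None:
            # Dangling pointer: the payload vanished without leaving its metadata.
            violations.append(f"{event['event_id']}: dangling pointer {pid}")
            new_refs.append(ref)
            continue
        if p.expires_at <= now:
            new_refs.append({"payload_id": pid, "tombstone": True, "sha256": p.sha256,
                             "size_bytes": p.size_bytes,
                             "expired_at": p.expires_at.isoformat()})
            tombstoned.append(pid)
        else:
            new_refs.append(ref)
    updated["refs"] = new_refs
    return updated, tombstoned, violations


# Constructed sample data: one expired attachment, one live one, one missing from the index.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PAYLOADS = {
    "att-1": Payload("att-1", "a1" * 32, 2048, NOW - timedelta(days=1)),
    "att-2": Payload("att-2", "b2" * 32, 4096, NOW + timedelta(days=30)),
}
SAMPLE_EVENT = {
    "event_id": "evt-9", "org_id": "org-1",
    "retain_until": (NOW + timedelta(days=365)).isoformat(),
    "refs": [{"payload_id": "att-1", "uri": "s3://example-bucket/att-1"},
             {"payload_id": "att-2", "uri": "s3://example-bucket/att-2"},
             {"payload_id": "att-gone", "uri": "s3://example-bucket/att-gone"}],
}
```

Running `reconcile_refs` as part of the payload expiry job keeps the event stream audit-sufficient; the violations list is what a retention monitor should alert on, because a dangling pointer means the rule was already broken before the job ran.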

Auditability

  • Financial-impacting records are append-only; corrections are reversals with references.
  • Every workflow emits auditable events with actor, time, reason, and policy snapshot.
  • Access to sensitive operations is traceable (who did what, when, and why).

Jurisdictional compliance

  • Tax, labeling, and product restrictions are versioned and effective-dated.
  • Regional requirements (such as product warnings) must be traceable by facility/jurisdiction.
  • Data residency constraints, if required, must be explicitly documented.

Approved sign-off answers

  • Retention windows (baseline):
    • Financial and accounting events: minimum 7 years retention (policy override allowed to extend).
    • Inventory stock card: 24 months in hot access, older history retained for audit.
    • Customer and CRM data: retain while active; honor consent and deletion policies.
  • Payment data: store only tokenized tender references; never store raw PAN/CVV.
  • Access governance: quarterly role review and approval policy review.
  • Cross-tenant isolation: explicit tests for org/facility boundary leakage.
  • Data residency: initial release has no hard residency constraints but captures jurisdiction for future policy enforcement.

Security posture checklist (approved baseline)

  • Role matrix and facility scoping finalized for each module.
  • Redaction rules defined for all event schemas and exports.
  • Retention windows approved for audit, financial, and customer data.
  • Consent and privacy rules validated for all CRM/Loyalty flows.
  • Incident response and breach notification policy documented.