Compliance Pack

Security, data handling, and regulatory documentation for auditors and reviewers.

Narrative documents

• Security model — auth, encryption, tenancy isolation, secrets
• Data model + PHI classification — what data is held where, classification levels
• Audit trail — what's logged, where, retention
• Retention + GDPR erasure — retention policy, Article 17 handling, crypto-shredding
• Architecture — network topology, service map, data flow

Generated artifacts (CI build outputs, not in git)

Available from each release's GitHub artifacts and the published docs site:

• sbom.cdx.json — CycloneDX SBOM
• sbom.spdx.json — SPDX SBOM (FDA-preferred format)
• licenses.json / licenses.md — Dependency license inventory
• soup.md — Software of Unknown Provenance classification

To regenerate locally: bash scripts/generate-docs.sh.