Rediacc runs entirely on your infrastructure. During environment cloning, backup, and deployment operations, data never leaves your machine. You remain both the data controller and processor. No third-party SaaS handles your data.
This section maps Rediacc’s technical capabilities to the requirements of major compliance frameworks. Each page covers a specific regulation with article-level references to the official legal texts.
Compliance Matrix
| Framework | Scope | Key Rediacc Capabilities |
|---|---|---|
| GDPR | EU data protection and privacy | CoW cloning on same machine, LUKS2 encryption, zero-knowledge config store, audit logging, right to erasure via `rdc repo destroy` |
| SOC 2 | Trust service criteria for service organizations | Encryption at rest, zero-knowledge config sync, network isolation, audit trail, backup and recovery |
| HIPAA | US health information protection | LUKS2 encryption, zero-knowledge config store, SSH-only access, isolated Docker daemons, transmission security |
| CCPA | California consumer privacy rights | Self-hosted (no data sale/sharing), zero-knowledge encryption, encrypted deletion, data inventory per repository |
| ISO 27001 | Information security management controls | Asset management, cryptographic controls, zero-knowledge config store, access control, operations security |
| PCI DSS | Payment card data protection | Network segmentation by architecture, mandatory encryption, audit logging, scope reduction via self-hosted |
| NIS2 and DORA | EU cybersecurity and financial resilience | Supply chain risk elimination, resilience testing via CoW cloning, encryption, incident detection |
| Data Sovereignty | Global data residency laws (PIPL, LGPD, KVKK, PIPA, and more) | Self-hosted = data never leaves your jurisdiction. No cross-border transfers, no adequacy assessments |
Architectural Foundations
Every compliance framework in this section maps back to the same technical properties:
- Encryption at rest: Every repository is LUKS2 AES-256 encrypted. Credentials are stored only in the operator’s local config, never on the server.
- Network isolation: Each repository gets its own Docker daemon, loopback IP subnet (/26), and iptables rules. Containers from different repositories cannot communicate.
- Copy-on-write cloning: `rdc repo fork` uses filesystem reflinks (`cp --reflink=always`). Data is duplicated on the same machine without any network transfer.
- Audit logging: 70+ event types covering authentication (login, 2FA, password changes, session revocation), API token lifecycle, config store operations, subscription/licensing activity, and CLI machine operations (repo lifecycle, backup, sync, terminal sessions). Accessible via the admin dashboard, the portal activity page (with org-scoped filtering), and the `rdc audit` CLI. Machine operations are also recorded in your system logs for defense in depth.
- Encrypted backup: `rdc repo backup push/pull` transfers data over SSH. The backup destination receives LUKS-encrypted volumes.
- Zero-knowledge config store: Optional encrypted config sync across devices. Configs are encrypted client-side with AES-256-GCM before upload. The server stores only opaque blobs. The server cannot read SSH keys, credentials, IP addresses, or any plaintext config data. Key derivation uses the passkey PRF extension + HKDF with domain separation. Member access is managed via X25519 key exchange, and revocation is immediate.
For details on these capabilities, see Architecture, Repositories, Config Storage, and Account Security.
Why It Matters
Compliance failures are costly. These enforcement cases involved problems that Rediacc’s architecture structurally prevents:
| Incident | Fine | What went wrong |
|---|---|---|
| Meta: EU-US data transfers | EUR 1.2B | Personal data transferred across borders without adequate safeguards. Self-hosted means no transfer. |
| Equifax: unencrypted data | $700M | 147 million records stored unencrypted with poor network segmentation. LUKS2 is mandatory, not optional. |
| Target: lateral movement | $18.5M | Attackers pivoted from an HVAC vendor to payment systems over a flat network. Per-repo isolation prevents this. |
| Anthem: unencrypted PHI | $16M | 79 million health records stored without encryption. LUKS2 AES-256 is always on. |
| Blackbaud: SaaS breach cascade | $49.5M | Ransomware at one SaaS vendor exposed data from 13,000+ customer organizations. Self-hosted means a vendor breach cannot reach your data. |
| British Airways: poor segmentation | GBP 20M | Attackers injected malicious code due to inadequate network controls. Isolated Docker daemons and iptables prevent lateral access. |
| Google: right to erasure | EUR 50M | Difficulty fully erasing data across distributed systems. Cryptographic erasure via LUKS destroy is instant and complete. |
Important Notice
These pages describe Rediacc’s technical capabilities as they relate to compliance requirements. Compliance with any regulation requires organizational policies, procedures, staff training, and potentially third-party audits beyond the scope of any single tool. Consult your legal and compliance team for guidance specific to your organization.