Skip to main content Skip to navigation Skip to footer
Limited time: Design Partner Program. BUSINESS plan free for life.

What Compliance Actually Requires

Rediacc runs on your infrastructure. You control your data. Here's how that aligns with major compliance frameworks.

Rediacc runs entirely on your infrastructure. During cloning, backups, and deployments, your data stays on your machines. You’re both the controller and processor. No third-party SaaS, no external access.

We map Rediacc’s technical capabilities to major compliance requirements. Each page breaks down a specific regulation with references to the official legal text.

Compliance Matrix

FrameworkScopeKey Rediacc Capabilities
GDPREU data protection and privacyCoW cloning on same machine, LUKS2 encryption, zero-knowledge config store, audit logging, right to erasure via rdc repo delete
SOC 2Trust service criteria for service organizationsEncryption at rest, zero-knowledge config sync, network isolation, audit trail, backup and recovery
HIPAAUS health information protectionLUKS2 encryption, zero-knowledge config store, SSH-only access, isolated Docker daemons, transmission security
CCPACalifornia consumer privacy rightsSelf-hosted (no data sale/sharing), zero-knowledge encryption, encrypted deletion, data inventory per repository
ISO 27001Information security management controlsAsset management, cryptographic controls, zero-knowledge config store, access control, operations security
PCI DSSPayment card data protectionNetwork segmentation by architecture, mandatory encryption, audit logging, scope reduction via self-hosted
NIS2 and DORAEU cybersecurity and financial resilienceSupply chain risk elimination, resilience testing via CoW cloning, encryption, incident detection
Data SovereigntyGlobal data residency laws (PIPL, LGPD, KVKK, PIPA, and more)Self-hosted = data never leaves your jurisdiction. No cross-border transfers, no adequacy assessments

Architectural Foundations

Here’s what connects them all: every compliance framework in this section maps back to the same technical foundation.

  • Encryption at rest: Every repository is LUKS2 AES-256 encrypted. Credentials are stored only in the operator’s local config, never on the server.
  • Network isolation: Each repository gets its own Docker daemon, loopback IP subnet (/26), and iptables rules. Containers from different repositories cannot communicate.
  • Copy-on-write cloning: rdc repo fork uses filesystem reflinks (cp --reflink=always). Data is duplicated on the same machine without any network transfer.
  • Audit logging: 70+ event types covering authentication (login, 2FA, password changes, session revocation), API token lifecycle, config store operations, subscription/licensing activity, and CLI machine operations (repo lifecycle, backup, sync, terminal sessions). Accessible via admin dashboard, portal activity page (with org-scoped filtering), and rdc audit CLI. Machine operations are also recorded in your system logs for defense in depth.
  • Encrypted backup: rdc repo push/pull transfers data over SSH. The backup destination receives LUKS-encrypted volumes.
  • Zero-knowledge config store: Optional encrypted config sync across devices. Configs are encrypted client-side with AES-256-GCM before upload. The server stores only opaque blobs. The server cannot read SSH keys, credentials, IP addresses, or any plaintext config data. Key derivation uses passkey PRF extension + HKDF with domain separation. Member access is managed via X25519 key exchange, and revocation is immediate.

For details on these capabilities, see Architecture, Repositories, Config Storage, and Account Security.

Why It Matters

Compliance failures are expensive. Really expensive. The cases below show problems Rediacc’s architecture structurally prevents:

IncidentFineWhat went wrong
Meta: EU-US data transfersEUR 1.2BPersonal data transferred across borders without adequate safeguards. Self-hosted means no transfer.
Equifax: unencrypted data$700M147 million records stored unencrypted with poor network segmentation. LUKS2 is mandatory, not optional.
Target: lateral movement$18.5MAttackers pivoted from an HVAC vendor to payment systems over a flat network. Per-repo isolation prevents this.
Anthem: unencrypted PHI$16M79 million health records stored without encryption. LUKS2 AES-256 is always on.
Blackbaud: SaaS breach cascade$49.5MRansomware at one SaaS vendor exposed data from 13,000+ customer organizations. Self-hosted means a vendor breach cannot reach your data.
British Airways: poor segmentationGBP 20MAttackers injected malicious code due to inadequate network controls. Isolated Docker daemons and iptables prevent lateral access.
Google: right to erasureEUR 50MDifficulty fully erasing data across distributed systems. Cryptographic erasure via LUKS destroy is instant and complete.

Important Notice

These pages explain how Rediacc’s architecture aligns with compliance requirements. But here’s the reality: compliance is bigger than software. You’ll need policies, procedures, training, and probably third-party audits. Rediacc handles the infrastructure part. Work with your legal and compliance teams on the rest.