NIST Compliance

NIST SP 800-190: Container Security

The haagsman.ai Product Suite follows NIST SP 800-190 guidelines for application container security.

| Control Area | NIST Recommendation | Our Implementation |
|---|---|---|
| Image security | Use minimal base images, scan for vulnerabilities | python:3.12-slim base, Trivy scanning, pinned dependencies |
| Registry security | Use trusted registries, sign images | Built from source, no third-party pre-built images |
| Orchestration | Limit container privileges | Non-root user, resource limits, no privileged mode |
| Container runtime | Monitor for anomalous behavior | Docker health checks, Prometheus metrics, audit logging |
| Host OS | Use a container-specific host OS | Docker Desktop (dev), Alpine/Ubuntu host (prod) |
| Networking | Segment container networks | Products on an isolated Docker network; published ports bound to 127.0.0.1 |
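The orchestration, runtime and networking rows above are all observable in a running container's `docker inspect` output, which makes them easy to verify after deployment. The following stdlib-only Python script is an added example, not code from the haagsman.ai products: it audits inspect records against those controls. The container names, image tags and the `products_net` network in the embedded sample are constructed, and the `image_tag_pinned` check goes slightly beyond the table by also flagging images that run as `:latest`.

```python
"""Audit `docker inspect` records against the NIST SP 800-190 controls in the
table above. Hypothetical helper; not part of the haagsman.ai product suite.

Usage:  docker inspect $(docker ps -q) | python3 audit_containers.py
Without piped input it runs against the constructed sample below."""
import json
from typing import Any

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields the checks read. One compliant container and one non-compliant one.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/faq-chatbot",
        "Config": {
            "Image": "haagsman/faq-chatbot:1.4.2",
            "User": "app",
            "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8000/health"]},
        },
        "HostConfig": {
            "Privileged": False,
            "Memory": 536870912,          # 512 MiB
            "NanoCpus": 1000000000,       # 1 CPU
            "NetworkMode": "products_net",
            "PortBindings": {"8000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8000"}]},
        },
        "NetworkSettings": {"Networks": {"products_net": {}}},
    },
    {
        "Name": "/legacy-tool",
        "Config": {"Image": "legacy-tool:latest", "User": ""},   # empty User => root
        "HostConfig": {
            "Privileged": True,
            "NetworkMode": "bridge",
            "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},  # "" => 0.0.0.0
        },
        "NetworkSettings": {"Networks": {"bridge": {}}},
    },
])

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_NETWORKS = {"bridge", "host", "none"}


def audit(record: dict[str, Any]) -> dict[str, bool]:
    """Return one boolean per control; True means the container passes."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    # Config.User is "name", "uid", or "uid:gid"; empty means the image default (root).
    user = (cfg.get("User") or "").split(":")[0]
    # An empty HostIp in a port binding means "all interfaces" (0.0.0.0).
    bindings = host.get("PortBindings") or {}
    host_ips = [b.get("HostIp") or "0.0.0.0" for lst in bindings.values() for b in (lst or [])]
    networks = set((record.get("NetworkSettings") or {}).get("Networks") or {})
    health = cfg.get("Healthcheck") or {}
    image = cfg.get("Image") or ""
    last = image.rsplit("/", 1)[-1]      # "name:tag" or "name@sha256:..." without registry path
    return {
        "non_root_user": user not in ("", "root", "0"),
        "not_privileged": host.get("Privileged") is not True,
        "memory_limit": (host.get("Memory") or 0) > 0,
        "cpu_limit": (host.get("NanoCpus") or 0) > 0 or (host.get("CpuQuota") or 0) > 0,
        "healthcheck": bool(health.get("Test")) and health["Test"] != ["NONE"],
        "loopback_only": all(ip in LOOPBACK for ip in host_ips),
        "not_host_network": host.get("NetworkMode") != "host",
        "user_defined_network": bool(networks - DEFAULT_NETWORKS),
        "image_tag_pinned": ":" in last and not image.endswith(":latest"),
    }


def audit_json(text: str) -> dict[str, dict[str, bool]]:
    """Map container name -> audit results for a `docker inspect` JSON array."""
    return {(r.get("Name") or "?").lstrip("/"): audit(r) for r in json.loads(text)}


if __name__ == "__main__":
    import sys
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, results in audit_json(data).items():
        failed = [ctl for ctl, ok in results.items() if not ok]
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

The checks are deliberately conservative: a missing `HostIp` counts as a bind to all interfaces and an empty `User` counts as root, because that is what the Docker daemon does with those defaults.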

NIST AI Risk Management Framework (AI RMF)

| Function | Controls |
|---|---|
| Govern | AI governance documented in security architecture. Roles defined via RBAC. |
| Map | Each product's AI use case is documented. Risk classification: limited risk (EU AI Act). |
| Measure | LLM performance tracked via Prometheus (latency, error rates, token usage). |
| Manage | Fallback providers for resilience. PII detection before cloud LLM calls. Prompt injection protection. |

SOC 2 Trust Service Criteria

| Criteria | Controls Implemented |
|---|---|
| Security | Encryption (AES-256-GCM), auth (JWT + API keys), RBAC, rate limiting, security headers, audit logging |
| Availability | Docker restart policies, health checks, resource limits, fallback LLM providers |
| Processing Integrity | Input validation (Pydantic), structured LLM output parsing, error handling |
| Confidentiality | Encryption at rest and in transit, PII detection, RBAC, network isolation |
| Privacy | GDPR endpoints, data retention policies, consent tracking, data minimization |

ISO 27001 Controls

Key Annex A controls implemented. Control numbers follow the ISO/IEC 27001:2013 Annex A layout; the 2022 revision regroups the same controls into four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological), so a certification audit will map them to the 2022 numbering.

| Control | Description | Implementation |
|---|---|---|
| A.5 | Information security policies | Documented in security architecture |
| A.6 | Organization of information security | RBAC with defined roles |
| A.8 | Asset management | Data inventory per product documented |
| A.9 | Access control | JWT + API keys, least-privilege roles |
| A.10 | Cryptography | AES-256-GCM at rest, TLS 1.3 in transit |
| A.12 | Operations security | Health monitoring, audit logging, change management |
| A.14 | System development | Secure SDLC, dependency scanning, security testing |
| A.16 | Incident management | Audit logs, monitoring, documented response process |
| A.18 | Compliance | GDPR, CCPA, HIPAA readiness documented |

ISO 42001 AI Management System

| Requirement | Implementation |
|---|---|
| AI policy | Documented: responsible AI use, no training on client data without consent |
| Risk assessment | Products classified as limited risk (EU AI Act). Risk per product documented. |
| AI system inventory | 8 products cataloged with data flows, LLM dependencies, and risk profiles |
| Data governance | PII detection, data retention, consent tracking, GDPR export/delete |
| Bias monitoring | LLM outputs are user-reviewed, not auto-executed. Human-in-the-loop by design. |
| Transparency | FAQ Chatbot identifies itself as AI. API responses include the model name. |
| Incident management | Audit trail + monitoring for AI-specific incidents (hallucination, data leakage) |

Certification Roadmap

| Certification | Status | Timeline |
|---|---|---|
| SOC 2 Type II | Controls implemented, audit-ready | Target Q3 2026 |
| ISO 27001 | Controls implemented | Target Q4 2026 |
| ISO 42001 | Controls implemented | Target Q1 2027 (bundled with 27001) |
| HIPAA | Ready with air-gapped deployment (HIPAA is a regulation with no certification scheme; this row tracks documented readiness) | Available on request |

For certification inquiries: niels@haagsman.ai