Compliance

Regulatory alignment by design.

TrueSign is engineered against the controls that govern regulated authorization. Status reflects current implementation, certification, and roadmap posture.

Examiner-facing positioning
TrueSign is not a second factor of authentication. It is a transaction-bound cryptographic authorization control. Each approval produces a deterministic, hardware-bound, policy-governed artifact intended to satisfy supervisory expectations for non-repudiation, dynamic linking, and audit reconstruction.

The above is the positioning provided to internal audit, second-line risk, and external examiners during institutional procurement review. It reflects the control TrueSign actually enforces, not the category to which it is sometimes informally assigned.

Audit artifact, per authorization
  • Canonical intent message (deterministic)
  • Hardware-attested signing key identifier
  • Verifier policy hash at sign-time
  • Authorization signature (Ed25519; PQ hybrid optional)
  • Hash-chained ledger commitment
  • Optional external notarization reference

Framework matrix

Seventeen frameworks tracked.

Framework                               Status
PSD2 / PSD3 SCA                         Aligned
FFIEC Authentication Guidance           Aligned
NIST SP 800-63B AAL3                    Aligned
NIST SP 800-207                         Aligned
NYDFS 23 NYCRR 500                      Aligned
NAIC Model Cybersecurity (MDL-668)      Aligned
PCI DSS 4.0                             Aligned
FedRAMP Moderate                        Implementation in progress; authorization targeted
FedRAMP High                            Roadmap
CMMC 2.0                                Aligned
MAS TRM                                 Aligned
RBI Master Direction (IT Governance)    Aligned
APRA CPS 234                            Aligned
SOC 2 Type II                           Preparation in progress
ISO/IEC 27001                           Certification path in progress
GDPR / UK GDPR                          Aligned
CCPA / CPRA                             Aligned

Statements of alignment refer to the controls TrueSign implements relative to the named framework. They do not constitute certification. Certification status is presented separately and updated as evidence is filed with the relevant authority. FedRAMP Moderate authorization is targeted; FedRAMP High is on the roadmap subject to sponsor agency engagement. SOC 2 Type II report and ISO/IEC 27001 certification are made available to qualified counterparties under mutual non-disclosure once issued.

Per-framework commentary

How each framework maps to the control.

The notes below summarize how TrueSign's authorization control aligns to the cited obligation. They are written for second-line risk, internal audit, and examiner review, and are intended as the basis for a more detailed control-mapping workbook provided under NDA.

PSD2 / PSD3 SCA

Aligned
EU / UK

TrueSign satisfies the two-factor inherence/possession composition by binding a hardware-attested signing key to a deterministic intent message. Dynamic linking is enforced cryptographically: the signature commits to payee, amount, and currency, so post-authorization tampering is detectable by any verifier.

FFIEC Authentication Guidance

Aligned
United States

Layered security and transaction-level authentication for high-risk account activity are implemented through per-transaction cryptographic authorization, not session-bound MFA. Each authorization produces a non-repudiable artifact suitable for examiner reconstruction.

NIST SP 800-63B AAL3

Aligned
United States

TrueSign meets AAL3 by requiring a hardware-bound cryptographic authenticator with verifier impersonation resistance and replay resistance. Authentication intent is established per authorization rather than per session.

NIST SP 800-207

Aligned
United States

Zero Trust requires per-request policy decision and continuous verification. TrueSign moves the trust boundary from the session to the transaction: every authorization is independently policy-evaluated, signed, and logged.

NYDFS 23 NYCRR 500

Aligned
New York

Section 500.12 multi-factor authentication and Section 500.06 audit trail obligations are satisfied with cryptographically verifiable evidence of who authorized what, when, and under which policy version.

NAIC Model Cybersecurity (MDL-668)

Aligned
United States

Section 4 information security program requirements are supported by hardware-bound authorization, immutable audit trail, and incident-ready evidence preservation aligned with state insurance department examinations.

PCI DSS 4.0

Aligned
Global

Requirements 8.4 (MFA), 8.5 (non-shared credentials), and 10.x (logging integrity) are addressed by per-action cryptographic authorization with a hash-chained ledger that detects log tampering.

FedRAMP Moderate

Implementation in progress; authorization targeted
United States

Control families AC, AU, IA, and SC are mapped to TrueSign's authorization, audit, identity, and cryptographic boundary. Authorization package preparation is underway under sponsor agency engagement; status is updated as evidence is filed.

FedRAMP High

Roadmap
United States

High-impact uplift includes additional SC and AU controls already addressed by hardware attestation and ledger-chained audit. It is pursued subject to sponsor agency engagement following Moderate authorization.

CMMC 2.0

Aligned
United States DoD

Level 2 practices for IA, AC, and AU are met through hardware-bound authentication and immutable audit; Level 3 expectations regarding advanced persistent threat resilience are addressed by post-quantum hybrid cryptography on the authorization channel.

MAS TRM

Aligned
Singapore

MAS TRM 14.x access control and 11.x cryptography expectations are met by hardware-rooted authorization keys, deterministic transaction binding, and verifiable audit trails suitable for MAS thematic reviews.

RBI Master Direction (IT Governance)

Aligned
India

Chapter IV cryptographic controls and Chapter VI audit trail expectations are addressed by per-transaction cryptographic authorization with hash-chained ledger commitments.

APRA CPS 234

Aligned
Australia

Paragraphs 23 to 28 information security capability and incident management obligations are supported by cryptographic non-repudiation and rapid evidence reconstruction for APRA notification windows.

SOC 2 Type II

Preparation in progress
Global

Common Criteria CC6 logical access and CC7 system operations controls are designed-in. Type II observation period preparation underway; report made available under mutual NDA upon issuance.

ISO/IEC 27001

Certification path in progress
Global

Annex A controls A.5, A.8, A.9, and A.12 are addressed by the authorization control plane and ledger. Statement of Applicability and certification engagement underway.

GDPR / UK GDPR

Aligned
EU / UK

Article 5 data minimization is supported by signing intent, not personal data. Article 32 security of processing is met through hardware-rooted cryptography. Records of authorization decisions support Article 30 documentation obligations.

CCPA / CPRA

Aligned
California, US

Verifiable consumer request workflows and recordkeeping for authorized actions are supported by tamper-evident logs. TrueSign does not sell personal information and supports purpose-limitation by design.