6ec8d3236d
- Replace TLAS with License Authority throughout documentation - Add Government of Goa emblem/logo (Ashoka Chakra style) - Update frontend branding to match documentation - Add configurable Swagger API link via VITE_API_BASE_URL env var - Fix Docker build for VitePress (git dependency, .dockerignore) - Fix helmet security headers for HTTP deployments - Add CORS support for VM deployment Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2.6 KiB
2.6 KiB
Compliance Framework
Overview
This platform is designed and operated in compliance with applicable Indian laws, government standards, and international security frameworks.
Regulatory Compliance
Information Technology Act, 2000
| Requirement | Implementation |
|---|---|
| Section 3A: Electronic signatures | Digital certificates with PKI |
| Section 4: Legal recognition of electronic records | Blockchain-based immutable records |
| Section 43A: Data protection | Encryption at rest and in transit |
| Section 72A: Breach notification | Incident response procedures |
Digital Personal Data Protection Act, 2023
| Principle | Implementation |
|---|---|
| Lawful purpose | Data collected only for licensing functions |
| Purpose limitation | No secondary use without consent |
| Data minimization | Only necessary fields collected |
| Accuracy | Applicant can update their information |
| Storage limitation | Defined retention periods |
| Security safeguards | Technical and organizational measures |
Government Guidelines
| Standard | Compliance |
|---|---|
| GIGW 3.0 | Web accessibility guidelines followed |
| MeitY Cloud Guidelines | Data residency in India |
| NIC Security Guidelines | Network and application security |
Security Standards
OWASP Top 10 Mitigation
| Vulnerability | Control |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Authentication | JWT with secure configuration |
| Sensitive Data Exposure | TLS 1.3, AES-256 encryption |
| XML External Entities | XML parsing disabled where not needed |
| Broken Access Control | RBAC with principle of least privilege |
| Security Misconfiguration | Hardened deployment checklist |
| Cross-Site Scripting | Output encoding, CSP headers |
| Insecure Deserialization | Schema validation |
| Components with Vulnerabilities | Automated dependency scanning |
| Insufficient Logging | Comprehensive audit logging |
ISO 27001 Alignment
Platform security controls align with ISO 27001 Annex A:
- A.5: Information security policies
- A.6: Organization of information security
- A.9: Access control
- A.10: Cryptography
- A.12: Operations security
- A.14: System acquisition and development
- A.16: Incident management
- A.18: Compliance
Documentation Index
- Data Protection - Personal data handling procedures
- Audit Framework - Logging, monitoring, and audit procedures
- Security Standards - Technical security controls
- Regulatory Alignment - Detailed compliance mapping