ADR 0018 — Enterprise Procurement Compliance Track

  • Status: Accepted (locked 2026-05-08, formalized 2026-05-09)
  • Date: 2026-05-08
  • Deciders: TLSStress.Art project
  • Targets: 18-month rolling horizon (audits + cert annually)
  • Source memo: project_enterprise_compliance_track_2026_05_08.md

Context

On 2026-05-08 the user locked the strategic intent to land enterprise giants in BR/LATAM (NTT, VIVO, America Movil, Claro) and, in parallel, EU/US enterprise customers. These procurement organizations share an immutable compliance baseline:

"Without SOC 2 Type II + ISO 27001 + documented LGPD/GDPR + a signable DPA, we do not get past the procurement gate."

The bench's open-source nature does not exempt us from this — the operator's deployment must inherit our compliance posture for the customer to use it under their certified controls.

Decision

Adopt an 18-month rolling certification track with mandatory baseline + opt-in differentiators:

Mandatory baseline (18-month plan)

| Certification | Scope | Year-1 cost | Recurring |
|---|---|---|---|
| SOC 2 Type II | Security + Availability + Confidentiality | $40-70K USD | $30-50K/yr |
| ISO 27001 | ISMS — controls aligned with SOC 2 to amortize work | $30-50K USD | $15-25K/yr |
| LGPD compliance (BR) | DPO appointed + privacy notice + DPA template | $10-20K USD | $5-10K/yr |
| GDPR compliance (EU) | Same DPO + DPA + UK-IDTA addendum | $10-20K USD | $5-10K/yr |

Opt-in differentiators (per-customer demand)

| Item | When to invest |
|---|---|
| VPAT 2.5 (accessibility) | US Federal RFPs; FedRAMP precursor |
| CAIQ (Cloud Security Alliance) | Cloud-native enterprise customers |
| SIG (Standardized Information Gathering) | Financial sector customers |
| Cyber insurance ≥ $10M USD | Required by most enterprise procurement clauses |
| DPA template | LGPD/GDPR — customer-signable boilerplate |
| HIPAA BAA template | Healthcare customers (US) |
| PCI-DSS attestation | Payment industry customers |

Audit & artifact production

  • Annual external audit (SOC 2 Type II requires 6-month observation window); use Drata or Vanta for continuous evidence collection.
  • Quarterly internal review of controls + evidence.
  • Auditor-blessed report bundles generated by the dashboard itself (see Inspection Profile compliance preset, ADR 0010).

Year-1 budget envelope

| Bucket | Range |
|---|---|
| External audits (SOC 2 + ISO 27001) | $70-120K |
| Compliance tooling (Drata / Vanta + GRC) | $30-50K |
| Legal (DPO + DPAs + privacy review) | $20-40K |
| Cyber insurance premium ($10M cover) | $20-30K |
| Total year-1 | $140-240K USD |
| Recurring annual | $50-90K USD |

Consequences

  • Positive: unlocks enterprise procurement gate; competitive parity with IXIA / Spirent who are SOC 2 + ISO 27001 by default; LGPD/GDPR compliance reduces legal exposure across the customer base.
  • Negative: significant year-1 cost; ongoing audit cadence consumes engineering attention (~20 person-days/year); DPO appointment is a personal-liability role.
  • Hard to reverse: once customers reference our SOC 2 report in their own audit chain, dropping it forces them to re-paper their certification. Plan for permanent recurring cost.

Roadmap

| Quarter | Milestone |
|---|---|
| Q1 (next 3 months) | DPO appointed; LGPD/GDPR privacy notice + DPA template published; cyber insurance bound |
| Q2 | Drata/Vanta deployed; controls inventory mapped; gap remediation begins |
| Q3 | SOC 2 Type II observation window starts (6 months) |
| Q4 | ISO 27001 surveillance audit; gap remediation completes |
| Q5 (Y2 Q1) | SOC 2 Type II report issued; ISO 27001 certification awarded |
| Q6+ | Annual recertification cadence; opt-in additions per customer demand |

Open questions

Tracked in source memo:

  1. Use a third-party auditor (KPMG / Deloitte / EY) or a compliance-tech-native firm (Vanta-affiliated)?
  2. Self-host the compliance evidence platform (MinIO + signed artefacts) or use Drata/Vanta's hosted SaaS?
  3. Country of incorporation for the DPO role (BR vs DE vs US)?

References

  • Source memo: project_enterprise_compliance_track_2026_05_08.md
  • Cross-ref: ADR 0010 (Inspection Profile — compliance preset)
  • Cross-ref: ADR 0017 (Backup/DR — required by SOC 2 + ISO 27001)
  • Cross-ref: project_quality_excellence_policy_2026_05_08.md