Compliance Reference
This document maps Scorpio Net’s security controls to major regulatory
frameworks.
NIST SP 800-53 Rev. 5
| Control Family | Control | Implementation |
| --- | --- | --- |
| AC — Access Control | AC-3 Access Enforcement | PIN + optional biometric; auto-lock |
| AC | AC-7 Unsuccessful Login Attempts | Exponential-backoff lockout; data wipe |
| AU — Audit & Accountability | AU-2 Event Logging | SecureLogger + AuditLogger (tamper-evident HMAC) |
| AU | AU-9 Protection of Audit Information | HMAC-SHA-512 on audit records |
| CM — Configuration Mgmt | CM-6 Configuration Settings | SecurityConfig, AppConfig constants |
| IA — Identification & Auth | IA-5 Authenticator Management | Argon2id PIN hashing; no plaintext storage |
| SC — System & Comms | SC-8 Transmission Confidentiality | TLS 1.3 + WSS + certificate pinning |
| SC | SC-12 Cryptographic Key Establishment | X3DH + Double Ratchet |
| SC | SC-13 Cryptographic Protection | AES-256-GCM, Ed25519, X25519, HKDF-SHA-512 |
| SC | SC-28 Protection of Information at Rest | iOS Keychain / Android Keystore; encrypted DB |
| SI — System Integrity | SI-3 Malicious Code Protection | Jailbreak/root detection |
HIPAA Security Rule (45 CFR Part 164)
| Safeguard | Standard | Implementation |
| --- | --- | --- |
| Technical | § 164.312(a)(1) Access Control | PIN + biometric + auto-lock |
| Technical | § 164.312(a)(2)(iv) Encryption & Decryption | AES-256-GCM end-to-end |
| Technical | § 164.312(b) Audit Controls | Tamper-evident audit log |
| Technical | § 164.312(c)(1) Integrity | HMAC-SHA-512 on audit records |
| Technical | § 164.312(e)(2)(ii) Encryption in Transit | TLS 1.3 + certificate pinning |
| Administrative | § 164.308(a)(5) Security Awareness | Developer security guidelines (SECURITY.md) |
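The AU-9 and § 164.312(c)(1) rows both rest on the same mechanism: each audit record carries an HMAC-SHA-512 that also covers the previous record's MAC, so an edit, deletion or reordering anywhere in the log breaks every later MAC. The following is an added illustration of that chaining and its verification, not the project's SecureLogger or AuditLogger code; the key, the record layout and the function names are assumptions made for the example, and the key is hard-coded only so it runs offline (the app keeps its key in the platform keystore per SC-28). It also shows the one tampering a bare chain does not catch, silent truncation of the tail, and the expected-length check that closes that gap.

```python
"""Tamper-evident audit log: HMAC-SHA-512 chained records (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In the app the key would live in the iOS Keychain /
# Android Keystore; it is hard-coded here only so the example runs offline.
AUDIT_KEY = b"constructed-demo-audit-key-not-for-production"

GENESIS_MAC = "00" * 64  # chain anchor for the first record (64 zero bytes, hex)


def _canonical(obj: Dict) -> bytes:
    # Deterministic JSON: sorted keys, no whitespace, so re-serialising the
    # same record always yields the same bytes (and therefore the same MAC).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _chain_mac(key: bytes, prev_mac: str, seq: int, record: Dict) -> str:
    # The MAC covers the previous MAC, the sequence number and the record, so
    # editing, deleting or reordering any earlier entry breaks every later MAC.
    msg = prev_mac.encode("ascii") + b"\n" + _canonical({"seq": seq, "record": record})
    return hmac.new(key, msg, hashlib.sha512).hexdigest()


def append_record(log: List[Dict], record: Dict, key: bytes = AUDIT_KEY) -> Dict:
    seq = len(log)
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"seq": seq, "record": record, "mac": _chain_mac(key, prev_mac, seq, record)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes = AUDIT_KEY,
               expected_len: Optional[int] = None) -> Tuple[bool, int]:
    """Return (ok, index): index is the first bad entry, or -1 when the log is intact.

    expected_len guards against silent truncation: a chain that has merely lost
    its tail still verifies, so the verifier must know how many entries to expect
    (for example from a separately stored, signed head pointer)."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        if entry.get("seq") != i:            # gap or reordering
            return False, i
        expected = _chain_mac(key, prev_mac, i, entry["record"])
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i                  # record or MAC modified
        prev_mac = entry["mac"]
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)               # tail truncated (or entries added)
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    # Constructed sample events of the kind an access-event logger would emit.
    events = [
        {"ts": "2024-01-01T10:00:00Z", "event": "unlock", "method": "pin", "result": "ok"},
        {"ts": "2024-01-01T10:05:00Z", "event": "unlock", "method": "pin", "result": "fail"},
        {"ts": "2024-01-01T10:05:30Z", "event": "lockout", "backoff_s": 30},
    ]
    log: List[Dict] = []
    for e in events:
        append_record(log, e)

    results = {"intact": verify_log(log)}

    edited = copy.deepcopy(log)
    edited[1]["record"]["result"] = "ok"     # rewrite a failed attempt as a success
    results["edited"] = verify_log(edited)

    deleted = copy.deepcopy(log)
    del deleted[1]                           # drop the failed attempt entirely
    results["deleted"] = verify_log(deleted)

    truncated = copy.deepcopy(log)[:-1]      # lose the lockout event at the tail
    results["truncated_unguarded"] = verify_log(truncated)
    results["truncated_guarded"] = verify_log(truncated, expected_len=len(log))
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:20s} ok={ok} first_bad_index={idx}")
```

The verifier reports the first entry whose MAC or sequence number fails, which is the point from which the chain can no longer be trusted; entries before it remain attested. Because truncation of the tail leaves a valid shorter chain, an auditor needs an out-of-band count or a signed head MAC in addition to the chain itself.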
GDPR (EU 2016/679)
| Article | Requirement | Implementation |
| --- | --- | --- |
| Art. 5 | Data minimisation | No metadata beyond sender/receiver/timestamp |
| Art. 17 | Right to erasure | Account deletion wipes all keys + ciphertext |
| Art. 20 | Data portability | Export of encrypted message archive |
| Art. 25 | Privacy by design | E2EE default; minimal data collection |
| Art. 32 | Security of processing | AES-256-GCM + Signal Protocol |
| Art. 33 | Breach notification | 72-hour notification procedure (TODO: document) |
FERPA (20 U.S.C. § 1232g)
Where Scorpio Net is deployed in educational settings, student communications
are treated as education records. Controls include:
- Access limited to authorised parties only (E2EE enforced)
- Audit logging of access events
- Data retention limited to institutional policy
- No disclosure to third parties without consent
Algorithm Compliance (FIPS 140-3 / NIST SP 800-175B)
| Algorithm | Standard | Usage |
| --- | --- | --- |
| AES-256-GCM | FIPS 197 + SP 800-38D | Message encryption |
| SHA-512 | FIPS 180-4 | HMAC, HKDF |
| Ed25519 | SP 800-186 | Identity signatures |
| X25519 | SP 800-186 | Key exchange |
| Argon2id | SP 800-63B | Password hashing |
| HKDF | RFC 5869 | Key derivation |