
Compliance Mapping

Noxys is built to help you comply with global regulations. This page maps Noxys features to specific regulatory requirements.

EU AI Act (Regulation 2024/1689)

The EU AI Act regulates high-risk AI systems and prohibits certain AI uses.

Prohibited AI Practices (Article 5)

Practices prohibited under the EU AI Act, and the Noxys control that maps to each:

| Prohibited practice | Noxys feature | How it helps |
|---|---|---|
| Subliminal, manipulative or deceptive techniques | Policy: Block | Create a policy that blocks AI use for subliminal manipulation |
| Real-time remote biometric identification in public spaces (outside the narrow law-enforcement exceptions) | Policy: Block | Block unauthorized facial recognition models |
| Social scoring | Policy: Log | Record usage for compliance audit |

High-Risk AI (Articles 9-14)

High-risk AI systems require governance controls. Noxys supports:

| Requirement | Implementation |
|---|---|
| User information | Extension notifies users of AI usage |
| Logging & record-keeping | Immutable audit trail (1-year retention) |
| Transparency | Admin dashboards show all AI interactions |
| Risk assessment | Risk score for each interaction (0-1) |
| Mitigation measures | Policies can block or warn on high-risk usage |
| Human oversight | Admins review alerts and exceptions |

Transparency Requirements (Articles 13-14)

| Article | Requirement | Noxys implementation |
|---|---|---|
| 13(2)(a) | Inform users AI is being used | Extension shows a banner when AI is detected |
| 13(2)(b) | Identify provider | Dashboard shows platform name (ChatGPT, Claude, etc.) |
| 13(2)(c) | Explain system characteristics | Admin guide documents classification tiers |
| 14(3) | Meaningful information to affected users | Audit log exports show all affected users |

Audit Trail for Compliance

Export compliance report:

# API
curl -X GET "https://api.noxys.cloud/api/v1/audit-log?export=true" \
-H "Authorization: Bearer $TOKEN" > audit-trail.json

# Dashboard: Settings → Audit Log → Export

Export includes:

  • Which employees used which AI platforms
  • Which policies were applied
  • Classification results (no PII)
  • Admin actions taken
  • Timestamps and user identities

GDPR (Regulation 2016/679)

GDPR is the foundation of EU data protection law.

GDPR Articles & Noxys Implementation

| Article | Requirement | Noxys feature |
|---|---|---|
| 5 | Data minimisation | Only hashes and metadata stored, never raw prompts |
| 5 | Storage limitation | 90-day default retention, configurable |
| 25 | Privacy by design | Raw data never collected; TLS by default |
| 28 | Processor obligations | DPA (Data Processing Agreement) available |
| 32 | Security of processing | TLS 1.3 in transit, optional at-rest encryption |
| 33 | Data breach notification | Contact security@noxys.eu; 72-hour notification |
| 34 | Data subject notification | Noxys notifies affected users of breaches |
| 35 | DPIA | Data Protection Impact Assessment template on request |

Data Processing Agreement (DPA)

To execute a DPA with Noxys:

  1. Contact sales@noxys.eu with:

    • Organization name
    • Data processing purpose
    • Categories of personal data
    • Intended recipients
  2. Noxys provides Standard Contractual Clauses (SCCs) for any transfer of personal data outside the EU/EEA to a country without an adequacy decision

  3. Agreement signed within 10 business days

Right to Erasure (Article 17)

Request deletion of all user data:

Dashboard:

  1. Go to Settings → Data & Privacy
  2. Click Delete All My Data
  3. Confirm (irreversible)
  4. Data deleted within 30 days; backups purged within 90 days

API:

curl -X DELETE https://api.noxys.cloud/api/v1/users/me \
-H "Authorization: Bearer $TOKEN"

Data Portability (Article 20)

Export all your data in machine-readable format:

Dashboard:

  1. Go to Settings → Data & Privacy
  2. Click Export Data
  3. Choose format: JSON, CSV, or NDJSON
  4. Download export

API:

curl -X GET https://api.noxys.cloud/api/v1/users/me/data-export \
-H "Authorization: Bearer $TOKEN" \
-o export.json

GDPR Checklist

Use this to verify your Noxys deployment is GDPR-compliant:

  • ✅ DPA signed with Noxys
  • ✅ Data minimization: Only hashes stored (no raw content)
  • ✅ Encryption in transit: TLS 1.3
  • ✅ Encryption at rest: Full-disk encryption enabled
  • ✅ Access control: RBAC with SSO
  • ✅ Audit logging: All admin actions logged
  • ✅ Data retention: 90-day default (configurable)
  • ✅ Right to erasure: Users can delete data
  • ✅ Data portability: Users can export data
  • ✅ Incident response: Contact security@noxys.eu

NIS2 Directive (2022/2555)

NIS2 applies to essential and important entities in critical sectors (energy, transport, health, digital infrastructure and others).

NIS2 Requirements & Noxys Implementation

| Requirement | Noxys feature |
|---|---|
| Asset & risk management | Dashboard shows all AI platform usage and risk scores |
| Access control | RBAC (Admin/Viewer), SSO support, MFA coming in v0.5 |
| Encryption | TLS 1.3, optional full-disk encryption |
| Supply chain security | Dependency scanning, vulnerability management |
| Security monitoring | Real-time alerts, webhook integration with SIEM |
| Incident handling | Audit trail, incident response playbooks |
| Business continuity | Automated daily backups, 30-day retention |
| Recovery procedures | Documented RTO/RPO targets |

NIS2 Compliance Report

Generate compliance report:

# Export all interactions with risk classifications
curl -X GET "https://api.noxys.cloud/api/v1/interactions?export=true" \
-H "Authorization: Bearer $TOKEN" > nis2-report.json

Report shows:

  • AI platform inventory
  • Risk assessments
  • Policy enforcement
  • User activities
  • Incident history
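Both the EU AI Act audit-trail export earlier on this page and this NIS2 interactions export are JSON files that you will normally want to check offline before handing them to an auditor. The script below is an added example written for this page, not Noxys code: it summarises an interactions export and flags the things the checklists on this page ask for (platform inventory, per-user platform usage, high-risk interactions that were neither blocked nor warned, records older than the retention window, and any raw content that should never be in an export). The record field names (timestamp, user, platform, risk_score, policy_action, classification, prompt_hash), the 0.7 high-risk threshold and the sample records are assumptions; the 90-day default retention and the 0-1 risk score range are taken from this page.

```python
"""Offline compliance summary over a Noxys interactions export (added example, not Noxys code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

HIGH_RISK = 0.7           # assumed threshold; the page only says scores are 0-1
RETENTION_DAYS = 90       # page: 90-day default retention
# Field names that would mean raw prompt/response content leaked into the export.
RAW_CONTENT_FIELDS = {"prompt", "response", "content", "text"}

# Constructed sample export; field names are assumptions about the real schema.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2026-01-10T09:00:00Z", "user": "alice@example.com", "platform": "ChatGPT",
     "risk_score": 0.2, "policy_action": "allow", "classification": "public", "prompt_hash": "a1" * 32},
    {"timestamp": "2026-01-11T10:30:00Z", "user": "bob@example.com", "platform": "Claude",
     "risk_score": 0.85, "policy_action": "block", "classification": "confidential", "prompt_hash": "b2" * 32},
    {"timestamp": "2026-01-12T11:00:00Z", "user": "bob@example.com", "platform": "ChatGPT",
     "risk_score": 0.9, "policy_action": "log", "classification": "confidential", "prompt_hash": "c3" * 32},
    {"timestamp": "2025-09-01T08:00:00Z", "user": "carol@example.com", "platform": "Gemini",
     "risk_score": 0.4, "policy_action": "warn", "classification": "internal", "prompt_hash": "d4" * 32},
])
# Constructed export that wrongly carries a raw prompt alongside the hash.
LEAKY_EXPORT = json.dumps([
    {"timestamp": "2026-01-10T09:00:00Z", "user": "dave@example.com", "platform": "ChatGPT",
     "risk_score": 0.1, "policy_action": "allow", "prompt_hash": "e5" * 32, "prompt": "should not be here"},
])
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_report(export_json: str, now: datetime) -> dict:
    """Aggregate an interactions export and collect compliance findings.

    Findings are record indices into the export so they can be cross-referenced
    with the raw file; aggregates are plain lists so the report serialises cleanly.
    """
    records = json.loads(export_json)
    platforms, usage = set(), defaultdict(set)
    report = {"high_risk_total": 0, "enforcement_gaps": [], "raw_content_leaks": [],
              "over_retention": [], "invalid_scores": []}
    cutoff = now - timedelta(days=RETENTION_DAYS)

    for i, rec in enumerate(records):
        leaked = RAW_CONTENT_FIELDS & rec.keys()      # data minimisation: hashes only
        if leaked:
            report["raw_content_leaks"].append((i, sorted(leaked)))
        score = rec.get("risk_score")
        if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
            report["invalid_scores"].append(i)         # outside the documented 0-1 range
            continue
        platforms.add(rec["platform"])
        usage[rec["user"]].add(rec["platform"])
        if _parse_ts(rec["timestamp"]) < cutoff:
            report["over_retention"].append(i)         # storage limitation check
        if score >= HIGH_RISK:
            report["high_risk_total"] += 1
            if rec.get("policy_action") not in ("block", "warn"):
                report["enforcement_gaps"].append(i)   # high risk but only logged/allowed

    report["platforms"] = sorted(platforms)
    report["usage"] = {user: sorted(p) for user, p in sorted(usage.items())}
    return report


def summarize_sample() -> dict:
    """Run the report over the constructed sample with the fixed timestamp."""
    return build_report(SAMPLE_EXPORT, SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(summarize_sample(), indent=2))
```

Run it against the real file with `build_report(open("nis2-report.json").read(), datetime.now(timezone.utc))`. Keeping this step local matters: the export already contains user identities, so it should not be pasted into a third-party tool just to count rows.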

ISO 27001 (Information Security Management)

Noxys is on track for ISO 27001 certification in Q3 2026.

Roadmap

| Phase | Timeline | Activities |
|---|---|---|
| Assessment | Q1-Q2 2026 | Gap analysis, security audit |
| Implementation | Q2 2026 | Policy development, controls enhancement |
| Certification | Q3 2026 | External audit by accredited body |

Pre-Certification Controls

Noxys already implements ISO 27001 controls:

| Control | Implementation |
|---|---|
| Asset management | Inventory of all systems, data and users |
| Access control | RBAC, authentication, authorization |
| Cryptography | TLS 1.3, SHA-256 hashing, AES-256 encryption |
| Physical security | Data centers with biometric access |
| Incident management | 24/7 monitoring, incident response plan |
| Business continuity | Daily backups, disaster recovery plan |
| Supplier management | Third-party risk assessments, contracts |

SOC 2 Type II

SOC 2 audit in progress; expected completion Q2 2026.

Audit Scope

| Category | Status |
|---|---|
| Security | ✅ In scope |
| Availability | ✅ In scope |
| Processing integrity | ✅ In scope |
| Confidentiality | ✅ In scope |

Pre-Audit Controls

  • ✅ Access controls (authentication, RBAC)
  • ✅ Encryption (TLS, hashing)
  • ✅ Audit logging (immutable records)
  • ✅ Monitoring & alerting (24/7)
  • ✅ Incident response (documented procedures)
  • ✅ Backup & recovery (tested quarterly)
  • ✅ Change management (documented process)
  • ✅ Segregation of duties (admin/viewer roles)

HIPAA (Health Insurance Portability & Accountability Act)

The Noxys architecture supports HIPAA requirements, but Noxys has not yet completed an independent HIPAA assessment (there is no official government HIPAA certification).

HIPAA Readiness

| Requirement | Implementation |
|---|---|
| Administrative safeguards | Access control, authentication |
| Physical safeguards | Data center security, access logs |
| Technical safeguards | Encryption, audit logs, access controls |
| Organizational safeguards | Employee training, incident response |

Enable HIPAA Mode

NOXYS_HIPAA_MODE=true
NOXYS_ENCRYPTION_AT_REST_ENABLED=true
NOXYS_AUDIT_LOG_RETENTION=2555 # days (7 years)
NOXYS_BACKUP_RETENTION=365 # days (1 year)

Contact compliance@noxys.eu for HIPAA BAA (Business Associate Agreement).

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS applies if you process payment card data.

Noxys is PCI DSS Ready

Noxys does not store payment card data (Stripe integration tokenizes cards).

If using Noxys with payment processing:

  • ✅ Encryption for all data in transit (TLS 1.3)
  • ✅ Access control (RBAC, authentication)
  • ✅ Audit logging (all transactions logged)
  • ✅ Regular security testing (penetration testing)

Enable PCI Mode

NOXYS_PCI_MODE=true
NOXYS_ENCRYPTION_AT_REST_ENABLED=true
NOXYS_TLS_MIN_VERSION=1.2 # PCI DSS minimum; set 1.3 if all clients support it
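The HIPAA and PCI settings above are plain environment variables, so nothing stops a deployment from setting NOXYS_PCI_MODE=true while leaving NOXYS_TLS_MIN_VERSION at 1.0 or forgetting encryption at rest. The validator below is an added example written for this page, not Noxys code: it parses a .env-style file and checks the combinations this page implies, showing a weak configuration next to a hardened one. The variable names are the ones shown on this page; the rules that a compliance mode must imply encryption at rest, that PCI DSS requires TLS 1.2 or higher, and that HIPAA requires six years of documentation retention (45 CFR 164.316(b)(2)(i)) are the editor's reading of the standards, not documented Noxys behaviour; both sample configurations are constructed.

```python
"""Validate NOXYS_* compliance-mode settings before deployment (added example, not Noxys code)."""

HIPAA_MIN_AUDIT_DAYS = 6 * 365   # 45 CFR 164.316(b)(2)(i): retain documentation six years
PCI_MIN_TLS = (1, 2)             # PCI DSS: TLS 1.2 or higher for cardholder data in transit

# Constructed: both modes on, but the supporting settings were never set.
WEAK_ENV = """
NOXYS_HIPAA_MODE=true
NOXYS_PCI_MODE=true
NOXYS_AUDIT_LOG_RETENTION=90
NOXYS_TLS_MIN_VERSION=1.0
"""

# Constructed: the HIPAA and PCI settings from this page, combined, with TLS raised to 1.3.
HARDENED_ENV = """
NOXYS_HIPAA_MODE=true
NOXYS_PCI_MODE=true
NOXYS_ENCRYPTION_AT_REST_ENABLED=true
NOXYS_AUDIT_LOG_RETENTION=2555 # days (7 years)
NOXYS_BACKUP_RETENTION=365 # days (1 year)
NOXYS_TLS_MIN_VERSION=1.3
"""


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, ignoring blank lines and '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def is_true(value: str) -> bool:
    return value.lower() in ("true", "1", "yes", "on")


def tls_version(value: str) -> tuple:
    """'1.2' -> (1, 2) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in value.split("."))


def retention_days(env: dict, key: str) -> int:
    """Return the configured days, or -1 if unset or non-numeric so it fails the floor."""
    try:
        return int(env.get(key, "-1"))
    except ValueError:
        return -1


def check_compliance_env(text: str) -> list:
    """Return a list of problems; an empty list means the modes are consistently configured."""
    env = parse_env(text)
    problems = []
    at_rest = is_true(env.get("NOXYS_ENCRYPTION_AT_REST_ENABLED", "false"))

    if is_true(env.get("NOXYS_HIPAA_MODE", "false")):
        if not at_rest:
            problems.append("HIPAA mode requires NOXYS_ENCRYPTION_AT_REST_ENABLED=true")
        days = retention_days(env, "NOXYS_AUDIT_LOG_RETENTION")
        if days < HIPAA_MIN_AUDIT_DAYS:
            problems.append(f"NOXYS_AUDIT_LOG_RETENTION={days} is below the HIPAA floor of {HIPAA_MIN_AUDIT_DAYS} days")

    if is_true(env.get("NOXYS_PCI_MODE", "false")):
        if not at_rest:
            problems.append("PCI mode requires NOXYS_ENCRYPTION_AT_REST_ENABLED=true")
        if tls_version(env.get("NOXYS_TLS_MIN_VERSION", "1.0")) < PCI_MIN_TLS:
            problems.append("NOXYS_TLS_MIN_VERSION must be 1.2 or higher under PCI DSS")

    return problems


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, check_compliance_env(text) or "ok")
```

Wire `check_compliance_env(open(".env").read())` into the deployment pipeline and fail the rollout on a non-empty list; a mode flag that is on while its supporting controls are off is exactly the gap an auditor will find.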

SOX (Sarbanes-Oxley)

SOX applies to public companies and requires controls over financial systems.

SOX Compliance with Noxys

| Requirement | Implementation |
|---|---|
| IT controls | Access controls, audit logs, change management |
| Data integrity | Immutable audit trail, no data modification |
| Monitoring | Real-time alerts, compliance dashboards |
| Documentation | Policy library, audit trail exports |

Generate SOX Report

# Export audit log for financial systems
curl -X GET "https://api.noxys.cloud/api/v1/audit-log?filter=financial_systems" \
-H "Authorization: Bearer $TOKEN" > sox-audit.json

Data Residency Compliance

EU Data Residency (GDPR Article 44)

Ensure data never leaves the EU:

# Cloud deployment in EU regions
NOXYS_DATA_RESIDENCY=eu

# Or self-host entirely
NOXYS_DEPLOYMENT=self-hosted # Your VPC/on-premise only

Schrems II Compliance

Following the CJEU's Schrems II judgment (Case C-311/18, 2020), which invalidated the EU-US Privacy Shield and tightened the conditions for EU-US data transfers:

  • ✅ Standard Contractual Clauses (SCCs) included in DPA
  • ✅ Optional: EU data residency (no US transfers)
  • ✅ Optional: Self-hosting (zero US cloud)

Regional Requirements

| Region | Noxys options |
|---|---|
| Germany | EU data only; German language support |
| France | EU data only; CNIL compliance |
| Canada | PIPEDA compliance coming Q4 2026 |
| Australia | APPs compliance coming Q4 2026 |

Compliance Checklist

Use this to verify your deployment meets regulatory requirements:

GDPR

  • ✅ DPA signed
  • ✅ Data minimization (hashes only)
  • ✅ Encryption enabled
  • ✅ Right to erasure implemented
  • ✅ Data portability available
  • ✅ Audit logging enabled

EU AI Act

  • ✅ Prohibited use policies created
  • ✅ High-risk AI tracked
  • ✅ Audit trail maintained
  • ✅ Transparency enabled
  • ✅ Risk scoring active

NIS2

  • ✅ Asset inventory maintained
  • ✅ Access control configured
  • ✅ Monitoring & alerting enabled
  • ✅ Incident response plan documented
  • ✅ Business continuity in place

SOC 2

  • ✅ Access controls implemented
  • ✅ Encryption enabled
  • ✅ Monitoring 24/7
  • ✅ Audit logs maintained
  • ✅ Backup & recovery tested

Next Steps

Compliance questions? Email compliance@noxys.eu or sales@noxys.eu