Security & Regulatory Alignment
Compliance & Standards
QueryTek Tapestry maintains rigorous compliance with enterprise security and privacy standards. As an identity and routing interoperability layer, Tapestry implements controls that protect sensitive data while enabling seamless partner integrations.
Compliance Scope Boundary
Tapestry's compliance framework is focused on our core responsibilities as an identity broker and routing platform:
- Identity brokering, session lifecycle, and token handling
- Partner routing and integration control surfaces
- Platform configuration, secrets, observability, and operational controls
Note: Partner domain logic and partner-owned compliance workflows remain outside Tapestry's core runtime. We maintain strict boundaries to ensure clear accountability.
Core Standards
These standards apply universally to Tapestry's operations and are fundamental to our enterprise service delivery.
- ISO 27001: Information Security Management System (ISMS)
- SOC 2: Trust Services Criteria for security, availability, and confidentiality
- GDPR: EU data protection and privacy rights
- CCPA/CPRA: California consumer privacy obligations
- WCAG 2.1 AA: Web accessibility for inclusive interfaces
Conditional Standards
These standards apply based on specific customer requirements, data processing contexts, or market conditions.
- ISO 27018: Cloud PII protection
- PIPEDA: Canadian privacy law
- EU-U.S. DPF: Cross-border data transfers
- FedRAMP: Federal cloud authorization
- Section 508: Federal accessibility requirements
Program Governance
Our organizational policies ensure ethical operations and accountability across all stakeholder relationships.
- Code of Conduct: Ethical standards and supplier diversity
- Confidentiality Policy: NDA and information protection
- Training Programs: Annual awareness and ethical reporting
- Privacy Policy: Data handling and security baselines
Standards Applicability Matrix
Core standards apply across Tapestry's operations. Conditional standards apply based on customer, market, or data processing requirements.
Security & Information Management
| Standard | Applicability | Status |
|---|---|---|
| ISO 27001 | Core | In Progress |
| ISO 27017 | Conditional | Planned |
| ISO 27018 | Conditional | Planned |
| SOC 2 | Core | In Progress |
| SOX | Conditional | Planned |
Privacy & Data Protection
| Standard | Applicability | Status |
|---|---|---|
| GDPR | Core | In Progress |
| CCPA/CPRA | Core | In Progress |
| PIPEDA | Conditional | Planned |
| EU-U.S. DPF | Conditional | Planned |
| APEC CBPR | Conditional | Planned |
Federal & Accessibility Standards
| Standard | Applicability | Status |
|---|---|---|
| WCAG 2.1 AA | Core | In Progress |
| Section 508 | Conditional | Planned |
| FedRAMP Rev. 5 | Conditional | Planned |
| NIST SP 800-53 | Conditional | Planned |
| FIPS 140-3 | Conditional | Planned |
Evidence & Audit Readiness
Tapestry maintains comprehensive evidence artifacts to support compliance audits and customer due diligence:
Core Documentation
- Information Security Policy
- Privacy and Data Handling Policy
- Risk Register and ISMS Records
- Control Matrix and Testing Logs
Operational Runbooks
- Incident Response Procedures
- Vulnerability Management
- Secrets and Key Rotation
- Backup and Recovery Plans
Technical Evidence
- Architecture Decision Records (ADRs)
- Test Strategy and Quality Gates
- Security Scan Reports
- Access Review Logs
Review Cadence: Quarterly compliance review by the Security and Compliance team. Last Updated: February 2026.