# Compliance Reviewer Pack - 2026-04-20

This packet is the reviewer-facing summary for DataSitr's current compliance
traceability posture.

It is meant for regulator-adjacent technical review, procurement diligence, and
security-review coordination.

It is not:

- regulator approval
- external legal advice
- certification
- proof that every surfaced gap is already closed

## Executive Summary

As of 2026-04-20, DataSitr maintains a machine-validated control matrix that
maps repo-visible PDPL article references, internal audit findings,
claim-boundary lines, and runtime controls to their current test and evidence
surface.

Current matrix summary:

- total controls tracked: `126`
- controls with at least one automated test reference: `106`
- controls without automated test references: `20`
- controls marked `external_dependency=true`: `12`
- coverage-gap severity breakdown (matching the dated backlog snapshot and the
  Phase 6 split below):
  - `critical`: `0`
  - `high`: `12`
  - `medium`: `4`
  - `acceptable`: `2`

Current control-type breakdown:

- `pdpl_article`: `25`
- `audit_finding`: `18`
- `claim_boundary`: `49`
- `runtime_control`: `17`
- `routing_control`: `8`
- `billing_integrity`: `7`
- `operational_principle`: `2`

The matrix is reviewer-useful because it does not hide gaps. The dated
backlog snapshot still records `18` surfaced coverage issues total:

- `16` actionable surfaces (`critical + high + medium`)
- `2` acceptable surfaces kept visible as documentary boundaries rather than
  synthetic test obligations

## What Is Included

The compliance reviewer bundle should contain:

- `docs/control_matrix.yaml`
- `docs/generated/control_matrix.json`
- `docs/generated/control_matrix.md`
- the latest dated `docs/control-matrix-coverage-backlog-*.md`
- `docs/claims-boundary.md`
- `docs/regulatory-audit-findings.md`
- `docs/founding-charter.md`
- `docs/pdpl-self-contained-operation-principle.md`
- `docs/green-lane-transfer-legal-position.md`
- `compliance/COMPLIANCE_STATUS.md`
- `docs/generated/claims_registry.md`
- `docs/generated/living_docs_status.md`
- `trusted_public_key.pem`
- `bundle_manifest.json`
- `bundle_manifest.signed.json`
- `bundle_manifest.sha256`

## How To Verify The Bundle

Build the bundle:

```bash
python3 scripts/build_compliance_reviewer_bundle.py
```

Verify one bundle:

```bash
python3 scripts/verify_compliance_reviewer_bundle.py \
  tmp/compliance-reviewer-bundles/<timestamp>-compliance-reviewer-pack/ \
  --trusted-public-key <out-of-band-trusted-public-key.pem>
```

Verification checks:

- the bundle manifest is present
- the signed manifest verifies against an out-of-band trusted Ed25519 public key PEM
- the signed manifest payload matches `bundle_manifest.json`
- every signed manifest attachment matches its recorded SHA-256 digest
- the bundled control matrix is complete against the repo-local source matrix
- the verifier prints the trusted key fingerprint used for the check

The key passed via `--trusted-public-key` must come from outside the bundle.
The `trusted_public_key.pem` shipped inside the bundle is a convenience copy for
reviewers to compare against; it cannot be the trust root, because anyone who
can tamper with the bundle can also replace that file and re-sign the manifest
with their own key. Compare the printed fingerprint with the one obtained out of
band before accepting an exit `0`.

The verifier fails closed:

- exit `0` = verified
- exit `1` = tampered, incomplete, or otherwise failed verification
- exit `2` = external trusted public key PEM missing
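
The checks and exit codes above, reduced to a worked example. This is added illustration code in Go, not the project's `scripts/verify_compliance_reviewer_bundle.py`, and it assumes a manifest layout the page does not document: `bundle_manifest.json` as a JSON object mapping attachment paths to hex SHA-256 digests, and `bundle_manifest.signed.json` carrying the exact signed bytes under `payload` with a hex Ed25519 signature under `signature`. It stands in for the source-matrix completeness check with an explicit list of required attachments, treats an unusable key PEM the same as a missing one (exit `2`), and the helper names (`BuildBundle`, `Verify`, `PublicKeyPEM`) and the sample attachment are constructed for the example. It builds a bundle with a fresh key, verifies it, then edits an attachment after signing to show the verifier failing closed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Exit codes from the reviewer pack: 0 verified, 1 tampered/incomplete, 2 trusted key PEM missing (assumption: unusable PEM also 2).
const ExitVerified, ExitFailed, ExitNoKey = 0, 1, 2

// Assumed manifest shapes (not the project's documented format).
type Manifest struct {
	Attachments map[string]string `json:"attachments"` // path -> hex SHA-256
}
type SignedManifest struct {
	Payload   json.RawMessage `json:"payload"`   // exact bytes that were signed
	Signature string          `json:"signature"` // hex Ed25519 signature over Payload
}
type Bundle map[string][]byte // unpacked bundle directory held in memory: relative path -> bytes

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PublicKeyPEM encodes the key as the out-of-band "PUBLIC KEY" PEM the verifier expects.
func PublicKeyPEM(pub ed25519.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// BuildBundle is the builder side: digest every file, then sign the manifest bytes.
func BuildBundle(priv ed25519.PrivateKey, files map[string][]byte) Bundle {
	b, m := Bundle{}, Manifest{Attachments: map[string]string{}}
	for path, data := range files {
		b[path], m.Attachments[path] = data, sha256Hex(data)
	}
	manifestBytes, _ := json.Marshal(m)
	sig := hex.EncodeToString(ed25519.Sign(priv, manifestBytes))
	b["bundle_manifest.json"] = manifestBytes
	b["bundle_manifest.signed.json"], _ = json.Marshal(SignedManifest{Payload: manifestBytes, Signature: sig})
	return b
}

// Verify applies the pack's checks in order and returns the CLI exit code. required
// lists attachments the manifest must cover (stand-in for the source-matrix completeness check).
func Verify(b Bundle, trustedPEM []byte, required []string) (int, error) {
	block, _ := pem.Decode(trustedPEM)
	if block == nil {
		return ExitNoKey, errors.New("trusted public key PEM missing or unparseable")
	}
	keyAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := keyAny.(ed25519.PublicKey)
	if err != nil || !ok {
		return ExitNoKey, errors.New("trusted key is not an Ed25519 public key")
	}
	fmt.Printf("trusted key fingerprint: sha256:%s\n", sha256Hex(pub))
	var sm SignedManifest
	if err := json.Unmarshal(b["bundle_manifest.signed.json"], &sm); err != nil {
		return ExitFailed, fmt.Errorf("signed manifest missing or unparseable: %w", err)
	}
	sig, err := hex.DecodeString(sm.Signature)
	if err != nil || !ed25519.Verify(pub, sm.Payload, sig) { // check the signature before trusting any content
		return ExitFailed, errors.New("signed manifest does not verify against the trusted key")
	}
	if !bytes.Equal(sm.Payload, b["bundle_manifest.json"]) {
		return ExitFailed, errors.New("bundle_manifest.json missing or differs from the signed payload")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return ExitFailed, fmt.Errorf("signed manifest payload unparseable: %w", err)
	}
	for _, path := range required {
		if _, ok := m.Attachments[path]; !ok {
			return ExitFailed, fmt.Errorf("bundle incomplete: %s not in manifest", path)
		}
	}
	for path, want := range m.Attachments {
		if data, ok := b[path]; !ok || sha256Hex(data) != want {
			return ExitFailed, fmt.Errorf("attachment missing or digest mismatch: %s", path)
		}
	}
	return ExitVerified, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := BuildBundle(priv, map[string][]byte{"docs/control_matrix.yaml": []byte("controls: []\n")}) // constructed sample
	code, err := Verify(b, PublicKeyPEM(pub), []string{"docs/control_matrix.yaml"})
	fmt.Println("clean bundle:", code, err)
	b["docs/control_matrix.yaml"] = []byte("controls: [edited]\n") // tamper after signing
	code, err = Verify(b, PublicKeyPEM(pub), nil)
	fmt.Println("tampered attachment:", code, err)
}
```

The ordering matters: the signature is verified before any manifest content is trusted, the loose `bundle_manifest.json` is only accepted if it is byte-identical to the signed payload, and attachments are digested only against the signed record. A bundle that passes every digest check but was signed with a key other than the out-of-band one still exits `1`.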

## Control Matrix Overview

The control matrix has three reviewer-useful properties:

1. It is source-first. `docs/control_matrix.yaml` is the source of truth.
2. It is machine-validated. `scripts/validate_control_matrix.py` rejects broken
   code/test/evidence references.
3. It is gap-explicit. `coverage_gap` and `gap_severity` stay visible per
   control until a fix branch actually closes them.

For a specific control:

- open `docs/generated/control_matrix.md`
- search for `## <CONTROL_ID>`
- or use the generated anchor form `#<lowercase-control-id>` in a Markdown
  viewer that follows GitHub-style heading anchors

Examples:

- `PDPL-ART-29-CROSS-BORDER-TOKENIZATION`
- `AUDIT-001-RAW-PII-EXTERNAL-LEAK-PROTECTION`
- `CLAIM-THREE-LANE-ROUTING-LIVE`
- `RUNTIME-PROCESSING-CHAIN-HMAC-INTEGRITY`

## Coverage Summary

Current coverage posture:

- `106 / 126` controls have direct automated test references
- `20 / 126` controls currently have no automated test references
- `12 / 126` controls are explicitly external-dependency controls
- Phase 6 backlog severity split:
  - `0` critical
  - `12` high
  - `4` medium
  - `2` acceptable

Important interpretation:

- not every missing test is a defect; some are documentary or external-fact
  boundaries
- not every tested control is fully exhaustive; the backlog also tracks weak or
  mismatched coverage
- the backlog is part of the reviewer story, not something hidden from it

## Known Limitations

Do not read this reviewer pack as proof that all surfaced issues are already
closed.

Known limitations as of 2026-04-20:

- the backlog still records `16` actionable surfaces that need follow-on fix
  branches
- no critical backlog items remain, but PDPL citation cleanup and article-level
  coverage normalization still dominate the remaining high-priority work
- the dashboard claim for TRA / subject-rights actions is currently limited by a
  Python-only validator that cannot yet machine-check the corresponding Vitest
  files
- PDPL article coverage remains mixed: some article entries are strong
  code-tested mappings, while others are still documentary placeholders or
  citation-cleanup work items
- this pack does not widen into regulator approval, legal sign-off, external
  certification, or whole-platform audit completeness

## Related References

Use these documents together:

1. `docs/generated/control_matrix.md`
2. `docs/control-matrix-coverage-backlog-20260425.md`
3. `docs/claims-boundary.md`
4. `docs/regulatory-audit-findings.md`
5. `docs/pdpl-self-contained-operation-principle.md`
6. `docs/green-lane-transfer-legal-position.md`
7. `compliance/COMPLIANCE_STATUS.md`

## Safe Wording Boundary

Safe summary wording:

- DataSitr maintains a machine-validated control matrix spanning PDPL article
  references, audit findings, claim-boundary lines, and runtime controls.
- The matrix is packaged into an Ed25519-signed reviewer bundle with a dated
  coverage backlog.
- The current bundle is reviewer-safe because it keeps surfaced gaps visible
  rather than hiding them.

Unsafe wording:

- all compliance gaps are closed
- regulator-approved control coverage
- externally audited full control completeness
- buyer-ready proof of every stated claim without qualification
