# Compliance Reviewer Pack - 2026-05-18

This packet is the reviewer-facing summary for DataSitr's current compliance
traceability posture after the 2026-05-17 ACK production deploy of image
`datasitr-api:979aa53b`, the matching GCP Dammam warm-standby refresh, and the
post-deploy DPIA / credibility-ladder updates.

**Last updated:** 2026-05-18

It is meant for regulator-adjacent technical review, procurement diligence, and
security-review coordination.

It is not:

- regulator approval
- external legal advice
- certification
- proof that every surfaced gap is already closed

## Executive Summary

As of 2026-05-18, DataSitr maintains a machine-validated control matrix that
maps repo-visible PDPL article references, internal audit findings,
claim-boundary lines, routing controls, runtime controls, billing integrity
controls, and operational principles to their current test and evidence surface.

Current matrix summary:

- total controls tracked: `144`
- `code_test` controls: `115`
- `dated_live_evidence` controls: `16`
- `external_fact` controls: `13`
- `unspecified_pending` controls: `0`
- controls with at least one automated test reference: `123`
- controls marked `external_dependency=true`: `14`
- controls with an explicit coverage gap: `5`

Current control-type breakdown:

- `pdpl_article`: `25`
- `audit_finding`: `21`
- `claim_boundary`: `49`
- `runtime_control`: `29`
- `routing_control`: `9`
- `billing_integrity`: `7`
- `operational_principle`: `4`

The current production application baseline is:

- ACK Riyadh production image: `datasitr-api:979aa53b`
- ACK image digest: `981f67c23426...`
- GCP Dammam warm-standby image: `datasitr-api:979aa53b`
- Public-site static release: `20260517T145702Z`
- Public-site payload hash: `sha256:eecc3365...d192a0`

The 2026-05-17 production deploy made the Subject Rights Case-Queue UI live for
tenant administrators at `/dashboard/subject-rights`, clearing the DPIA Element
8 #4 operator-surface gap. The live queue includes SLA badges, role-gated
transitions, required audit notes, and erasure double confirmation. Boundary:
DataSitr has not yet processed a real customer subject-rights request
end-to-end, so this pack does not claim real-request operating evidence.

The deploy also deliberately left the Phase 1 AI gateway preview disabled:
`SV_AI_GATEWAY_ENABLED=false`. `ai.datasitr.com` must not be treated as a
customer-facing or regulator-reviewed capability until the separate AI gateway
preview enablement runbook is executed by the operator.

The 2026-05-04 matrix adds five HA controls:

- `HA.001` - verified live cutover from the legacy edge to ACK ingress
- `HA.002` - multi-AZ ACK ingress topology on Alibaba Cloud
- `HA.003` - TLS termination with documented renewal path
- `HA.004` - public-route HA verification harness
- `HA.005` - 4-hour soak window with periodic re-checks

The matrix remains reviewer-useful because it does not hide gaps. The HA rows
are tied to the signed ACK customer-route bundle under
`evidence/ha/alibaba-live-2026-05-04T01:17:03Z/` and the signed scoped
multi-region warm-standby drill under
`evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/`.

The post-deploy operator evidence trail is documented in
`docs/operator-runbooks/ack-deploy-gotchas-2026-05-17.md`. That runbook records
the exact build/deploy gotchas that surfaced during the ACK deploy, including
ACR token reuse, Host B build-path constraints, config-secret presence checks,
and the reason the AI gateway preview remained off.

## What Is Included

The 2026-05-18 reviewer archive contains the machine-readable matrix, the
rendered public trust resources, the current claim-boundary documents, the
audit-finding tracker, the post-deploy operator gotchas runbook, and the signed
manifest material needed to verify that the archive has not been tampered with.
It should contain:

- `docs/control_matrix.yaml`
- `docs/generated/control_matrix.json`
- `docs/generated/control_matrix.md`
- `public-site/resources/control_matrix.json`
- `public-site/resources/control_matrix.md`
- `public-site/resources/trust-report.json`
- `public-site/trust-report.html`
- the latest dated `docs/control-matrix-coverage-backlog-*.md`
- `docs/claims-boundary.md`
- `docs/regulatory-audit-findings.md`
- `docs/founding-charter.md`
- `docs/pdpl-self-contained-operation-principle.md`
- `docs/green-lane-transfer-legal-position.md`
- `docs/dpia-datasitr-platform-2026-05-09.md`
- `docs/operator-runbooks/ack-deploy-gotchas-2026-05-17.md`
- `docs/compliance-reviewer-pack-20260420.md`
- `docs/compliance-reviewer-pack-20260504.md`
- `docs/compliance-reviewer-pack-20260505.md`
- `docs/compliance-reviewer-pack-20260517.md`
- `docs/compliance-reviewer-pack-20260518.md`
- `compliance/COMPLIANCE_STATUS.md`
- `docs/generated/claims_registry.md`
- `docs/generated/living_docs_status.md`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle-soak-passed.tar.gz`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle-soak-passed.sig`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/soak/PASSED.md`
- `evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/evidence-bundle.json`
- `evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/evidence-bundle.json.sig`
- `docs/generated/compliance-reviewer-bundle-20260518/pre-soak-stop-report-framing.md`
- `trusted_public_key.pem`
- `bundle_manifest.json`
- `bundle_manifest.signed.json`
- `bundle_manifest.sha256`

The companion evidence archive contains the raw dated evidence that is too
large or too operationally specific to read as a single summary document:

- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle.tar.gz`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle.sig`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle-soak-passed.tar.gz`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/bundle-soak-passed.sig`
- `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/summary-v2.md`
- `evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/`
- `evidence/chain-fix-verification-20260505T002623Z/`

## How To Verify The Bundle

Build the bundle:

```bash
python3 scripts/build_compliance_reviewer_bundle.py \
  --output-dir docs/generated/compliance-reviewer-bundle-20260518 \
  --force
```

Verify one bundle:

```bash
python3 scripts/verify_compliance_reviewer_bundle.py \
  docs/generated/compliance-reviewer-bundle-20260518/ \
  --trusted-public-key docs/generated/compliance-reviewer-bundle-20260518/trusted_public_key.pem
```

Verification checks:

- the bundle manifest is present
- the signed manifest verifies against an out-of-band trusted Ed25519 public key PEM
- the signed manifest payload matches `bundle_manifest.json`
- every signed manifest attachment matches its recorded SHA-256 digest
- the bundled control matrix is complete against the repo-local source matrix
- the verifier prints the trusted key fingerprint used for the check

The verifier fails closed:

- exit `0` = verified
- exit `1` = tampered, incomplete, or otherwise failed verification
- exit `2` = external trusted public key PEM missing
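The check order and fail-closed exit codes above, as an added Go example that is not the project's `scripts/verify_compliance_reviewer_bundle.py`: the `Manifest` and `SignedManifest` shapes and the attachment map are constructed stand-ins for the real bundle files, and the repo-local matrix completeness check and the fingerprint print are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Exit codes from the pack: the verifier fails closed.
const (
	ExitVerified   = 0 // verified
	ExitFailed     = 1 // tampered, incomplete, or otherwise failed verification
	ExitKeyMissing = 2 // external trusted public key PEM missing
)
// Manifest is a constructed stand-in for bundle_manifest.json: attachment path -> hex SHA-256.
type Manifest struct {
	Attachments map[string]string `json:"attachments"`
}
// SignedManifest stands in for bundle_manifest.signed.json: signed payload bytes plus detached Ed25519 signature.
type SignedManifest struct {
	Payload, Signature []byte
}

// VerifyBundle follows the pack's check order and returns the CLI exit code. The trusted key
// arrives out of band (the PEM on the command line), never from inside the bundle.
func VerifyBundle(trustedKey ed25519.PublicKey, manifest []byte, signed *SignedManifest, files map[string][]byte) int {
	if len(trustedKey) != ed25519.PublicKeySize {
		return ExitKeyMissing
	}
	if signed == nil || !ed25519.Verify(trustedKey, signed.Payload, signed.Signature) {
		return ExitFailed // signed manifest missing or signature invalid for the trusted key
	}
	if !bytes.Equal(signed.Payload, manifest) {
		return ExitFailed // signed payload differs from bundle_manifest.json
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil || len(m.Attachments) == 0 {
		return ExitFailed // unparseable or empty manifest counts as incomplete
	}
	for path, want := range m.Attachments {
		data, ok := files[path]
		got := sha256.Sum256(data)
		if !ok || hex.EncodeToString(got[:]) != want {
			return ExitFailed // attachment missing or bytes differ from the recorded digest
		}
	}
	return ExitVerified
}
```

A key shipped inside the archive must never be passed as `trustedKey`; the exit `2` path exists precisely so that case is refused rather than silently trusted.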

## Production Baseline Scope

The current production baseline is the ACK Riyadh deployment of
`datasitr-api:979aa53b`. The post-deploy gotchas runbook is part of this pack's
operator-governance evidence trail because it records how the one-time deploy
was converted into safer reproducible operator muscle:

- one ACR temporary token must be reused for image push and pull-secret refresh
- Host B build dispatch avoids unreliable local amd64 emulation
- required runtime env vars must be checked before rollout
- the AI gateway preview remains disabled until a dedicated secret-placement and
  flag-flip window

This pack may say that the Subject Rights Case-Queue UI is production-live. It
must not say that DataSitr has completed a real customer subject-rights request
until such a request has flowed through the queue and its audit evidence exists.

## HA Evidence Scope

The HA evidence added on 2026-05-04 substantiates this narrow claim:

DataSitr's customer route was cut over from the legacy single-VPS edge
(`8.213.18.247`) to the ACK ingress (`8.213.49.193`), with public DNS,
ACK TLS, public-site parity, API route checks, and a 4-hour soak passing.

The operator-recorded DNS flip timestamp is `2026-05-04T01:12:50Z`; the signed
bundle root uses T0 `2026-05-04T01:17:03Z`. Keep these timestamps distinct when
reviewing the evidence.

The signed HA evidence bundle records:

- pre-soak DNS, HTTPS, certificate-chain, public-site, and API contract checks
- ACK TLS readiness for `datasitr.com`, `www.datasitr.com`, and
  `api.datasitr.com`
- gate-state output with all four HA conditions passing
- scheduled soak checkpoints at T+15m, T+1h, T+2h, and T+4h
- separate post-soak signature material

The HA evidence does not widen into:

- external certification
- regulator approval
- full-vault decrypt verification on every row
- permanent immutable-retention controls
- automated cert-manager DNS-01 renewal, which remains a documented follow-up

The ACK TLS certificate in the cutover bundle expires
`2026-06-06T00:36:09Z`. Manual renewal copy-forward is documented in
`docs/runbooks/ack-tls-cert-renewal.md`; cert-manager DNS-01 automation remains
a separate follow-up.

## Multi-Region Warm-Standby Drill Scope

The signed multi-region drill evidence added on 2026-05-16 substantiates this
narrow claim:

DataSitr has an in-Kingdom warm-standby endpoint on Google Cloud Dammam
(`standby.gcp.datasitr.com`) and a tested operator-directed DNS route-swap
procedure using a disposable drill hostname. The drill validated DNS-level
route switching between Alibaba Riyadh and GCP Dammam, TLS-valid service on
the Dammam standby, GKE workload health, evidence capture, and rollback.

The drill evidence path is:

- `evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/evidence-bundle.json`
- `evidence/multi-region-drill/multi-region-warm-standby-20260516T220433Z/evidence-bundle.json.sig`

The signed content hash is:

- `sha256:158f604ae895a0f841bfeddeae43eafad14b4709b63ed8b596a708bc39b11a51`

The signing key identifier is:

- `ed25519:f4c7e4088a05833afaf275aacdb71a73692d48e25584ab83628b13f6f48690b7`

The drill explicitly does not validate:

- cross-cloud database failover or replication
- authoritative authentication failover
- customer data continuity
- active-active routing
- unplanned full-region failure tolerance

Cross-cloud DB replication remains a tracked coverage gap pending the Alibaba
RDS `wal_level=logical` maintenance window. Target tracking date:
`2026-06-15`.

## Composite-Chain Fix Scope

The composite-chain branch addresses an internal integrity finding caught by
DataSitr's own stress tooling: concurrent finalization could mutate
`record_hash` after a successor row linked to the pre-finalization value. The
fix separates immutable chain continuity (`chain_hash` / `prev_chain_hash`)
from mutable current-state record hashing.
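The separation described above, as an added Go example rather than DataSitr's own code: `chain_hash` is derived only from `prev_chain_hash` and insert-time fields, while `record_hash` covers the mutable state, so finalizing a predecessor after a successor has linked to it no longer breaks the link. Which fields feed each hash, the `State` values and the row layout are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Record is one chain row; the field names follow the pack, the hash inputs are this example's assumption.
type Record struct {
	ID, Payload    string // immutable, fixed at insert time
	State          string // mutable: "pending" -> "finalized"
	PrevRecordHash string // pre-fix link: predecessor's record_hash as seen at link time
	PrevChainHash  string // post-fix link: predecessor's immutable chain_hash
	ChainHash      string // immutable: H(prev_chain_hash, id, payload)
	RecordHash     string // mutable: H(id, payload, state), recomputed on state change
}

// sum hashes NUL-joined fields so field boundaries stay unambiguous.
func sum(parts ...string) string {
	d := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(d[:])
}
func recordHash(r *Record) string { return sum(r.ID, r.Payload, r.State) }

// Append stores both the old and the new linkage so the two checks below can be compared.
func Append(chain []Record, id, payload string) []Record {
	r := Record{ID: id, Payload: payload, State: "pending"}
	if n := len(chain); n > 0 {
		r.PrevRecordHash, r.PrevChainHash = chain[n-1].RecordHash, chain[n-1].ChainHash
	}
	r.ChainHash = sum(r.PrevChainHash, r.ID, r.Payload)
	r.RecordHash = recordHash(&r)
	return append(chain, r)
}
// Finalize is the mutation from the finding: record_hash changes, chain_hash does not.
func Finalize(r *Record) { r.State = "finalized"; r.RecordHash = recordHash(r) }
// LinkedViaRecordHash is the pre-fix link check; it fails once the predecessor finalizes.
func LinkedViaRecordHash(pred, succ Record) bool { return succ.PrevRecordHash == pred.RecordHash }
// ChainBrokenLinks recomputes every chain_hash from immutable inputs only; 0 means continuity holds.
func ChainBrokenLinks(chain []Record) (broken int) {
	prev := ""
	for _, r := range chain {
		if r.PrevChainHash != prev || r.ChainHash != sum(prev, r.ID, r.Payload) {
			broken++
		}
		prev = r.ChainHash
	}
	return broken
}
```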

This reviewer pack may say:

- the race was found by internal integrity tooling before any customer-tenant
  records were affected
- affected pre-fix records were internal only: 2 pilot-proof records and 57
  stress-test seed records
- the deterministic reproducer now blocks the regression
- a 200-request post-fix burst produced 0 broken links

This reviewer pack must not say the composite-chain fix has independent live
ACK chain-integrity proof unless a guarded rollout and live verification bundle
exists for that specific control.

## Customer-Route Verification Commands

Use these checks to inspect the current customer route:

```bash
for h in datasitr.com api.datasitr.com www.datasitr.com; do
  echo "=== $h ==="
  curl -sI -o /dev/null \
    -w "HTTP %{http_code} IP %{remote_ip} TLS_verify %{ssl_verify_result}\n" \
    "https://$h/"
done
```

Expected result:

- `datasitr.com` resolves to the ACK ingress path
- `api.datasitr.com` resolves to the ACK ingress path
- `www.datasitr.com` follows the apex route
- TLS verification returns `0`

For matrix-level verification, use:

```bash
python3 scripts/validate_control_matrix.py
python3 scripts/render_control_matrix.py
python3 scripts/generate_trust_report.py
python3 scripts/check_control_matrix_rendered_drift.py
python3 scripts/verify_ha_evidence_gate.py \
  evidence/ha/alibaba-live-2026-05-04T01:17:03Z/ha-evidence-bundle.json
```

## Control Matrix Overview

The control matrix has three reviewer-useful properties:

1. It is source-first. `docs/control_matrix.yaml` is the source of truth.
2. It is machine-validated. `scripts/validate_control_matrix.py` rejects broken
   code/test/evidence references.
3. It is gap-explicit. `coverage_gap` and `gap_severity` stay visible per
   control until a fix branch actually closes them.

For a specific control:

- open `docs/generated/control_matrix.md`
- search for `## <CONTROL_ID>`
- or use the generated anchor form `#<lowercase-control-id>` in a Markdown
  viewer that follows GitHub-style heading anchors

Examples:

- `PDPL-ART-29-CROSS-BORDER-TOKENIZATION`
- `AUDIT-001-RAW-PII-EXTERNAL-LEAK-PROTECTION`
- `CLAIM-THREE-LANE-ROUTING-LIVE`
- `RUNTIME-PROCESSING-CHAIN-HMAC-INTEGRITY`
- `HA.001`
- `HA.005`

## Known Limitations

Do not read this reviewer pack as proof that all surfaced issues are already
closed.

Known limitations as of 2026-05-18:

- the three continuity marker directories/files under
  `evidence/parity-rollout-20260418_083031/`,
  `evidence/parity-rollout-20260419_184221/`, and
  `evidence/security-scans/` are not evidence; they document pre-existing
  unpreserved evidence directories that still need cleanup
- the matrix still records explicit coverage gaps where evidence is partial,
  documentary, or externally dependent
- cert-manager DNS-01 renewal is not yet wired; the current ACK TLS renewal path
  is documented as a manual copy-forward procedure
- full-vault decrypt verification remains a separate evidence stage
- the composite-chain fix has code/evidence proof, but this pack does not claim
  separate live ACK chain-integrity proof for that control
- the Subject Rights Case-Queue UI is live, but no real customer
  subject-rights request has completed end-to-end yet
- the GCP Dammam warm-standby drill is DNS/GKE/TLS evidence only; cross-cloud
  DB replication, auth failover, and customer data continuity remain deferred
- the AI gateway preview is present in the deployed image but flag-disabled
- this pack does not widen into regulator approval, legal sign-off, external
  certification, or whole-platform audit completeness

## Related References

Use these documents together:

1. `docs/generated/control_matrix.md`
2. `public-site/resources/trust-report.json`
3. `docs/control-matrix-coverage-backlog-20260425.md`
4. `docs/claims-boundary.md`
5. `docs/regulatory-audit-findings.md`
6. `docs/pdpl-self-contained-operation-principle.md`
7. `docs/green-lane-transfer-legal-position.md`
8. `compliance/COMPLIANCE_STATUS.md`
9. `evidence/ha/alibaba-live-2026-05-04T01:17:03Z/soak/PASSED.md`
10. `evidence/chain-fix-verification-20260505T002623Z/`
11. `docs/operator-runbooks/ack-deploy-gotchas-2026-05-17.md`

## Safe Wording Boundary

Safe summary wording:

- DataSitr maintains a machine-validated control matrix spanning PDPL article
  references, audit findings, claim-boundary lines, routing controls, runtime
  controls, billing integrity controls, and operational principles.
- The matrix is packaged into an Ed25519-signed reviewer bundle with a dated
  coverage backlog, the signed 2026-05-04 HA evidence bundle, companion
  composite-chain fix evidence, the 2026-05-16 warm-standby drill evidence, and
  the post-deploy operator gotchas runbook.
- The HA evidence substantiates verified ACK customer-route cutover and
  infrastructure-level HA for the documented public/API paths and soak window.
- The Subject Rights Case-Queue UI is live on ACK production image
  `datasitr-api:979aa53b`, with no claim yet of real customer-request evidence.
- The current bundle is reviewer-safe because it keeps surfaced gaps visible
  rather than hiding them.

Unsafe wording:

- all compliance gaps are closed
- regulator-approved control coverage
- externally audited full control completeness
- buyer-ready proof of every stated claim without qualification
- full-vault decrypt verification on every row
- automatic failover, active-active routing, or full-region fault tolerance
