Compliance posture

Built to the standards public partners require.

This page is maintained by the REBUILT OS team to summarize the compliance frameworks we align to today and the audits we are actively pursuing. It describes controls that are enabled in the platform and is not, on its own, an independent certification or attestation. Signed reports, BAAs, DPAs, and security questionnaires are available under NDA — contact compliance@operationrebuilt.com.

All frameworks below: Aligned / In Progress — formal audits underway
HIPAA
Aligned

Protected Health Information (PHI) — wellness, behavioral health, and clinical data.

  • Administrative, physical, and technical safeguards mapped to 45 CFR §164
  • Encryption at rest and in transit for all identified PHI
  • Role-based access control with least-privilege enforcement
  • Immutable audit logging of PHI access and modifications
  • Breach notification procedures documented
  • Business Associate Agreements (BAAs) available upon partner request
SOC 2 Type II
Aligned

Security, Availability, Confidentiality, and Privacy Trust Services Criteria.

  • Access control policies with quarterly access reviews
  • Change management and code review requirements enforced
  • Continuous monitoring, incident response, and vulnerability management
  • Vendor and subprocessor risk review program
  • Formal Type II audit engagement targeted — evidence collection underway
CJIS
Aligned

Criminal Justice Information Services Security Policy v5.9 — required for court, probation, and law enforcement data.

  • Advanced authentication (MFA) for all users touching CJI
  • Personnel screening standards for staff with CJI access
  • Encryption FIPS 140-2 validated modules in transit and at rest
  • Detailed audit logging and 1+ year log retention
  • Physical security via SOC 2 audited cloud host
  • CJIS Security Addendum available for signatory partners
FERPA
Aligned

Education records for youth prevention and academy participants under 18.

  • Parent/guardian consent capture with versioning
  • Directory information handling controls
  • Right to inspect, amend, and request deletion supported
  • School Official designation available for education partners
NIST 800-53 (Moderate)
Aligned

Federal baseline control set — foundation for FedRAMP and StateRAMP.

  • Control families implemented across AC, AU, CM, IA, IR, RA, SC, SI
  • System Security Plan (SSP) maintained internally
  • Continuous monitoring against control baseline
  • POA&M process for tracking gaps and remediation
GDPR
Aligned

EU/UK data subjects — participants, mentors, and staff.

  • Lawful basis documented per processing activity
  • Data Subject Access, Rectification, Erasure, Portability requests honored
  • Data Processing Agreement (DPA) available
  • Subprocessor list published and updated
  • Standard Contractual Clauses (SCCs) for international transfers
StateRAMP
Aligned

State and local government cloud authorization — Ready → Authorized pathway.

  • Control implementation mapped to NIST 800-53 Moderate baseline
  • 3PAO engagement planned for formal assessment
  • Listed on the StateRAMP Progressing Snapshot as a next milestone
Audit & certification roadmap

Timelines are targets, not guarantees. Updated as milestones are met.

Now
  • HIPAA safeguards implemented
  • GDPR DSAR workflow live
  • Consent Center in production
  • Immutable audit logs enabled
Next 90 days
  • SOC 2 Type I readiness assessment
  • Formal BAA template published
  • CJIS Security Addendum published
  • Penetration test (third-party)
6–12 months
  • SOC 2 Type II audit window
  • StateRAMP Ready status
  • HITRUST e1 assessment (evaluation)
  • FedRAMP Tailored Low (evaluation)
Shared responsibility

REBUILT OS operates the platform, its managed cloud infrastructure, and the platform-level controls listed above. Partner organizations remain responsible for administering their users, executing consent workflows appropriate to their jurisdiction, and safeguarding data they export or share outside the platform. Compliance is a shared commitment.