15 Security & Trust Whitepaper
Audience: client IT/OT security teams. Purpose: answer in advance the security review that gates every oil & gas deal — the single highest-leverage client document. References: CSA CAIQ, Shared Assessments SIG, AICPA SOC 2; trust-center examples from Vanta/Drata/Secureframe; Palantir and Samsara public trust centers. Much of the substance already exists in PRD Appendix F (esp. F.7) and Deployment — this document packages it for a security reviewer and pre-empts their questionnaire.
15.1 Sections
- Security posture summary — observe-reason-recommend only; read-only OT.
- OT/IT boundary — read-only OPC UA enforcement (access rights, DMZ write-rejection, firewall port restriction); no writes/actuation. (PRD Deployment + F.5.)
- Data protection — encryption at rest (AES-256) / transit (TLS 1.2/1.3); residency; air-gapped option with no callbacks.
- Identity & access — JWT, row-level security (RLS) multi-tenancy, SSO (SAML/OIDC).
- Supply chain — image signing (cosign), Trivy scanning, SPDX SBOM. (PRD F.7.)
- Secrets management — Vault / cloud KMS; rotation; X.509/mTLS. (PRD F.7.)
- Compliance roadmap — SOC 2 Type II (target Q4 2026), IEC 62443 alignment.
- Sub-processors — list (cloud, LLM API) and how on-prem eliminates them.
- Incident response & breach notification (72h).
- Pre-filled CAIQ/SIG — attach as appendix so buyers don’t have to send their own.
15.2 Maintenance
Update whenever Deployment or PRD Appendix F changes. This doc and PRD Appendix F must never disagree — keep PRD Appendix F.7 as the source of truth and summarize it here.