Compliance

Octomil provides pre-configured compliance presets and platform controls to satisfy HIPAA, GDPR, PCI, and SOC 2 requirements. This page covers presets, per-framework guidance, and production checklists.

Compliance Presets

Apply a preset during octomil init or update later in the dashboard:

octomil init "Your Org" --compliance hipaa --region us

| Preset | Audit Retention | MFA | Admin Approval | Session Duration | Reauth Timeout |
|---|---|---|---|---|---|
| hipaa | Configurable (compliance-appropriate) | All users | Yes | Configurable | Configurable |
| gdpr | Configurable (compliance-appropriate) | Admins only | No | Default | Default |
| pci | Default | All users | Yes | Configurable | Configurable |
| soc2 | Configurable | Admins only | Yes | Default | Default |

HIPAA

Octomil is architecturally incapable of violating HIPAA's core data protection requirements because it never receives, processes, or stores Protected Health Information (PHI). Training happens on-device. The only data transmitted to the server is model weight deltas -- numerical arrays representing how the model changed after local training.

How Octomil meets HIPAA safeguards

| HIPAA Requirement | Safeguard Category | Octomil Feature |
|---|---|---|
| Access controls | Administrative | RBAC with owner, admin, member roles. Scoped API keys |
| Workforce security | Administrative | MFA enforced for all users under HIPAA preset. SSO/SCIM integration |
| Audit controls | Administrative | Immutable audit log. HIPAA preset: compliance-appropriate retention |
| Transmission security | Technical | TLS 1.3. Certificate pinning in iOS and Android SDKs |
| Encryption at rest | Technical | Model artifacts encrypted in S3. Database encrypted at disk level |
| Access validation | Technical | Device bootstrap token exchange. JWT validation with org_id claims |
| Automatic logoff | Technical | Configurable session duration with configurable re-authentication timeout |
| Data integrity | Technical | DP pipeline: gradient clipping, noise injection. Byzantine-robust aggregation |
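The "Access validation" row depends on the server checking a JWT's org_id claim before it unlocks any org-scoped resource. The following is an added example, not Octomil's own code, of the checks such a validator must make in order: pin the algorithm, verify the signature in constant time, check expiry, then compare org_id with the tenant the request is addressed to. It assumes an HS256 (HMAC) signed token carrying org_id and exp claims purely for illustration; the page does not state Octomil's actual signing algorithm or full claim set, and the secret and tokens below are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real validator loads the server's signing key from its secret store.
DEMO_SECRET = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256-signed JWT for the demo (hypothetical issuer; the algorithm is an assumption)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, expected_org_id: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims if the token is valid for expected_org_id, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("token expired")
    # Tenant isolation: a valid token issued for another org must not unlock this org's data.
    if claims.get("org_id") != expected_org_id:
        raise ValueError("org_id mismatch")
    return claims


def check_token(token: str, expected_org_id: str, now=None) -> tuple:
    """Wrapper returning (accepted, reason) so rejections can be logged without raising."""
    try:
        validate_token(token, expected_org_id, now=now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    token = mint_token({"org_id": "org_a", "device_id": "dev_1", "exp": time.time() + 3600})
    print(check_token(token, "org_a"))   # accepted
    print(check_token(token, "org_b"))   # rejected: org_id mismatch
```

The order of the checks matters: signature and algorithm are verified before any claim is trusted, so a forged org_id never reaches the tenant comparison.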

Weight deltas can still carry information about the local training data, so for HIPAA workloads use epsilon <= 4.0 with secure aggregation enabled:

curl -X PUT https://api.octomil.com/api/v1/federations/radiology-screening/privacy \
-H "Authorization: Bearer edg_..." \
-H "Content-Type: application/json" \
-d '{
"differential_privacy": {"enabled": true, "epsilon": 4.0, "delta": 1e-5, "noise_multiplier": 1.1, "max_grad_norm": 1.0},
"secure_aggregation": {"enabled": true, "min_participating_clients": 10, "reconstruction_threshold": 0.6}
}'
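Because a privacy setting that drifts above the recommended bound silently weakens the HIPAA posture, it is worth gating the PUT above behind a check. The following is an added example, not Octomil's own tooling: it validates a privacy config against the guidance on this page (DP enabled, epsilon <= 4.0, delta set, secure aggregation enabled) and only then builds the same request the curl command sends. The endpoint path and JSON keys are taken from the curl example; the federation id and the edg_placeholder API key are constructed values, and the request is built but not sent.

```python
import json
import urllib.request

# Bound taken from this page's HIPAA guidance.
HIPAA_MAX_EPSILON = 4.0

# Constructed copy of the privacy settings shown in the curl example above.
HIPAA_PRIVACY_CONFIG = {
    "differential_privacy": {
        "enabled": True, "epsilon": 4.0, "delta": 1e-5,
        "noise_multiplier": 1.1, "max_grad_norm": 1.0,
    },
    "secure_aggregation": {
        "enabled": True, "min_participating_clients": 10, "reconstruction_threshold": 0.6,
    },
}


def hipaa_privacy_findings(config: dict) -> list:
    """Return the reasons a config fails the page's HIPAA guidance; an empty list means it passes."""
    findings = []
    dp = config.get("differential_privacy", {})
    secagg = config.get("secure_aggregation", {})
    if not dp.get("enabled"):
        findings.append("differential privacy disabled")
    else:
        eps = dp.get("epsilon")
        if eps is None or eps > HIPAA_MAX_EPSILON:
            findings.append(f"epsilon {eps} exceeds HIPAA bound {HIPAA_MAX_EPSILON}")
        if dp.get("delta") is None:
            findings.append("delta not set")
    if not secagg.get("enabled"):
        findings.append("secure aggregation disabled")
    return findings


def build_privacy_request(federation_id: str, api_key: str, config: dict,
                          base_url: str = "https://api.octomil.com") -> urllib.request.Request:
    """Build (without sending) the PUT shown above; refuse to build it for a non-compliant config."""
    findings = hipaa_privacy_findings(config)
    if findings:
        raise ValueError("refusing to apply non-compliant privacy config: " + "; ".join(findings))
    return urllib.request.Request(
        url=f"{base_url}/api/v1/federations/{federation_id}/privacy",
        data=json.dumps(config).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    req = build_privacy_request("radiology-screening", "edg_placeholder", HIPAA_PRIVACY_CONFIG)
    print(req.get_method(), req.full_url)
    # To actually apply it: urllib.request.urlopen(req)
```

Run the findings check in CI against the config you keep under version control, so a later edit that raises epsilon or disables secure aggregation fails the build rather than reaching the federation.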

Business Associate Agreement (BAA)

Octomil offers BAA execution on the Enterprise tier. Contact team@octomil.com to initiate.

HIPAA checklist

  • HIPAA compliance preset applied (octomil init --compliance hipaa)
  • MFA enforced for all users
  • SSO/SCIM configured
  • Differential privacy enabled with epsilon <= 4.0
  • Secure aggregation enabled
  • Audit log retention set to compliance-appropriate duration
  • Admin approval required for production deployments
  • BAA executed with Octomil (Enterprise tier)
  • On-device training pipeline verified: no intermediate artifacts uploaded

GDPR

Octomil is GDPR-compliant by design. No PII is collected, transmitted, or centralized. Training data stays on end-user devices.

How Octomil meets GDPR requirements

| GDPR Requirement | Article | Octomil Feature |
|---|---|---|
| Data minimization | Art. 5(1)(c) | Only model weight deltas transmitted. DP further reduces information content |
| Purpose limitation | Art. 5(1)(b) | Updates used solely for federated aggregation |
| Storage limitation | Art. 5(1)(e) | Only aggregated model weights stored. Retention configurable |
| Lawfulness and consent | Art. 6, 7 | SDKs require explicit opt-in before training participation |
| Right to erasure | Art. 17 | Device revocation via octomil devices revoke <device-id>. Local data controlled by end user |
| Data residency | Art. 44-49 | --region eu constrains all data flow to EU infrastructure |
| Privacy by design | Art. 25 | On-device training is the default. DP and SecAgg are first-class features |

Data residency

When you initialize with --region eu, Octomil constrains model storage, aggregation compute, audit logs, and API routing to EU-based infrastructure.

Right to erasure workflow

  1. Revoke the device token: octomil devices revoke <device-id>
  2. Application deletes local training data (Octomil never holds a copy)
  3. For full unlearning, retrain the model excluding rounds where the device participated
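Step 3 is the part of the workflow that needs bookkeeping: to exclude a device's rounds you must know which rounds it joined and from which checkpoint retraining has to restart. The following is an added example, not Octomil's own code, that turns a round participation log into an erasure plan. It assumes, hypothetically, that rounds are sequential and each aggregate builds on the previous one, so every round from the first affected one onward has to be recomputed from the last clean checkpoint; the participation log is constructed, and the revoke command is returned as an argument vector rather than executed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoundRecord:
    round_id: int
    participants: frozenset  # device ids whose deltas were aggregated in this round


# Constructed participation log for a small federation (not real Octomil data).
ROUNDS = [
    RoundRecord(1, frozenset({"dev-a", "dev-b", "dev-c"})),
    RoundRecord(2, frozenset({"dev-a", "dev-c"})),
    RoundRecord(3, frozenset({"dev-b", "dev-c", "dev-d"})),
    RoundRecord(4, frozenset({"dev-a", "dev-d"})),
    RoundRecord(5, frozenset({"dev-b", "dev-d"})),
]


def revoke_command(device_id: str) -> list:
    """Argument vector for step 1 of the workflow (the CLI call shown above); not executed here."""
    return ["octomil", "devices", "revoke", device_id]


def affected_rounds(rounds, device_id: str) -> list:
    """Rounds whose aggregate included the device's delta, in order."""
    return sorted(r.round_id for r in rounds if device_id in r.participants)


def erasure_plan(rounds, device_id: str) -> dict:
    """Plan step 3: which checkpoint to restart from and which rounds to replay.

    Assumes (hypothetically) that each round's aggregate builds on the previous one, so
    the model must be rolled back to the checkpoint before the first affected round.
    Per step 3 above, rounds the device joined are excluded entirely; later rounds it
    did not join are replayed on top of the rolled-back model.
    """
    affected = affected_rounds(rounds, device_id)
    plan = {"device_id": device_id, "revoke_command": revoke_command(device_id),
            "affected_rounds": affected, "last_clean_round": None,
            "retrain_from_round": None, "rounds_to_replay": []}
    if not affected:
        return plan  # device never contributed: revocation alone completes the erasure
    first = affected[0]
    plan["last_clean_round"] = first - 1  # 0 means the initial model
    plan["retrain_from_round"] = first
    plan["rounds_to_replay"] = [r.round_id for r in rounds
                                if r.round_id >= first and device_id not in r.participants]
    return plan


if __name__ == "__main__":
    print(erasure_plan(ROUNDS, "dev-a"))
```

Note that step 2 (deleting the local training data) happens on the device and has no server-side counterpart in this plan; the server never held that data. Keeping per-round participant lists in the audit log is what makes this plan computable after the fact.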

GDPR checklist

  • GDPR compliance preset applied (octomil init --compliance gdpr --region eu)
  • Data residency set to eu
  • Differential privacy enabled
  • SDK configured to require explicit user opt-in
  • Device revocation workflow documented and tested
  • Audit log retention set to compliance-appropriate duration
  • DPIA completed and filed with your DPO

SOC 2

Octomil's architecture is aligned to all five SOC 2 Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Key controls

| Category | Coverage |
|---|---|
| Security (CC1-CC9) | RBAC, MFA, immutable audit logs, TLS 1.3, encryption at rest, vulnerability scanning |
| Availability (A1) | Auto-scaling, rate limiting, configurable RPO and RTO |
| Processing Integrity (PI1) | Input validation, DP pipeline, deterministic aggregation |
| Confidentiality (C1) | On-device training, encrypted transit/rest, secure aggregation |
| Privacy (P1-P8) | Opt-in consent, data minimization, configurable retention |

SOC 2 preset

octomil init "Your Org" --compliance soc2

The preset applies configurable audit retention, admin MFA, deployment approvals, auto-rollback on elevated error rates, and daily compliance evidence collection.

Evidence collection

octomil org compliance-report --format pdf

Generates a report covering control status, audit log summary, encryption config, RBAC assignments, API key inventory, deployment history, and incident history.

SOC 2 checklist

  • SOC 2 compliance preset applied
  • MFA enforced for admin users
  • Audit log retention meets requirements
  • RBAC assignments follow principle of least privilege
  • Compliance report generated and reviewed
  • Incident response procedures documented
  • Backup and recovery procedures tested