Compliance & Security
TrustAI is built on Knox — a defense-in-depth security architecture with Knox-anchored audit permanence aligned with NIST SP 800-53, HIPAA, FedRAMP infrastructure, SOC 2, and OMB Circular A-123. Trust, estate, and fiduciary disputes involve protected health information, financial records, and minor children — TrustAI treats every byte accordingly.
Operator: Bonis Systems LLC. UEI: R2BPJDC5CBA3. USPTO provisional application 64/036,498.
Knox Security Architecture
| # | Layer | Status |
|---|---|---|
| 1 | DDoS Protection (50 req/10s sustained, 20/2s burst) | Active |
| 2 | Bot & Scanner Detection (16 signatures) | Active |
| 3 | Payload Inspection (XSS, SQLi, traversal, injection) | Active |
| 4 | Honeypot Traps (16 decoy paths) | Active |
| 5 | Brute Force Prevention (lockout at 5 attempts) | Active |
| 6 | IP Threat Scoring & Auto-Block (score 80+) | Active |
| 7 | Content Security Policy (CSP) | Active |
| 8 | HSTS + Security Headers | Active |
| 9 | Request Fingerprinting (SHA-256) | Active |
| 10 | Knox-anchored audit trail (immutable) | Active |
| 11 | AES-256-GCM Encryption at Rest | Active |
| 12 | TLS 1.3 Transport Security | Active |
| 13 | Permissions-Policy (camera, mic, geo, payment disabled) | Active |
PII / PHI Protection
TrustAI's PII scrubber automatically detects and redacts the 18 HIPAA Safe Harbor identifiers plus legal/financial data before any AI inference, log write, or external transmission:
| Identifier | Detection | Treatment |
|---|---|---|
| Social Security Number | Regex (validated) | Redacted |
| Employer ID Number | Regex | Redacted |
| Bank account / routing | Pattern + context | Redacted |
| Medical Record Number | Pattern + context | Redacted |
| Date of birth | Regex | Redacted |
| Phone, email, ZIP, IP | Regex | Redacted |
| Driver license | Regex | Redacted |
| Credit card | Luhn + regex | Redacted |
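As an added illustration of the "regex, then validate" approach the table describes (this is example code, not TrustAI's scrubber, and the regexes and identifier classes are assumptions), the following Python redacts SSNs checked against SSA issuance rules, card numbers confirmed with a Luhn checksum, and e-mail addresses, returning per-class counts so a log write can record what was scrubbed without recording the values:

```python
import re

# Assumed patterns for three of the identifier classes in the table above.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")  # 14-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample text for demonstration only.
SAMPLE = ("Client SSN 123-45-6789, card 4111 1111 1111 1111, "
          "reach me at jane@example.com. Bad SSN 000-12-3456.")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(text: str) -> tuple:
    """Return (redacted text, count of redactions per identifier class)."""
    counts = {"ssn": 0, "card": 0, "email": 0}

    def ssn_sub(m):
        if valid_ssn(*m.groups()):
            counts["ssn"] += 1
            return "[SSN]"
        return m.group(0)        # regex hit but fails validation: leave it

    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            counts["card"] += 1
            return "[CARD]"
        return m.group(0)

    text = SSN_RE.sub(ssn_sub, text)
    text = CARD_RE.sub(card_sub, text)
    text, n = EMAIL_RE.subn("[EMAIL]", text)
    counts["email"] += n
    return text, counts
```

Validation after the regex hit is what keeps the invalid 000-12-3456 out of the SSN count while still redacting the real-looking identifiers.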
NIST SP 800-53 Rev 5 Control Families
| Family | Description | Status |
|---|---|---|
| AC | Access Control (RBAC, session management) | Implemented |
| AU | Audit & Accountability (immutable Knox ledger) | Implemented |
| IA | Identification & Authentication (bcrypt 12 rounds) | Implemented |
| SC | System & Communications Protection (TLS 1.3, AES-256) | Implemented |
| SI | System & Information Integrity (payload inspection, PII scrub) | Implemented |
| IR | Incident Response (Knox dashboard, threat log) | Implemented |
| CM | Configuration Management (Cloud Run revisions) | Implemented |
HIPAA Alignment
While trust documents are not Protected Health Information per se, they routinely contain medical history, capacity assessments, and HEMS distribution evidence. TrustAI applies HIPAA Security Rule administrative, physical, and technical safeguards to all case data. A signed Business Associate Agreement (BAA) is available for any covered entity engagement, and a BAA template is available for review.
Compliance Posture
| Framework | Status |
|---|---|
| FISMA Continuous Monitoring | Active (Knox Dashboard) |
| OMB Circular A-123 | Compliant (immutable audit trail) |
| Federal Records Act | Compliant (Knox-anchored retention) |
| SOC 2 Type II | Self-Assessment Complete; Formal Audit Pending |
| Section 508 Accessibility | Audit Scheduled |
Federal Rules of Evidence Posture
TrustAI audit-pack bundles are framed for self-authenticating admissibility under Federal Rules of Evidence 902(13) and 902(14). The substrate provides the cryptographic evidence; the firm-side bar-licensed attorney of record signs the printed certificate of authenticity that accompanies each bundle. Procedural prerequisites that fall under FRE 902(11) and 902(12), including the pretrial written notice to adverse parties and the fair opportunity to challenge the certification, are firm-side responsibilities, not substrate-side.
| Rule | Substrate-side coverage |
|---|---|
| FRE 902(13) | For records generated by an electronic process or system: the substrate generates and stores the record on an immutable hash chain. The firm-side qualified person provides the certification on the bundle's printed certificate of authenticity, and complies with the FRE 902(11)/(12) certification-and-notice requirements at filing. |
| FRE 902(14) | For data copied from an electronic device, storage medium, or file: the substrate emits the digital identification used to authenticate the copy — SHA-256 payload hashes, ML-DSA-87 block signatures (FIPS 204), and OpenTimestamps Bitcoin anchors. The firm-side certification of the qualified person, and the FRE 902(11)/(12) notice procedure, remain firm-side. |
Each audit-pack bundle contains a canonical manifest, the firm-side certificate of authenticity (operator-fill template, attorney-signed at print time), verification instructions written for a sub-attorney reviewer or court clerk, and one signed-record JSON per included event. Verification procedure is documented end-to-end against the live public verify endpoint at /api/trustai/v1/decisions/verify; any reviewer can confirm the hash-chain, Merkle inclusion proof, and OpenTimestamps Bitcoin anchor without contacting the issuing firm.
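To make the reviewer-side checks in this section concrete, here is an added Python sketch (example code, not TrustAI's bundle schema or verify endpoint, which this page does not specify): it rebuilds a SHA-256 hash chain over constructed event records, then produces and verifies a Merkle inclusion proof for one record. The ML-DSA-87 block signatures and the OpenTimestamps Bitcoin anchor are assumed to be separate verification steps and are not reproduced.

```python
import hashlib
import json

# Constructed sample events; the real bundle's record schema is not on the page.
SAMPLE_EVENTS = [{"event": "decision", "id": i} for i in range(5)]


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def canonical(record: dict) -> bytes:
    """Deterministic encoding so any reviewer reproduces the same payload hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(payloads):
    """Hash chain: each block hash commits to the previous block hash and its payload hash."""
    chain, prev = [], "0" * 64
    for p in payloads:
        ph = sha256(canonical(p))
        bh = sha256((prev + ph).encode())
        chain.append({"payload": p, "payload_hash": ph, "prev": prev, "hash": bh})
        prev = bh
    return chain


def verify_chain(chain) -> bool:
    """Recompute every link; any edited payload or broken back-pointer fails."""
    prev = "0" * 64
    for blk in chain:
        if blk["prev"] != prev or sha256(canonical(blk["payload"])) != blk["payload_hash"]:
            return False
        if sha256((prev + blk["payload_hash"]).encode()) != blk["hash"]:
            return False
        prev = blk["hash"]
    return True


def merkle_root_and_proof(leaves, index):
    """Return (root, proof) where proof is a list of (sibling_hash, sibling_is_right)."""
    level, proof = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:                      # odd level: duplicate the last node
            level.append(level[-1])
        sib = index + 1 if index % 2 == 0 else index - 1
        proof.append((level[sib], index % 2 == 0))
        level = [sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof


def verify_inclusion(leaf, proof, root) -> bool:
    h = leaf
    for sib, is_right in proof:
        h = sha256((h + sib).encode()) if is_right else sha256((sib + h).encode())
    return h == root
```

A reviewer holding only one signed record, its proof, and the published root can run verify_inclusion without the rest of the bundle.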
Hosting Infrastructure
TrustAI is hosted on Google Cloud Run (us-central1), a FedRAMP High authorized cloud platform. Data is encrypted at rest with Google-managed AES-256-GCM, and transport uses TLS 1.3 with HSTS preload. GCP infrastructure controls are inherited.
Machine-Readable Attestation
/api/knox/compliance returns a JSON descriptor of the platform's compliance posture, security controls, and Knox audit-permanence configuration. It is verifiable by any reviewer.