Define data export controls and watermarking

Related rules

From the same buckets as this rule.

• Critical

  Encrypt sensitive data at rest with KMS and rotate keys

  Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

  compliance-soc2-essentialssecrets-credentials+1
• Critical

  Enforce TLS 1.2+ and HSTS on all external endpoints

  Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.

  compliance-soc2-essentialssecurity-hardening+1
• Critical

  Use a secrets manager and 90-day rotation policy

  All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

  compliance-soc2-essentialssecrets-credentials+1