Sami Assiri 33af10127d feat(tier1): master closure checklist AR, CI preflight, Class B bundle API, trust and execution docs

Made-with: Cursor

2026-04-16 16:28:33 +03:00

PDPL, NCA ECC, and AI control matrices (operational templates) — WS7

Not legal advice. Engineering templates to operationalize saudi-compliance-and-ai-governance.md.

PDPL control matrix (template)

Control ID	Topic	Implementation hint	Evidence
PDPL-01	Lawful basis documented	Link to consent / contract in `salesflow-saas/docs/legal/`	Policy version + UI copy hash
PDPL-02	Data minimization	Field-level collection review per feature	Design review sign-off
PDPL-03	Subject access / export	Runbook + API capability	Test + ticket
PDPL-04	Retention & deletion	TTL jobs + soft-delete	Job logs
PDPL-05	Processor / subprocessor register	Table of vendors + regions	Updated quarterly

ECC theme	Gap	Mitigation owner	Target date	Status
Asset management	…	…	…	Open

(Replace with organization-specific mapping against ECC 2-2024 controls.)

RMF function	Practical control	Release gate
Govern	Model allowlist per environment	WS6
Map	Data flow for prompts containing PII	WS7
Measure	Offline eval + red-team subset	WS4
Manage	Rollback + incident runbook	WS3/WS6

OWASP LLM risk	Mitigation	Test
Prompt injection	Tool allowlists + input guards	Automated + manual
Insecure output handling	Schema validation on outputs	pytest
Excessive agency	Executor vs recommender separation	Policy review

Define configuration keys for data region and LLM routing per tenant; document in ADR when enforced in policy_engine or external PDP.

Before tagging an enterprise release candidate:

Reconcile this matrix with ../enterprise-readiness.md and saudi-compliance-and-ai-governance.md.
Attach evidence: PDPL rows above filled (no … placeholders for production claims), NCA gap register owner + date, AI RMF row sign-off.
Cross-check ../TIER1_MASTER_CLOSURE_CHECKLIST_AR.md §14 and ../../salesflow-saas/docs/tier1-master-closure-checklist.md Gate 8.