
Trust & Compliance

Autional is built with security and compliance as core design principles — not afterthoughts.

🔐

Data Encryption

Sensitive fields are encrypted at rest with AES-256-GCM, and encryption keys can be rotated. SM4-GCM is available for deployments that must follow the Chinese national cryptographic standard.

🔒

Password Security

Passwords are hashed with argon2id using a per-tenant pepper. For transmission, a password can additionally be encrypted with a symmetric key agreed via ECDH or with RSA public-key encryption.

📝

Audit Trail

Append-only audit log built as a Merkle hash chain: each authentication event record includes the hash of its predecessor, so every event is cryptographically linked to the ones before it and any modification, deletion or reordering is detectable on verification.
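As an added illustration of what a hash-chained, Merkle-anchored audit log buys you (this is example code, not Autional's implementation; the record layout, the SHA-256 construction and the sample events are all assumptions made here), the block below appends constructed authentication events to a chain, verifies the chain, shows how an edited or deleted record is caught, and shows the one case chain verification alone cannot catch: truncation of the tail, which is why the current Merkle root (or last hash) has to be anchored outside the log.

```python
"""Hash-chained audit log with tamper detection.

Added example, not Autional's code. Record layout and hashing are assumptions;
the events are constructed sample data, not real logs.
"""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


def canonical(event: dict) -> bytes:
    # Deterministic serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    # Link: hash covers the predecessor's hash and this event's content.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(chain: List[dict], event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, "event": event}
    entry["hash"] = entry_hash(prev, event)
    chain.append(entry)
    return entry


def verify(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad entry or None).

    Catches edited records (hash mismatch), deleted or reordered records
    (seq / prev_hash mismatch), but NOT removal of the newest entries.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def merkle_root(chain: List[dict]) -> str:
    # Merkle root over the entry hashes: one value to sign or publish per batch.
    # Distinct leaf/node prefixes prevent a leaf from masquerading as a node.
    if not chain:
        return GENESIS
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(e["hash"])).digest() for e in chain]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"type": "login.success", "user": "alice", "ip": "10.0.0.5", "ts": "2024-01-01T09:00:00Z"},
    {"type": "mfa.challenge", "user": "alice", "method": "totp", "ts": "2024-01-01T09:00:03Z"},
    {"type": "login.failure", "user": "bob", "ip": "10.0.0.9", "ts": "2024-01-01T09:05:00Z"},
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def modified_copy(chain: List[dict]) -> List[dict]:
    # Attacker rewrites a failed login as a success without recomputing hashes.
    bad = copy.deepcopy(chain)
    bad[2]["event"]["type"] = "login.success"
    return bad


def deleted_copy(chain: List[dict]) -> List[dict]:
    # Attacker removes a middle record; the successor's link no longer matches.
    bad = copy.deepcopy(chain)
    del bad[1]
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))
    print("modified:", verify(modified_copy(chain)))
    print("deleted:", verify(deleted_copy(chain)))
    print("truncated passes chain check:", verify(chain[:-1]))
    print("but root changed:", merkle_root(chain[:-1]) != merkle_root(chain))
```

The chain check is only as strong as the secrecy of the latest hash: an attacker who can rewrite every entry can recompute every link. The Merkle root (or simply the last entry hash) therefore has to be anchored somewhere the log writer cannot alter, for example signed with a key from the key-management service or published to a separate store, and compared at verification time; that anchor is also what detects silent truncation of the newest events.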

🛡️

MFA & Access Control

MFA via TOTP, WebAuthn/FIDO2, SMS, email and push. Authorization models: role-based (RBAC), attribute-based (ABAC), relationship-based (ReBAC) and privileged identity management (PIM).

🌐

Compliance Frameworks

Built-in data models and tooling for ISO 27001, PCI DSS, HIPAA, SOX, GDPR, PSD2, PIPL and Dengbao 2.0 (China's MLPS 2.0).

🔑

Key Management

Centralized secret-service for encryption keys, JWT signing keys, and API keys. Hardware-backed key storage support.

🏗️

Architecture

24 independently deployable microservices. PostgreSQL, MongoDB, Redis, RabbitMQ. gRPC service mesh with OpenTelemetry tracing.

🔍

Vulnerability Management

Regular dependency scanning, penetration-testing workflows, and tracking of security audit findings are built into the compliance service.

Compliance Disclaimer

The technical capabilities described above are Autional's platform design goals and built-in tooling. Compliance certifications (ISO 27001, SOC 2, PCI DSS, etc.) remain the responsibility of the deploying organization: Autional provides the technical foundation, but achieving certification requires organization-specific controls, policies and independent audits.