Controls Overview

82 security controls across the platform.

Technical Controls

Platform-Provided

ID	Title	Owner	CSF Function
SID-ACCESS-01	Multi-Tenant Isolation	platform	protect
SID-ACCESS-02	Rate Limiting and Brute-Force Protection	platform	protect
SID-ACCESS-03	User Consent Before Credential Disclosure	platform	protect
SID-ACCESS-04	SPOCP Policy-Based Query Authorization	platform	protect
SID-ARCH-01	Platform Architecture Non-Applicability Register	platform	identify
SID-AUDIT-01	Structured Security Event Logging	platform	detect
SID-AUDIT-02	Privacy-Preserving Audit Event Taxonomy	platform	detect
SID-AUTH-01	FIDO2/WebAuthn Passwordless Authentication	platform	protect
SID-AUTH-02	JWT Bearer Token Session Management	platform	protect
SID-AUTH-03	OIDC Gate for External Identity Providers	platform	protect
SID-AUTH-04	WebSocket JWT Handshake Authentication	platform	protect
SID-AUTH-05	Wallet Unlock, Lockout, and PIN Security	platform	protect
SID-AUTH-06	Wallet Lifecycle Management	platform	protect
SID-CRYPTO-01	PKCS#11 HSM Key Protection	platform	protect
SID-CRYPTO-02	PRF Extension Key Derivation	platform	protect
SID-CRYPTO-03	AES-256-GCM Encrypted Keystore	platform	protect
SID-CRYPTO-04	COSE Sign1 and mDOC Cryptography	platform	protect
SID-CRYPTO-05	Secure Random Number Generation	platform	protect
SID-DATA-01	SD-JWT Selective Disclosure	platform	protect
SID-DATA-02	mDOC Element-Level Selective Disclosure	platform	protect
SID-DATA-03	Credential Revocation via Token Status List	platform	protect
SID-DATA-04	VCTM Schema Validation	platform	protect
SID-DATA-06	PII Field Encryption for User Records	platform	protect
SID-DATA-07	Credential Re-issuance and Lifecycle Management	platform	protect
SID-DATA-08	Server-Side Data Cache Protection	platform	protect
SID-DATA-09	Runtime Memory Protection	platform	protect
SID-DATA-10	Wallet Backup Security	platform	protect
SID-HARD-01	Error Message Sanitization	platform	protect
SID-HARD-02	Input Validation and Injection Prevention	platform	protect
SID-HARD-03	Network Segmentation (Separate Server Ports)	platform	protect
SID-HARD-04	Secure Registration Enforcement	platform	protect
SID-HARD-05	Browser Security Controls	platform	protect
SID-HARD-06	Wallet Attestation and Environment Integrity	platform	identify
SID-HARD-07	Resource Upload Constraints	platform	protect
SID-HARD-08	Sensitive Data UI Protection	platform	protect
SID-HARD-09	Application Resilience and Anti-Tampering	platform	protect
SID-KEY-01	WSCA WebSocket Key Signing Delegation	platform	protect
SID-KEY-02	IACA Certificate Management	platform	protect
SID-KEY-03	WSCD Client Library with rawSign API	platform	protect
SID-KEY-04	R2PS Remote WSCD SCAL2 Compliance	platform	protect
SID-PRIV-01	Minimal Disclosure Enforcement	platform	protect
SID-PRIV-02	VP Nonce Binding (Anti-Replay)	platform	protect
SID-PRIV-03	Right-to-Erasure Bulk Deletion API	platform	protect
SID-PRIV-04	Pseudonymous Authentication	platform	protect
SID-TRANS-01	TLS 1.2+ Minimum with Configurable Version	platform	protect
SID-TRANS-02	OpenID4VCI Credential Issuance Protocol	platform	protect
SID-TRANS-03	OpenID4VP Credential Presentation Protocol	platform	protect
SID-TRANS-04	SSRF-Protected HTTP Client	platform	protect
SID-TRUST-01	AuthZEN PDP Trust Evaluation Service	platform	identify
SID-TRUST-02	Multi-Registry Trust Framework Support	platform	identify
SID-TRUST-03	Issuer and Verifier Trust Gating	platform	protect
SID-TRUST-04	Trust Decision Caching with Circuit Breaker	platform	protect
SID-TRUST-05	Relying Party Registration and Over-Request Detection	platform	protect

Operator-Required

ID	Title	Owner	CSF Function
SID-ARCH-02	Operator-Scope Compliance Obligations	operator	govern
SID-TRANS-05	Operator TLS Deployment Enforcement	operator	protect

Organizational Controls

Platform-Provided

ID	Title	Owner	CSF Function
SID-OPS-04	Vulnerability Management	platform	detect
SID-OPS-05	Secure Configuration Management	platform	govern
SID-OPS-08	Secure Development Lifecycle	platform	protect
SID-OPS-09	Platform Security Documentation	platform	identify

Operator-Required

ID	Title	Owner	CSF Function
SID-OPS-01	Incident Response and Management	operator	respond
SID-OPS-02	Business Continuity and ICT Readiness	operator	recover
SID-OPS-03	Backup and Recovery	operator	recover
SID-OPS-06	Monitoring and Alerting	operator	detect
SID-OPS-07	Fraud Management	operator	detect
SID-OPS-10	Encryption-at-Rest and Secrets Management	operator	protect
SID-OPS-11	Data Leakage Prevention — Infrastructure Controls	operator	protect
SID-OPS-12	Deployment Environment Separation	operator	protect
SID-OPS-13	Operator Security Documentation	operator	identify
SID-ORG-01	Information Security Policy	operator	govern
SID-ORG-02	Roles, Responsibilities, and Segregation of Duties	operator	govern
SID-ORG-03	Risk Management Framework	operator	identify
SID-ORG-04	Supplier and Third-Party Security	operator	govern
SID-ORG-05	Legal, Regulatory, and Contractual Compliance	operator	govern
SID-ORG-06	Wallet Service Practice Statement	operator	govern
SID-ORG-07	Terms of Service and Privacy Policy	operator	govern
SID-ORG-08	Information Classification and Labelling	operator	identify
SID-PHY-01	Data Center Physical Security	operator	protect
SID-PHY-02	Equipment and Media Security	operator	protect
SID-PPL-01	Personnel Screening and Onboarding	operator	protect
SID-PPL-02	Security Awareness, Education, and Training	operator	protect
SID-PPL-03	Confidentiality and Non-Disclosure Agreements	operator	protect
SID-PPL-04	Information Security Event Reporting	operator	detect

Technical Controls​

Platform-Provided​

Operator-Required​

Organizational Controls​

Platform-Provided​

Operator-Required​

Technical Controls

Platform-Provided

Operator-Required

Organizational Controls

Platform-Provided

Operator-Required