Technical Transparency & System Integrity

For external auditors, security reviewers, compliance consultants and technical due-diligence reviewers

1. Design Philosophy

HAIEC prioritizes deterministic behavior because compliance decisions must be reproducible and defensible in regulatory proceedings. Stochastic systems introduce run-to-run variance that is difficult to explain to auditors or regulators.

Evidence is treated as a first-class object because it forms the foundation of audit trails. Every compliance finding must trace back to verifiable source material.

Human oversight is mandatory in regulated systems because automated decisions affecting employment, credit, or legal standing require accountability. HAIEC surfaces findings for human review rather than making autonomous determinations.

2. System Layers & Control Boundaries

Layer          Responsibility              Control Boundary
-------------  --------------------------  ----------------
Intake         Source capture              Immutable input
Normalization  Canonical structuring       Schema-validated
Parsing        Static analysis             Rule-bounded
Detection      Control evaluation          Deterministic
Tracing        Source-to-finding linkage   Replayable
Evidence       Artifact binding            Verifiable
Review         Human validation            Required
Retention      Versioning & storage        Tamper-evident
Export         Audit handoff               Read-only

3. Determinism Guarantees

Same Input → Same Output

HAIEC enforces determinism through:

  1. Rule-based classification: All risk scoring uses explicit if-then logic, not probabilistic models
  2. Version-locked rules: Control definitions are versioned and immutable once deployed
  3. Versioned, timestamped assessments: Every assessment records the exact rule version applied and the evaluation time, so it can be replayed against the same rules
  4. No adaptive behavior: System does not learn or adjust rules based on usage patterns

Limitation: Determinism applies to compliance evaluation only. User interface personalization and analytics may use non-deterministic methods.
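The following is an added illustration of the guarantees above, not HAIEC source code. It shows one way a practitioner would implement "same input, same output" with version-locked rules: each rule is plain data, the rule version is the SHA-256 of the canonical ruleset, findings depend only on the rules and the evidence, and the evaluation timestamp is recorded but excluded from the reproducibility check. It also applies the "missing evidence for a high-risk control" condition from section 5. The rule schema, control IDs, evidence fields and sample values are all constructed for the example.

```python
"""Deterministic control evaluation over version-locked rules.

Added illustration, not HAIEC source. The rule schema, control IDs and
evidence fields below are constructed for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Explicit comparison operators; the rule language has no learned thresholds.
OPERATORS = {
    ">=": lambda actual, expected: actual >= expected,
    "<=": lambda actual, expected: actual <= expected,
    "==": lambda actual, expected: actual == expected,
}

# Constructed ruleset. Each rule is data, so the whole set can be hashed.
RULES = [
    {"control_id": "AUD-01", "risk": "high", "field": "bias_audit_age_days",
     "op": "<=", "value": 365, "text": "Bias audit no older than one year"},
    {"control_id": "NOT-02", "risk": "high", "field": "candidate_notice_published",
     "op": "==", "value": True, "text": "Candidate notice is published"},
    {"control_id": "LOG-03", "risk": "medium", "field": "log_retention_days",
     "op": ">=", "value": 90, "text": "Decision logs retained 90 days"},
]

# Constructed evidence record: the third field is intentionally absent.
EVIDENCE = {"bias_audit_age_days": 120, "candidate_notice_published": True}


def canonical(obj) -> bytes:
    """Canonical JSON: sorted keys, no whitespace, so equal data hashes equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def ruleset_version(rules) -> str:
    """Version lock: any change to any rule changes the recorded version."""
    return hashlib.sha256(canonical(rules)).hexdigest()


def evaluate(rules, evidence):
    """Apply each rule to the evidence. Findings depend only on (rules, evidence)."""
    findings = []
    for rule in rules:
        if rule["field"] not in evidence:
            status = "MISSING_EVIDENCE"
        elif OPERATORS[rule["op"]](evidence[rule["field"]], rule["value"]):
            status = "PASS"
        else:
            status = "GAP"
        findings.append({"control_id": rule["control_id"], "risk": rule["risk"],
                         "status": status, "text": rule["text"]})
    # Missing evidence for a high-risk control makes the assessment not audit-ready.
    audit_ready = not any(f["status"] == "MISSING_EVIDENCE" and f["risk"] == "high"
                          for f in findings)
    return {
        "rule_version": ruleset_version(rules),
        "evidence_hash": hashlib.sha256(canonical(evidence)).hexdigest(),
        "evaluated_at": datetime.now(timezone.utc).isoformat(),  # recorded, not an input
        "audit_ready": audit_ready,
        "findings": findings,
    }


def reproducible(a, b) -> bool:
    """Replay check: two assessments agree on everything except evaluation time."""
    keys = ("rule_version", "evidence_hash", "audit_ready", "findings")
    return all(a[k] == b[k] for k in keys)


if __name__ == "__main__":
    first, second = evaluate(RULES, EVIDENCE), evaluate(RULES, EVIDENCE)
    print("rule version:", first["rule_version"][:16], "reproducible:", reproducible(first, second))
    for f in first["findings"]:
        print(f["control_id"], f["risk"], f["status"])
    print("audit-ready:", first["audit_ready"])
```

Hashing the canonical serialization rather than a hand-maintained version string is what makes the lock enforceable: an edited threshold cannot ship under an old version number. The reproducibility check deliberately compares findings, not the full record, because the evaluation time is provenance metadata, not an input.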

4. Security Controls

Authentication & Authorization

  • OAuth 2.0-based sign-in with GitHub and Google as identity providers
  • Role-based access control (RBAC) with least-privilege model
  • Session tokens expire after 24 hours
  • Multi-factor authentication available for enterprise accounts

Secrets Handling

  • Environment variables for API keys and database credentials
  • No secrets in source code or version control
  • Secrets rotation supported via environment variable updates
  • Third-party API keys stored encrypted in database

Input Validation

  • All user inputs validated against schema before processing
  • File uploads restricted to documented formats (PDF, MD, JSON)
  • Maximum file size: 10MB
  • Content-type verification for all uploads

Limitation: HAIEC does not perform penetration testing or third-party security audits. Customers requiring these should engage independent security firms.
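An added example of the upload checks listed under Input Validation, not HAIEC's own code. The only facts it takes from the page are the permitted formats (PDF, MD, JSON) and the 10MB limit; the extension-to-media-type mapping, the function names and the sample uploads are assumptions constructed for the illustration. The point a reviewer should look for is that the declared Content-Type is client-controlled, so the bytes are checked against the claimed format rather than trusting the header alone.

```python
"""Upload validation: size, type allowlist, and content sniffing.

Added illustration, not HAIEC source. Only the allowed formats (PDF, MD,
JSON) and the 10MB limit come from the page; the rest is assumed.
"""
import json
import os
from typing import Tuple

MAX_BYTES = 10 * 1024 * 1024  # documented 10MB limit

# Extension -> declared media types accepted for it (assumed mapping).
ALLOWED = {
    ".pdf": {"application/pdf"},
    ".md": {"text/markdown", "text/plain"},
    ".json": {"application/json"},
}


def safe_name(filename: str) -> str:
    """Keep only the base name so '../' or absolute paths never reach storage."""
    return os.path.basename(filename.replace("\\", "/"))


def content_matches(ext: str, data: bytes) -> bool:
    """Verify the bytes against the claimed format, not the client header."""
    if ext == ".pdf":
        return data.startswith(b"%PDF-")
    # MD and JSON must be NUL-free UTF-8 text; a NUL byte means a binary in disguise.
    if b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if ext == ".json":
        try:
            json.loads(text)
        except ValueError:
            return False
    return True


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the check that failed."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, f"file exceeds {MAX_BYTES} bytes"
    ext = os.path.splitext(safe_name(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not permitted"
    # Drop parameters such as "; charset=utf-8" before comparing the media type.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED[ext]:
        return False, f"declared type {media_type} does not match {ext}"
    if not content_matches(ext, data):
        return False, f"content is not valid {ext}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads: three valid, four that should be rejected.
    samples = [
        ("audit-report.pdf", "application/pdf", b"%PDF-1.7\n%constructed\n"),
        ("policy.md", "text/markdown", "# Policy\nRetain logs 90 days.\n".encode()),
        ("controls.json", "application/json; charset=utf-8", b'{"control": "AUD-01"}'),
        ("report.pdf", "application/pdf", b"<html><script>alert(1)</script>"),
        ("notes.md", "text/markdown", b"MZ\x90\x00\x03"),
        ("bad.json", "application/json", b"{not json"),
        ("tool.exe", "application/octet-stream", b"MZ"),
    ]
    for name, ctype, blob in samples:
        print(f"{name:18} {validate_upload(name, ctype, blob)}")
```

Checking size before anything else keeps an oversized body from reaching the parser, and checking the extension before the media type means a renamed executable is rejected regardless of what header it arrives with. The PDF check here is a magic-byte prefix only; a production path would hand the accepted bytes to the real parser in a sandbox, since a well-formed prefix says nothing about the rest of the file.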

5. Error Handling & Failure Modes

NOT AUDIT-READY Conditions:

  • Parse failure on critical documents
  • Missing evidence for high-risk controls
  • System error during assessment
  • Incomplete user responses in questionnaire
  • Evidence older than retention period

Silent Failure Prevention:

  • All critical operations wrapped in try/catch blocks
  • Errors are logged before an error response is returned to the user
  • Health check endpoint monitors database and API connectivity
  • Alerting configured for error rate thresholds

6. Evidence Integrity & Chain of Custody

Evidence Linking

  • Each finding includes source file path or URL
  • Evidence hash (SHA-256) recorded at ingestion
  • Finding references evidence by hash, not mutable identifier
  • Evidence changes trigger new assessment version

Modification Protection

  • Evidence files stored in immutable object storage
  • Hash verification on retrieval
  • Modification attempts logged as security events
  • Original evidence retained even if superseded

Limitation: HAIEC does not use blockchain or cryptographic signatures for evidence. Hash-based verification is sufficient for current use cases: a SHA-256 hash detects any change to the evidence bytes, but it does not by itself establish who produced the evidence or when, so that assurance rests on the tamper-evident retention layer and the logging of modification attempts described above.
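An added, self-contained illustration of the evidence-linking and modification-protection bullets above; it is not HAIEC's implementation. EvidenceStore, AssessmentLog and Finding are assumed names, and the in-memory dictionary stands in for immutable object storage. The behaviour follows the page: SHA-256 at ingestion, findings that reference evidence by hash, verification on retrieval, rejected and logged modification attempts, and a new assessment version with the original retained when evidence is superseded. The sample evidence bytes and source paths are constructed.

```python
"""Content-addressed evidence with hash verification on retrieval.

Added illustration, not HAIEC source. Class names are assumed; the dict
stands in for immutable object storage.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


class IntegrityError(Exception):
    """Stored bytes no longer match the hash a finding references."""


@dataclass(frozen=True)
class Finding:
    control_id: str
    evidence_hash: str   # the reference is the hash, not a row ID that could be repointed
    source: str          # original file path or URL


class EvidenceStore:
    """Write-once objects keyed by SHA-256 of their content."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}
        self.security_events: List[str] = []

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def ingest(self, data: bytes) -> str:
        h = self.digest(data)
        self._objects.setdefault(h, data)  # identical bytes dedupe; nothing is overwritten
        return h

    def retrieve(self, h: str) -> bytes:
        data = self._objects[h]
        if self.digest(data) != h:
            # Storage-layer tampering or corruption: log it, then refuse to return the bytes.
            self.security_events.append(f"integrity failure on retrieval: {h}")
            raise IntegrityError(h)
        return data

    def overwrite(self, h: str, data: bytes) -> None:
        """The only post-ingestion write path; it always refuses and logs the attempt."""
        self.security_events.append(f"modification attempt rejected: {h}")
        raise PermissionError("evidence objects are immutable")


class AssessmentLog:
    """Each evidence change produces a new assessment version; old versions are kept."""

    def __init__(self, store: EvidenceStore) -> None:
        self.store = store
        self.versions: List[List[Finding]] = []

    def latest(self) -> List[Finding]:
        return list(self.versions[-1]) if self.versions else []

    def record(self, control_id: str, source: str, data: bytes) -> Finding:
        finding = Finding(control_id, self.store.ingest(data), source)
        carried = [f for f in self.latest() if f.control_id != control_id]
        self.versions.append(carried + [finding])
        return finding

    def verify(self) -> List[str]:
        """Replay check: return the controls whose evidence no longer hashes to its reference."""
        failed = []
        for f in self.latest():
            try:
                self.store.retrieve(f.evidence_hash)
            except IntegrityError:
                failed.append(f.control_id)
        return failed


if __name__ == "__main__":
    store, log = EvidenceStore(), None
    log = AssessmentLog(store)
    v1 = log.record("AUD-01", "s3://evidence/bias-audit-2024.pdf", b"%PDF-1.7 audit v1")  # constructed
    v2 = log.record("AUD-01", "s3://evidence/bias-audit-2025.pdf", b"%PDF-1.7 audit v2")  # constructed
    print("versions:", len(log.versions), "original retained:", store.retrieve(v1.evidence_hash) is not None)
    store._objects[v2.evidence_hash] = b"forged"   # simulate tampering beneath the hash index
    print("failed controls:", log.verify())
    print("events:", store.security_events)
```

Because the finding carries the hash rather than a database key, repointing a row cannot silently swap evidence under an existing finding; the swap changes the hash, which the retrieval check catches. The test of the whole scheme is the last two lines of the demo: tampering at the storage layer shows up as an integrity failure on the next replay, with a logged event, rather than as a quietly different document.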

7. Human Oversight & Accountability

What Requires Human Review

  • High-Risk Systems: Hiring tools, credit decisioning, healthcare AI
  • Medium-Risk Systems: Recommendation engines, content moderation, fraud detection
  • Low-Risk Systems: Informational chatbots, public data analysis

Responsibility Transfer

HAIEC Responsibility:

  • Accurate evidence collection
  • Correct rule application
  • Complete gap identification
  • Audit trail maintenance

Customer Responsibility:

  • Evidence accuracy
  • Compliance interpretation
  • Remediation execution
  • Regulatory submissions

8. Regulatory & Standards Grounding

HAIEC references the following standards and laws:

Standards

  • NIST AI RMF 1.0
  • ISO 42001:2023
  • ISO 27001:2022
  • SOC 2 Trust Services Criteria

Laws

  • NYC Local Law 144
  • Colorado AI Act (SB 24-205)
  • EU AI Act (reference only)
  • GDPR Article 22

Alignment Claim: HAIEC's control mapping references these frameworks but does not claim certification or full compliance. Customers must independently verify alignment with their specific regulatory obligations.

9. Explicit Non-Capabilities

HAIEC does NOT:

  1. Issue certifications
  2. Provide legal opinions
  3. Automate approvals
  4. Score AI risk probabilistically
  5. Substitute for auditors
  6. Guarantee compliance
  7. Monitor production AI systems
  8. Perform bias testing
  9. Replace compliance counsel
  10. Certify data privacy

10. How This Page Should Be Interpreted

Who this page is for:

  • External auditors evaluating HAIEC's technical controls
  • Security reviewers conducting vendor risk assessments
  • Compliance consultants assessing tool suitability
  • Technical buyers conducting due diligence

What this page does not replace:

  • Security audit or penetration test
  • Legal compliance opinion
  • Vendor risk assessment questionnaire
  • Service Organization Control (SOC) report

Document Control:

Version: 1.0 | Last Updated: January 8, 2025 | Owner: CTO | Next Review: April 8, 2025