Data Governance - Security and Compliance Metrics

Understanding where data comes from, how it is transformed, and where it moves over time is vital for both compliance and data quality. This includes detailed histories of data sources, transformations applied, and downstream uses.

Security and Compliance Metrics are essential components of a Data Governance Platform, serving as critical indicators of an organization's adherence to security standards and regulatory compliance. These metrics provide a comprehensive view of the security posture and compliance status of data across an organization, helping to identify vulnerabilities, monitor for compliance with legal and policy requirements, and ensure that data protection measures are effective.

1. Access Controls and Audit Logs: Security and compliance metrics track who is accessing data, when, and for what purpose. Audit logs are maintained to record all access and modification events related to sensitive data. These logs are crucial for forensic analysis in the event of a security incident and for regular compliance audits. Access controls ensure that only authorized personnel can access sensitive data based on their role and responsibilities.

At the Data Object Layer, ARPIA leverages MySQL binary logs (binlogs) for transaction-level auditing and supports point-in-time recovery at the database level. Separately, all changes to Knowledge Nodes are recorded in the platform audit log, allowing administrators to review and revert Node-level changes to any prior state.

User & Profile management in ARPIA.

2. Data Encryption Metrics: Metrics related to data encryption help ensure that data at rest and in transit is protected according to best practices. This includes monitoring the strength of encryption methods, the management of encryption keys, and compliance with industry standards such as PCI-DSS for payment data or HIPAA for health information. In ARPIA, encryption at rest is configurable at the time of Repository setup, and is available at both the OS and Data Repository levels. All data in transit is transmitted over encrypted connections.

3. Vulnerability Assessments and Penetration Testing: Security metrics include results from regular vulnerability assessments and penetration tests. These tests identify and remediate security vulnerabilities across the platform's infrastructure, including databases, applications, and network systems. Results are used to prioritize security issues based on severity and potential impact. Penetration test results and related security documentation are available to customers and prospective customers upon request.

4. Incident Response Metrics: These metrics track the organization's ability to detect, respond to, and recover from security incidents. Key performance indicators include Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). ARPIA maintains internal incident response processes aligned with these KPIs. Additionally, organizations can leverage the ARPIA Data Platform to build custom incident management applications and generate analytics dashboards to support their own incident tracking and reporting workflows.

5. Data Breach Metrics: In the event of a data breach, these metrics detail the scope, impact, and nature of the incident — including the types of data compromised, the number of individuals affected, and the status of containment and mitigation efforts. These metrics support regulatory reporting obligations and inform ongoing improvements to data security measures. ARPIA maintains internal breach response procedures, and organizations can also use the Data Platform to build custom breach tracking and reporting applications.

6. User Behavior Analytics: By monitoring and analyzing user behavior, security teams can identify anomalies that may indicate a security threat, such as unauthorized access attempts or data exfiltration. In ARPIA, every Knowledge Node maintains a detailed access log that records how data is delivered and consumed across the platform, enabling administrators to detect and respond to unauthorized access patterns.
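The checks below are an added example, not ARPIA's own code. They run over constructed access log lines in a hypothetical key=value format and a constructed profile-to-node permission map, and flag three patterns an administrator reviewing a node access log would look for: access to a node outside the user's profile permissions, access outside business hours, and a single user touching an unusually large number of distinct nodes in the window.

```python
"""Added example (not ARPIA code): scan Knowledge Node access log lines for
patterns worth a second look: access to a node the user's profile does not
permit, access outside business hours, and a user sweeping many distinct nodes."""
from collections import defaultdict
from datetime import datetime

# Constructed profile -> permitted Knowledge Node ids (hypothetical ids).
PROFILE_NODES = {
    "analyst": {"KN-0042", "KN-0043", "KN-0044"},
    "finance": {"KN-0101", "KN-0102"},
}

# Constructed sample access log (hypothetical line format, not ARPIA's own).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=alice profile=analyst node=KN-0042 action=read
2024-05-02T09:15:11Z user=alice profile=analyst node=KN-0043 action=read
2024-05-02T09:16:40Z user=bob profile=finance node=KN-0101 action=read
2024-05-02T09:17:02Z user=bob profile=finance node=KN-0042 action=read
2024-05-02T23:40:00Z user=carol profile=analyst node=KN-0042 action=read
2024-05-02T23:40:05Z user=carol profile=analyst node=KN-0043 action=read
2024-05-02T23:40:09Z user=carol profile=analyst node=KN-0044 action=read
2024-05-02T23:40:15Z user=carol profile=analyst node=KN-0101 action=read
"""

# Assumption for this example: 07:00-19:59 UTC counts as in-hours.
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """'<iso8601> key=value ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def unauthorized_accesses(records, profile_nodes):
    """(user, node) pairs where the node is outside the profile's permitted set."""
    return [(r["user"], r["node"]) for r in records
            if r["node"] not in profile_nodes.get(r["profile"], set())]


def off_hours_accesses(records, hours=BUSINESS_HOURS):
    """(user, node, hour) for accesses outside the in-hours window."""
    return [(r["user"], r["node"], r["ts"].hour)
            for r in records if r["ts"].hour not in hours]


def node_sweeps(records, max_distinct_nodes):
    """Users who touched more distinct nodes than the threshold allows."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["node"])
    return {u: len(n) for u, n in seen.items() if len(n) > max_distinct_nodes}


def review(text, profile_nodes=PROFILE_NODES, max_distinct_nodes=3):
    """Run all three checks over a log text and return the findings."""
    recs = parse_log(text)
    return {
        "unauthorized": unauthorized_accesses(recs, profile_nodes),
        "off_hours": off_hours_accesses(recs),
        "sweeps": node_sweeps(recs, max_distinct_nodes),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name, findings)
```

On the constructed log, the finance user's read of KN-0042 and carol's read of KN-0101 are flagged as outside their profiles, all four of carol's 23:40 reads are off-hours, and carol is the only user exceeding the three-distinct-node threshold. The thresholds are assumptions to tune against a real baseline; the permission check is the one that maps directly onto a profile's permitted node list.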

By continuously monitoring these metrics, organizations can effectively manage security risk, maintain compliance with applicable regulatory requirements, and build trust with customers, regulators, and partners.


🔐 Security at the Knowledge Node Level

Each Knowledge Node in ARPIA includes a dedicated Security tab that provides visibility and control over who can access the node. This tab displays Security Dashboards (Last 3 Months), showing two panels: Profiles using this Node and Users using this Node.

Node Security Tab

From this tab you can:

  • View which Security Profiles and Users have accessed the node over the last 3 months
  • Add Profiles that will have access to the node via + Add Profile
  • Search and manage the list of Profiles with access to this report
  • Review Users Requests to this node — any pending access requests appear here

👤 Security Profiles — User & Profile Management

Security Profiles in ARPIA define granular permissions for users across the platform. Each profile is configured through five tabs:

Access to Dashboards — Select which application dashboards the profile can access.

Access to Dashboards

Access to DataApps — Define which DataApps and their individual screens the profile can access. Apps are listed with a count of permitted screens (e.g., 4/4).

Access to DataApps

Access to Reasoning Knowledge — Select which Knowledge Nodes the profile can access. Nodes are listed individually with checkboxes, showing the total count of permitted nodes (e.g., 50/120).

Access to Reasoning Knowledge

MCP / API Collection — Define which MCP / API Collections the profile can access.

MCP / API Collection

Administrative Settings — Configure platform-level permissions across three groups: Arpia AI Platform (21 settings including Orchestrator, Data Sources, Workshop, AI Governance, and more), Security Options (Security Settings, Users, User Sessions), and Other Options (Billing, WorkArea creation, Screen Snapshots, and more).

Administrative Settings

Profile Audit Log

Every change to a Security Profile is recorded in the Profile Audit log. The audit view displays a Git-style diff comparing a selected historical configuration against the current configuration, allowing administrators to identify exactly what permissions were added or removed and when.
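As an added example (not ARPIA's own implementation), the following compares two constructed snapshots of a Security Profile, keyed by the five tabs described above, and produces both a structured added/removed report per tab and a unified (Git-style) diff of a canonical serialization. The profile contents, dashboard and DataApp names, and node ids are hypothetical.

```python
"""Added example (not ARPIA code): diff two Security Profile snapshots the way
an audit view would, reporting which permissions were added or removed per tab."""
import difflib

# Constructed snapshots with hypothetical names; keys are the five profile tabs.
PROFILE_2024_03_01 = {
    "Access to Dashboards": {"Sales Overview", "Ops Health"},
    "Access to DataApps": {"Claims/Intake", "Claims/Review"},
    "Access to Reasoning Knowledge": {"KN-0042", "KN-0043"},
    "MCP / API Collection": {"billing-api"},
    "Administrative Settings": {"Users"},
}
PROFILE_CURRENT = {
    "Access to Dashboards": {"Sales Overview"},
    "Access to DataApps": {"Claims/Intake", "Claims/Review", "Claims/Export"},
    "Access to Reasoning Knowledge": {"KN-0042", "KN-0043"},
    "MCP / API Collection": {"billing-api"},
    "Administrative Settings": {"Users", "Security Settings"},
}


def canonical_lines(profile):
    """Flatten a profile into sorted 'tab: permission' lines so diffs are stable."""
    return sorted(f"{tab}: {perm}" for tab, perms in profile.items() for perm in perms)


def permission_delta(old, new):
    """Per-tab added/removed permissions; tabs with no change are omitted."""
    delta = {}
    for tab in sorted(set(old) | set(new)):
        added = new.get(tab, set()) - old.get(tab, set())
        removed = old.get(tab, set()) - new.get(tab, set())
        if added or removed:
            delta[tab] = {"added": sorted(added), "removed": sorted(removed)}
    return delta


def render_diff(old, new, old_label="historical", new_label="current"):
    """Unified diff of the two canonical serializations, Git-style."""
    return "".join(difflib.unified_diff(
        [line + "\n" for line in canonical_lines(old)],
        [line + "\n" for line in canonical_lines(new)],
        fromfile=old_label, tofile=new_label, lineterm="\n"))


if __name__ == "__main__":
    print(render_diff(PROFILE_2024_03_01, PROFILE_CURRENT, "2024-03-01", "current"))
    for tab, change in permission_delta(PROFILE_2024_03_01, PROFILE_CURRENT).items():
        print(tab, change)
```

Sorting the flattened lines before diffing matters: permission sets have no inherent order, and without a canonical form two equivalent snapshots could produce a noisy diff. The structured delta is what an administrator acts on; the unified diff is the human-readable evidence an auditor can read alongside the timestamp of the change.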

Profile Audit Log

🏛️ Compliance Framework Alignment

Security and compliance metrics directly support the following frameworks:

ISO 42001, SOC 2 Type 2, ISO 27001, GDPR, HIPAA, NIST AI RMF, DORA

Requirements in the mapping:

  • Access controls & RBAC
  • Audit logs & change tracking
  • Data encryption at rest & in transit
  • Vulnerability assessments & pen testing
  • Incident response & breach metrics
  • User behavior analytics
  • Profile-level permission management

Why Security & Compliance Metrics Support Each Framework

🤖 ISO 42001 — AI Management System
ISO 42001 requires organizations to implement controls that govern who can access AI systems and the data they consume, with traceability over changes and access events. ARPIA's Security Profiles, Knowledge Node Security tab, and Profile Audit Log together provide the access governance and change traceability required to demonstrate accountability over AI data pipelines and system configurations.

🔐 SOC 2 Type 2 — Security, Availability, and Confidentiality
SOC 2 is fundamentally an audit of security controls over time. ARPIA's role-based access controls, audit logs at both the data object and node level, encryption at rest and in transit, and the Profile Audit Log's Git-style diff view provide auditors with the continuous, time-stamped evidence of control operation required across the Security, Confidentiality, and Availability trust service criteria.

🛡️ ISO 27001 — Information Security Management
ISO 27001 Annex A requires organizations to implement access control policies, protect audit logs, encrypt sensitive data, conduct vulnerability assessments, and maintain incident response capabilities. ARPIA directly addresses these controls through its RBAC system, binlog-based audit trails, encryption options, penetration testing program, and incident management tooling.

🇪🇺 GDPR — General Data Protection Regulation
GDPR Articles 25 and 32 require organizations to implement appropriate technical and organizational measures to ensure data security, including access controls, encryption, and the ability to detect and respond to breaches. ARPIA's Security Profiles enforce data minimization and purpose limitation at the node level, while audit logs and breach response procedures support Articles 33 and 34 notification obligations.

🏥 HIPAA — Health Insurance Portability and Accountability Act
HIPAA's Security Rule requires covered entities to implement administrative, physical, and technical safeguards for PHI. ARPIA's technical safeguards — including RBAC, audit controls, encryption, and user activity monitoring via the Knowledge Node Security tab — directly satisfy the Security Rule's required and addressable implementation specifications for access control, audit controls, and transmission security.

🧭 NIST AI RMF — AI Risk Management Framework
The NIST AI RMF's GOVERN and MANAGE functions require organizations to establish and maintain controls over who can access AI systems and data, with mechanisms to detect and respond to unauthorized activity. ARPIA's Security Profiles, node-level access logs, and Profile Audit Log support these functions by providing verifiable, role-based access governance and a complete change history for security configurations.

⚡ DORA — Digital Operational Resilience Act
DORA requires financial entities to implement ICT security controls, maintain detailed audit trails, conduct regular vulnerability assessments, and demonstrate incident response capabilities. ARPIA's layered security architecture — combining database-level binlogs, node-level access tracking, role-based profiles, encryption, and penetration testing — provides the technical controls and audit evidence required to meet DORA's ICT security and resilience requirements.