Compliance Documentation

This section contains documentation related to IDPFlare's alignment with ISO 27001:2022 and SOC 2 Type II security standards.

Important Disclaimer: This documentation is for informational purposes only. It does not constitute a certification or guarantee of compliance. You are responsible for validating your deployment's compliance with applicable standards and working with qualified auditors.

Getting Started

For deployments requiring compliance certification, we recommend starting with these documents:

  1. Validation - Review how security claims are validated against source code
  2. Gap Analysis - Identify controls you need to implement
  3. Implementation - Follow step-by-step security configuration
  4. Audit Preparation - Use the checklist for auditor reviews

Key Concepts

What IDPFlare Is

  • OAuth 2.0 / OpenID Connect Authorization Server
  • SAML 2.0 Service Provider
  • User authentication and management system
  • Multi-Factor Authentication (MFA) provider

What IDPFlare Is NOT

  • A complete application security solution (you still need to secure your applications)
  • A monitoring/alerting service (you must implement external monitoring)
  • A backup/disaster recovery solution (you must implement backup procedures)

Scope

This compliance documentation covers the idpflare-core component: the Cloudflare Worker that provides the Identity Provider services.

Deployment Model

IDPFlare is deployed to your Cloudflare account and managed by you. The vendor provides software, but you are responsible for:

  • Configuring security settings appropriately
  • Managing secrets and credentials
  • Monitoring and logging
  • Complying with applicable standards

Note: This shared responsibility model means certain compliance controls are your responsibility to implement, while others are inherited from Cloudflare's platform certifications.

Shared Responsibility Model

When deploying IDPFlare, compliance is a shared effort between you, the IDPFlare software, and the Cloudflare platform.

| Control | IDPFlare (Software) | Cloudflare (Platform) | You (Deployer) |
|---|---|---|---|
| Application Logic | | - | - |
| Encryption at Rest | Partial | ✓ (D1/KV) | Configure |
| Encryption in Transit | | | Configure HTTPS |
| Access Control | ✓ (App-level) | ✓ (Platform) | Configure |
| Audit Logging | ✓ (to D1) | - | Monitor/Export |
| Monitoring | - | - | Implement |
| Backup/Recovery | - | - | Implement |

Inherited Controls

When deploying IDPFlare, you may be able to inherit certain compliance controls from Cloudflare's platform certifications:

  • ISO 27001 - Cloudflare is certified (check current status)
  • SOC 2 Type II - Cloudflare maintains reports (check current status)
  • SOC 1 - Cloudflare maintains reports (check current status)
  • PCI DSS - Cloudflare is Level 1 certified (check current status)
  • FedRAMP - Cloudflare has authorization (check current status)

Always verify Cloudflare's current compliance certifications and how they apply to your use case. Obtain current documentation directly from Cloudflare.

Claims Validation

The security claims made for IDPFlare have been validated against the actual implementation in the source code. See the Validation Document for the detailed analysis.

Validated Security Claims

| Claim | Status | Evidence |
|---|---|---|
| Password hashing (PBKDF2-SHA256) | ✓ Validated | src/lib/crypto.ts:65-94 |
| JWT signing (RS256) | ✓ Validated | src/lib/jwt.ts:120, 154 |
| MFA encryption (AES-GCM-256) | ✓ Validated | src/lib/crypto.ts:140-186 |
| TOTP (RFC 6238) | ✓ Validated | src/services/mfa.service.ts:58-98 |
| CSRF protection | ✓ Validated | src/middleware/csrf.ts |
| SSRF protection | ✓ Validated | src/lib/security.ts:276-333 |
| Input validation | ✓ Validated | src/lib/security.ts:94-242 |
| D1 encryption at rest | ✓ Cloudflare-verified | Cloudflare docs |
| KV encryption at rest | ✓ Cloudflare-verified | Cloudflare docs |

Platform-Provided Controls

Security features provided by Cloudflare are documented by Cloudflare:

For Audits: Use the Cloudflare documentation links as evidence. Bookmark the data security pages and download the current SOC 2 reports via the customer portal.

ISO 27001:2022 Compliance

Complete ISO 27001:2022 (Annex A) compliance analysis, control mapping, and implementation guidance.

Summary

IDPFlare provides technical controls for many ISO 27001 requirements. Key areas include:

  • Access Control (8.2) - Built-in authentication, MFA, session management
  • Cryptography (8.5) - RS256 JWT signing, AES-GCM encryption, PBKDF2 password hashing
  • Data Protection (8.3) - Audit logging, encryption at rest (via platform)
  • Privacy (8.6) - GDPR features, data deletion, portability

Gap Analysis

Critical gaps you must address:

| Control | Gap | Recommended Action |
|---|---|---|
| 8.3.6, 8.8.4 | No automated backup | Implement D1 database export automation |
| 8.3.9 | No monitoring/alerting | Integrate Cloudflare Analytics API or external monitoring |
| 8.5.9, 8.5.10 | No vulnerability scanning | Add dependency scanning to CI/CD |
| 8.7.x | No incident response | Implement incident management procedures |

Read full ISO 27001:2022 compliance analysis →

SOC 2 Type II Compliance

Complete SOC 2 Type II compliance analysis based on AICPA Trust Services Criteria (TSC).

Summary

IDPFlare's controls map to SOC 2 Trust Services Criteria across multiple categories:

  • CC3.1.2 - Logical Access - Authentication, MFA, RBAC, session management
  • CC3.1.3 - Encryption - TLS in transit, encryption at rest, MFA secret encryption
  • CC3.1.4 - System Boundaries - SSRF protection, data transfer security
  • CC3.1.7 - Data Loss Prevention - Input validation, XSS prevention

Gap Analysis

Critical gaps for SOC 2 compliance:

| SOC 2 Criteria | Gap | Priority |
|---|---|---|
| CC2.3.1 | No monitoring system | P0 |
| CC3.1.2c | No periodic access review | P0 |
| CC3.1.5 | No change management process | P0 |
| CC3.1.6c | No backup implementation | P0 |
| CC3.1.14 | No incident response procedures | P0 |

Read full SOC 2 Type II compliance analysis →

Implementation Guide

Step-by-step security configuration guidance for ISO 27001 and SOC 2 compliance.

What's Covered

  • Phase 1: Initial secure configuration
  • Phase 2: Deploy and initialize
  • Phase 3: Monitoring and logging setup
  • Phase 4: Backup and recovery
  • Phase 5: Access management
  • Phase 6: Change management
  • Phase 7: Incident response
  • Phase 8: Vulnerability management
  • Phase 9: Compliance documentation
  • Phase 10: Pre-assessment checklist

Quick Start Configuration

# SOC 2 / ISO 27001 Recommended Settings

[vars]
# --- Authentication ---
PASSWORD_MIN_LENGTH = "12"
REQUIRE_EMAIL_VERIFICATION = "true"
MFA_MODE = "required"  # Critical for SOC 2

# --- Session Management ---
SESSION_DURATION_SECONDS = "28800"      # 8 hours
REFRESH_TOKEN_DURATION_SECONDS = "604800" # 7 days
ACCESS_TOKEN_DURATION_SECONDS = "3600"    # 1 hour

# --- Rate Limiting ---
RATE_LIMIT_LOGIN_ATTEMPTS = "5"
RATE_LIMIT_WINDOW_SECONDS = "900"
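
As an added example (not IDPFlare project code), the following TypeScript reads the [vars] section of a wrangler.toml and reports every setting that is unset or weaker than the recommended values above. The minimal line reader and the direction of each numeric bound (lifetimes and attempt counts at most the listed value, password length and rate-limit window at least the listed value) are assumptions of this example, and the weak sample configuration is constructed.

```typescript
// Added example (not IDPFlare's own code): check a wrangler.toml [vars]
// section against the Quick Start settings recommended above.
interface Finding { key: string; actual: string | undefined; expected: string }

// Minimal reader for `KEY = "value"  # comment` lines under [vars]; not a full
// TOML parser, only the shape used in the snippet above.
function parseVars(toml: string): Record<string, string> {
  const vars: Record<string, string> = {};
  let inVars = false;
  for (const raw of toml.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim(); // drop trailing comments
    if (line === "") continue;
    if (line.startsWith("[")) { inVars = line === "[vars]"; continue; }
    if (!inVars) continue;
    const m = line.match(/^([A-Za-z0-9_]+)\s*=\s*"([^"]*)"$/);
    if (m) vars[m[1]] = m[2];
  }
  return vars;
}

// Rules from the recommended settings: exact values for flags, bounds for
// numeric settings (a longer lifetime or looser limit is the weaker direction).
const RULES: { key: string; ok: (v: string) => boolean; expected: string }[] = [
  { key: "MFA_MODE", ok: v => v === "required", expected: '"required"' },
  { key: "REQUIRE_EMAIL_VERIFICATION", ok: v => v === "true", expected: '"true"' },
  { key: "PASSWORD_MIN_LENGTH", ok: v => Number(v) >= 12, expected: ">= 12" },
  { key: "SESSION_DURATION_SECONDS", ok: v => Number(v) <= 28800, expected: "<= 28800" },
  { key: "REFRESH_TOKEN_DURATION_SECONDS", ok: v => Number(v) <= 604800, expected: "<= 604800" },
  { key: "ACCESS_TOKEN_DURATION_SECONDS", ok: v => Number(v) <= 3600, expected: "<= 3600" },
  { key: "RATE_LIMIT_LOGIN_ATTEMPTS", ok: v => Number(v) <= 5, expected: "<= 5" },
  { key: "RATE_LIMIT_WINDOW_SECONDS", ok: v => Number(v) >= 900, expected: ">= 900" },
];

// One finding per rule that is unset or outside its bound. An unset key counts:
// whatever default the Worker applies is not visible in wrangler.toml.
function auditVars(vars: Record<string, string>): Finding[] {
  return RULES.filter(r => vars[r.key] === undefined || !r.ok(vars[r.key]))
    .map(r => ({ key: r.key, actual: vars[r.key], expected: r.expected }));
}

// Constructed sample: weak settings (MFA optional, 30-day sessions, the
// rate-limit and email-verification keys left unset).
const WEAK_TOML = `name = "idpflare-core"
[vars]
PASSWORD_MIN_LENGTH = "8"
MFA_MODE = "optional"
SESSION_DURATION_SECONDS = "2592000"  # 30 days
`;

console.log(auditVars(parseVars(WEAK_TOML)).map(f => `${f.key}: ${f.actual ?? "unset"} (want ${f.expected})`));
```

Run it against the recommended block above and it reports no findings; the weak sample yields eight, one per rule.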

Read full implementation guide →

Audit Checklist

Comprehensive checklist for auditors and compliance officers to verify alignment with ISO 27001 and SOC 2.

Sections Covered

  • Access Control (SOC 2 CC3.1.2, ISO 8.2)
  • Authentication (SOC 2 CC3.1.2)
  • Encryption (SOC 2 CC3.1.3, ISO 8.5.1)
  • Logging and Monitoring (SOC 2 CC3.1.6, ISO 8.3.8)
  • Input Validation and Security (SOC 2 CC3.1.6)
  • Data Protection (SOC 2 CC3.1.7, ISO 8.3)
  • Change Management (SOC 2 CC3.1.5)
  • Backup and Recovery (SOC 2 CC3.1.6c, ISO 8.3.6)
  • Incident Response (SOC 2 CC3.1.14)
  • Vendor Management (SOC 2 CC3.1.9)
  • Vulnerability Management (SOC 2 CC3.1.6)
  • Training and Awareness (ISO 6.5)
  • Policies and Documentation

View full audit checklist →

Quick Reference

Security configuration quick reference for common compliance tasks.

What's Included

  • wrangler.toml security settings
  • Secret keys reference
  • Database (D1) critical tables
  • KV namespace usage
  • Audit log events reference
  • API key scopes reference
  • Common audit queries
  • Security checklists
  • Cryptographic summary
  • Emergency response commands

Cryptographic Summary

| Purpose | Algorithm | Key Size |
|---|---|---|
| JWT Signing | RS256 | 2048-bit RSA |
| Password Hashing | PBKDF2-SHA256 | 100,000 iterations |
| MFA Secret Storage | AES-GCM | 256-bit |
| D1/KV at rest | Platform | 256-bit AES-GCM |

View full quick reference →

Cloudflare Platform Controls

Many compliance controls are inherited from Cloudflare's certified platform.

Platform Security

  • Physical Security: Cloudflare data centers with access controls
  • Network Security: DDoS protection, WAF, edge security
  • Encryption: D1 and KV encryption at rest (256-bit AES-GCM)
  • Availability: Global edge network with 99.99%+ SLA

Encryption Documentation

Important: For compliance audits, reference Cloudflare's official documentation as evidence of platform-provided encryption:

Available Certifications

Verify current status and obtain documentation directly from Cloudflare:

  • ISO 27001 Certificate
  • SOC 2 Type II Report
  • SOC 1 Report
  • PCI DSS Attestation
  • FedRAMP Authorization

Support Resources

For Questions About

IDPFlare Software

Contact the vendor through official channels.

Cloudflare Platform

Contact Cloudflare support or access Cloudflare compliance documentation.

Compliance Requirements

Consult your compliance officer or qualified auditor for guidance on your specific requirements.

Useful Links