Benjamin_Boenisch/breakpilot-pwa
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Restore all files lost during destructive rebase

Browse Source 
A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.

This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).

Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-02-09 09:51:32 +01:00
parent f7487ee240
commit bfdaf63ba9
2009 changed files with 749983 additions and 1731 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
backend/compliance/data/README.md Normal file
View File

@@ -0,0 +1,218 @@
# Compliance Data - Service Module Registry
Diese Dateien enthalten die Seed-Daten für das Compliance-Modul.
## Sprint 3: Service-Module Registry
### Dateien
- **`service_modules.py`**: Vollständige Registry aller 30+ Breakpilot Services mit:
- Technische Details (Port, Stack, Repository)
- Datenkategorien und PII-Verarbeitung
- Anwendbare Regulierungen (GDPR, AI Act, BSI-TR, etc.)
- Kritikalität und Ownership
### Service-Typen
| Typ | Beschreibung | Beispiele |
|-----|--------------|-----------|
| `backend` | API/Backend Services | consent-service, python-backend |
| `database` | Datenbanken | PostgreSQL, Qdrant, Valkey |
| `ai` | KI/ML Services | klausur-service, embedding-service |
| `communication` | Chat/Video | Matrix, Jitsi |
| `storage` | Speichersysteme | MinIO, DSMS |
| `infrastructure` | Infrastruktur | Vault, Mailpit, Backup |
| `monitoring` | Monitoring (geplant) | Loki, Grafana, Prometheus |
| `security` | Sicherheit | Vault |
### Relevanz-Stufen
| Stufe | Bedeutung |
|-------|-----------|
| `critical` | Non-Compliance = Shutdown |
| `high` | Hohes Risiko |
| `medium` | Mittleres Risiko |
| `low` | Geringes Risiko |
### Verwendung
```python
from compliance.data.service_modules import (
BREAKPILOT_SERVICES,
get_service_count,
get_services_by_type,
get_services_processing_pii,
get_services_with_ai,
get_critical_services
)
# Alle Services
total = get_service_count()
# Backend Services
backends = get_services_by_type("backend")
# PII-verarbeitende Services
pii_services = get_services_processing_pii()
# KI-Services
ai_services = get_services_with_ai()
# Kritische Services
critical = get_critical_services()
```
### Seeding
Services werden automatisch beim ersten Start geseedet:
```bash
# Nur Service-Module seeden
python -m compliance.scripts.seed_service_modules --mode modules
# Vollständige Compliance-DB seeden
python -m compliance.scripts.seed_service_modules --mode all
```
### Validierung
Vor dem Seeding können die Daten validiert werden:
```bash
python -m compliance.scripts.validate_service_modules
```
Prüft:
- Pflichtfelder vorhanden
- Keine Port-Konflikte
- Regulierungen existieren
- Datenkategorien bei PII-Services
## Service-Dokumentation
Jeder Service ist dokumentiert mit:
1. **Identifikation**
- `name`: Technischer Name (Docker-Container)
- `display_name`: Anzeigename
- `description`: Kurzbeschreibung
2. **Technische Details**
- `service_type`: Typ (backend, database, etc.)
- `port`: Hauptport (falls vorhanden)
- `technology_stack`: Verwendete Technologien
- `repository_path`: Pfad im Repository
- `docker_image`: Docker Image Name
3. **Datenschutz**
- `data_categories`: Welche Datenkategorien werden verarbeitet
- `processes_pii`: Verarbeitet personenbezogene Daten?
- `processes_health_data`: Verarbeitet Gesundheitsdaten?
- `ai_components`: Enthält KI-Komponenten?
4. **Compliance**
- `criticality`: Kritikalität (critical, high, medium, low)
- `owner_team`: Verantwortliches Team
- `regulations`: Liste anwendbarer Regulierungen mit Relevanz
### Beispiel: consent-service
```python
{
"name": "consent-service",
"display_name": "Go Consent Service",
"description": "Kernlogik für Consent-Management, Einwilligungsverwaltung und Versionierung",
"service_type": "backend",
"port": 8081,
"technology_stack": ["Go", "Gin", "GORM", "PostgreSQL"],
"repository_path": "/consent-service",
"docker_image": "breakpilot-pwa-consent-service",
"data_categories": ["consent_records", "user_preferences", "audit_logs"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": "critical", "notes": "Art. 7 Einwilligung, Art. 30 VVZ"},
{"code": "TDDDG", "relevance": "critical", "notes": "§ 25 Cookie-Consent"},
{"code": "BSI-TR-03161-2", "relevance": "high", "notes": "Session-Management"}
]
}
```
## Datenbank-Schema
Die Service-Module werden in folgenden Tabellen gespeichert:
### `compliance_service_modules`
Haupttabelle für Services:
- `id`, `name`, `display_name`, `description`
- `service_type`, `port`, `technology_stack`
- `data_categories`, `processes_pii`, `ai_components`
- `criticality`, `owner_team`
- `compliance_score` (berechnet)
### `compliance_module_regulations`
Mapping Service ↔ Regulation:
- `module_id`, `regulation_id`
- `relevance_level` (critical, high, medium, low)
- `notes`
- `applicable_articles` (JSON Liste)
### `compliance_module_risks`
Service-spezifische Risikobewertungen:
- `module_id`, `risk_id`
- `module_likelihood`, `module_impact`
- `module_risk_level`
- `assessment_notes`
## API Endpoints
Nach dem Seeding stehen folgende Endpoints zur Verfügung:
```
GET /api/compliance/modules
Liste aller Service-Module
GET /api/compliance/modules/{module_id}
Details zu einem Service
GET /api/compliance/modules/{module_id}/regulations
Anwendbare Regulierungen für einen Service
GET /api/compliance/modules/{module_id}/compliance-score
Compliance-Score für einen Service
```
## Erweiterung
Um einen neuen Service hinzuzufügen:
1. Service zu `BREAKPILOT_SERVICES` in `service_modules.py` hinzufügen
2. Validierung ausführen: `python -m compliance.scripts.validate_service_modules`
3. Seeding ausführen: `python -m compliance.scripts.seed_service_modules`
Oder über die API (wenn aktiviert):
```bash
POST /api/compliance/modules
{
"name": "new-service",
"display_name": "New Service",
...
}
```
## Aktueller Stand (Sprint 3)
- ✅ 30+ Services dokumentiert
- ✅ Alle docker-compose.yml Services erfasst
- ✅ Regulation Mappings definiert
- ✅ Seeder implementiert
- ✅ Validierung verfügbar
- 🔄 Compliance-Score Berechnung (geplant)
- 🔄 Gap-Analyse pro Service (geplant)

22
backend/compliance/data/__init__.py Normal file
View File

@@ -0,0 +1,22 @@
"""
Seed data for Compliance module.
Contains initial data for:
- 16 EU Regulations + 3 BSI-TR documents
- ~45 Controls across 9 domains
- Key requirements from GDPR, AI Act, CRA
- ISO 27001:2022 Annex A (93 Controls)
"""
from .regulations import REGULATIONS_SEED
from .controls import CONTROLS_SEED
from .requirements import REQUIREMENTS_SEED
from .iso27001_annex_a import ISO27001_ANNEX_A_CONTROLS, ANNEX_A_SUMMARY
__all__ = [
"REGULATIONS_SEED",
"CONTROLS_SEED",
"REQUIREMENTS_SEED",
"ISO27001_ANNEX_A_CONTROLS",
"ANNEX_A_SUMMARY",
]

624
backend/compliance/data/controls.py Normal file
View File

@@ -0,0 +1,624 @@
"""
Seed data for Controls.
~45 Controls across 9 domains:
- GOV: Governance & Organisation
- PRIV: Datenschutz & Privacy
- IAM: Identity & Access Management
- CRYPTO: Kryptografie
- SDLC: Secure Development Lifecycle
- OPS: Betrieb & Monitoring
- AI: KI-spezifisch
- CRA: CRA & Supply Chain
- AUD: Audit & Nachvollziehbarkeit
"""
CONTROLS_SEED = [
# =========================================================================
# GOV - Governance & Organisation
# =========================================================================
{
"control_id": "GOV-001",
"domain": "gov",
"control_type": "preventive",
"title": "ISMS Policy",
"description": "Dokumentierte Informationssicherheits-Management-System Policy mit jährlicher Überprüfung.",
"pass_criteria": "ISMS Policy vorhanden, aktuell (nicht älter als 12 Monate), von Management genehmigt.",
"implementation_guidance": "Policy erstellen nach ISO 27001 Struktur, Scope definieren, Management-Commitment dokumentieren.",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 365,
},
{
"control_id": "GOV-002",
"domain": "gov",
"control_type": "preventive",
"title": "Rollen & Verantwortlichkeiten",
"description": "RACI-Matrix für alle sicherheitsrelevanten Prozesse dokumentiert.",
"pass_criteria": "RACI-Matrix vorhanden und aktuell, alle kritischen Rollen besetzt.",
"implementation_guidance": "RACI-Matrix erstellen für: Incident Response, Vulnerability Management, Access Management, Change Management.",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 180,
},
{
"control_id": "GOV-003",
"domain": "gov",
"control_type": "preventive",
"title": "Security Awareness Training",
"description": "Alle Mitarbeiter absolvieren jährlich Security Awareness Training.",
"pass_criteria": "100% Completion Rate für alle aktiven Mitarbeiter, Nachweis nicht älter als 12 Monate.",
"implementation_guidance": "Training-Plattform einrichten (z.B. KnowBe4), Pflichttraining für Onboarding, jährliche Auffrischung.",
"is_automated": False,
"owner": "HR / Security Team",
"review_frequency_days": 365,
},
{
"control_id": "GOV-004",
"domain": "gov",
"control_type": "preventive",
"title": "Change Management",
"description": "Alle Code-Änderungen erfolgen über Pull Requests mit Review.",
"pass_criteria": "100% der Merges in main/master via PR, mindestens 1 Reviewer pro PR.",
"implementation_guidance": "Branch Protection Rules in GitHub aktivieren, CODEOWNERS definieren.",
"code_reference": ".github/CODEOWNERS",
"is_automated": True,
"automation_tool": "GitHub Branch Protection",
"owner": "Engineering Lead",
"review_frequency_days": 30,
},
{
"control_id": "GOV-005",
"domain": "gov",
"control_type": "corrective",
"title": "Incident Response Plan",
"description": "Dokumentierter Incident Response Plan mit Eskalationspfaden und Kontakten.",
"pass_criteria": "IRP vorhanden, getestet innerhalb der letzten 12 Monate, Kontaktdaten aktuell.",
"implementation_guidance": "IRP nach NIST SP 800-61 erstellen, Tabletop-Übungen durchführen.",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 365,
},
# =========================================================================
# PRIV - Datenschutz & Privacy
# =========================================================================
{
"control_id": "PRIV-001",
"domain": "priv",
"control_type": "preventive",
"title": "Verarbeitungsverzeichnis (Art. 30)",
"description": "Aktuelles Verzeichnis aller Verarbeitungstätigkeiten gemäß Art. 30 DSGVO.",
"pass_criteria": "VVT vorhanden, vollständig (alle Kategorien), nicht älter als 6 Monate aktualisiert.",
"implementation_guidance": "VVT mit allen erforderlichen Feldern: Zweck, Kategorien, Empfänger, Fristen, TOMs.",
"is_automated": False,
"owner": "Datenschutzbeauftragter",
"review_frequency_days": 180,
},
{
"control_id": "PRIV-002",
"domain": "priv",
"control_type": "preventive",
"title": "DPIA durchgeführt (Art. 35)",
"description": "Datenschutz-Folgenabschätzung für Hochrisiko-Verarbeitungen durchgeführt.",
"pass_criteria": "DPIA für alle identifizierten Hochrisiko-Verarbeitungen vorhanden und dokumentiert.",
"implementation_guidance": "DPIA nach Art. 35 Abs. 7 DSGVO: Beschreibung, Notwendigkeit, Risikobewertung, Maßnahmen.",
"is_automated": False,
"owner": "Datenschutzbeauftragter",
"review_frequency_days": 365,
},
{
"control_id": "PRIV-003",
"domain": "priv",
"control_type": "preventive",
"title": "Privacy by Design (Art. 25)",
"description": "Datenschutz durch Technikgestaltung und datenschutzfreundliche Voreinstellungen.",
"pass_criteria": "PbD-Checkliste für alle neuen Features, Datensparsamkeit als Default.",
"implementation_guidance": "PbD-Review in Feature-Development-Prozess integrieren, Minimaldatenerhebung als Standard.",
"is_automated": False,
"owner": "Engineering Lead / DPO",
"review_frequency_days": 90,
},
{
"control_id": "PRIV-004",
"domain": "priv",
"control_type": "corrective",
"title": "Betroffenenrechte (Art. 15-22)",
"description": "Prozess für Betroffenenrechte (Auskunft, Löschung, Portabilität) implementiert.",
"pass_criteria": "DSR-Prozess dokumentiert, SLA < 30 Tage, Export-Funktion vorhanden.",
"implementation_guidance": "Self-Service-Portal für DSR, automatisierte Löschfunktion, Export im maschinenlesbaren Format.",
"code_reference": "backend/gdpr_api.py",
"is_automated": True,
"automation_tool": "Breakpilot GDPR Export",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "PRIV-005",
"domain": "priv",
"control_type": "preventive",
"title": "AVV mit Auftragsverarbeitern",
"description": "Auftragsverarbeitungsverträge mit allen Sub-Processors abgeschlossen.",
"pass_criteria": "AVV für alle Auftragsverarbeiter vorhanden, Art. 28 Abs. 3 konform.",
"implementation_guidance": "Liste aller Sub-Processors, AVV-Vorlagen nach Art. 28, jährliche Überprüfung.",
"is_automated": False,
"owner": "Legal / DPO",
"review_frequency_days": 365,
},
{
"control_id": "PRIV-006",
"domain": "priv",
"control_type": "preventive",
"title": "TOMs dokumentiert (Art. 32)",
"description": "Technische und organisatorische Maßnahmen gemäß Art. 32 DSGVO dokumentiert.",
"pass_criteria": "TOM-Dokument vorhanden, alle Kategorien abgedeckt, aktuell.",
"implementation_guidance": "TOMs nach Art. 32: Pseudonymisierung, Verschlüsselung, Wiederherstellung, regelmäßige Tests.",
"is_automated": False,
"owner": "Security Team / DPO",
"review_frequency_days": 180,
},
{
"control_id": "PRIV-007",
"domain": "priv",
"control_type": "preventive",
"title": "PII-Logging verhindert",
"description": "Personenbezogene Daten werden nicht in Logs geschrieben (PII Redaction).",
"pass_criteria": "PII-Redactor aktiv, keine PII in Logs (stichprobenartige Prüfung).",
"implementation_guidance": "PII-Redactor Middleware implementieren, regex-basierte Filterung für E-Mail, Namen, etc.",
"code_reference": "backend/middleware/pii_redactor.py",
"is_automated": True,
"automation_tool": "PII Redactor Middleware",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
# =========================================================================
# IAM - Identity & Access Management
# =========================================================================
{
"control_id": "IAM-001",
"domain": "iam",
"control_type": "preventive",
"title": "RBAC implementiert",
"description": "Role-Based Access Control mit dokumentierten Rollen und Berechtigungen.",
"pass_criteria": "RBAC-Modell dokumentiert, Rollen im Code enforced, keine Hardcoded-Berechtigungen.",
"implementation_guidance": "Rollen definieren (user, admin, dpo), Middleware für Berechtigungsprüfung.",
"code_reference": "consent-service/internal/middleware/auth.go",
"is_automated": True,
"automation_tool": "JWT Role Claims",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "IAM-002",
"domain": "iam",
"control_type": "preventive",
"title": "MFA für Admin-Accounts",
"description": "Multi-Faktor-Authentifizierung für alle Admin-Zugänge aktiviert.",
"pass_criteria": "100% MFA-Abdeckung für Admin-Accounts, Enforcement-Policy aktiv.",
"implementation_guidance": "MFA über Identity Provider (Auth0, Keycloak) oder TOTP-Integration.",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 90,
},
{
"control_id": "IAM-003",
"domain": "iam",
"control_type": "preventive",
"title": "Mandantentrennung",
"description": "Strikte Tenant-Isolation zwischen verschiedenen Kunden/Schulen.",
"pass_criteria": "Tenant-ID in allen Queries, keine Cross-Tenant-Datenzugriffe möglich.",
"implementation_guidance": "Tenant-ID als Pflichtfeld, Row-Level-Security in Queries, Penetration-Test.",
"code_reference": "consent-service/internal/handlers/handlers.go",
"is_automated": True,
"automation_tool": "Database Query Filter",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "IAM-004",
"domain": "iam",
"control_type": "preventive",
"title": "Session Management",
"description": "Sichere Session-Verwaltung mit Token-Expiry und Rotation.",
"pass_criteria": "Token-Expiry < 24h, Refresh-Token-Rotation, Logout invalidiert Token.",
"implementation_guidance": "JWT mit kurzer Expiry, Refresh-Token-Flow, Token-Blacklisting bei Logout.",
"code_reference": "consent-service/internal/services/auth_service.go",
"is_automated": True,
"automation_tool": "JWT Token Management",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "IAM-005",
"domain": "iam",
"control_type": "detective",
"title": "Least Privilege",
"description": "Regelmäßige Access Reviews zur Sicherstellung minimaler Berechtigungen.",
"pass_criteria": "Vierteljährliche Access Reviews durchgeführt, überflüssige Rechte entfernt.",
"implementation_guidance": "Access Review Prozess etablieren, automatisierte Reports über Berechtigungen.",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 90,
},
# =========================================================================
# CRYPTO - Kryptografie
# =========================================================================
{
"control_id": "CRYPTO-001",
"domain": "crypto",
"control_type": "preventive",
"title": "Encryption at Rest",
"description": "Sensible Daten sind im Ruhezustand verschlüsselt (AES-256).",
"pass_criteria": "Datenbank-Verschlüsselung aktiv, Backup-Verschlüsselung aktiv.",
"implementation_guidance": "PostgreSQL mit TDE oder pgcrypto, verschlüsselte Backups.",
"is_automated": True,
"automation_tool": "PostgreSQL Encryption",
"owner": "Infrastructure Team",
"review_frequency_days": 180,
},
{
"control_id": "CRYPTO-002",
"domain": "crypto",
"control_type": "preventive",
"title": "Encryption in Transit",
"description": "Alle Datenübertragungen sind TLS 1.3 verschlüsselt.",
"pass_criteria": "TLS 1.3 enforced, HSTS aktiv, keine unsicheren Cipher Suites.",
"implementation_guidance": "Nginx/Traefik mit TLS 1.3 Mindestversion, HSTS Header, SSL Labs A+ Rating.",
"is_automated": True,
"automation_tool": "SSL Labs / testssl.sh",
"owner": "Infrastructure Team",
"review_frequency_days": 90,
},
{
"control_id": "CRYPTO-003",
"domain": "crypto",
"control_type": "preventive",
"title": "Key Management",
"description": "Kryptografische Schlüssel sicher in Vault gespeichert mit Rotation.",
"pass_criteria": "Keys in Vault, automatische Rotation, keine Hardcoded Secrets.",
"implementation_guidance": "HashiCorp Vault oder AWS KMS, Key-Rotation alle 90 Tage.",
"code_reference": "vault/",
"is_automated": True,
"automation_tool": "HashiCorp Vault",
"owner": "Infrastructure Team",
"review_frequency_days": 90,
},
{
"control_id": "CRYPTO-004",
"domain": "crypto",
"control_type": "preventive",
"title": "Password Hashing",
"description": "Passwörter werden mit bcrypt oder Argon2 gehasht.",
"pass_criteria": "bcrypt/Argon2 verwendet, Cost Factor angemessen, keine MD5/SHA1.",
"implementation_guidance": "bcrypt mit Cost >= 10, keine eigenentwickelten Hash-Funktionen.",
"code_reference": "consent-service/internal/services/auth_service.go",
"is_automated": True,
"automation_tool": "Semgrep Rule",
"owner": "Engineering Team",
"review_frequency_days": 180,
},
# =========================================================================
# SDLC - Secure Development Lifecycle
# =========================================================================
{
"control_id": "SDLC-001",
"domain": "sdlc",
"control_type": "detective",
"title": "SAST Scanning",
"description": "Static Application Security Testing in CI Pipeline integriert.",
"pass_criteria": "Semgrep in CI, 0 High/Critical Findings, Blocking bei neuen Findings.",
"implementation_guidance": "Semgrep mit OWASP Top 10 Rules, GitHub Actions Integration.",
"code_reference": ".github/workflows/security.yml",
"is_automated": True,
"automation_tool": "Semgrep",
"owner": "Engineering Team",
"review_frequency_days": 7,
},
{
"control_id": "SDLC-002",
"domain": "sdlc",
"control_type": "detective",
"title": "Dependency Scanning",
"description": "Automatische Überprüfung auf bekannte Schwachstellen in Dependencies.",
"pass_criteria": "Trivy/Grype in CI, keine kritischen CVEs in Produktion.",
"implementation_guidance": "Trivy für Container + Dependencies, Dependabot für automatische Updates.",
"code_reference": ".github/workflows/security.yml",
"is_automated": True,
"automation_tool": "Trivy / Dependabot",
"owner": "Engineering Team",
"review_frequency_days": 7,
},
{
"control_id": "SDLC-003",
"domain": "sdlc",
"control_type": "detective",
"title": "Secret Detection",
"description": "Automatische Erkennung von Secrets in Code und Commits.",
"pass_criteria": "Gitleaks in CI, Pre-Commit-Hook aktiv, 0 Findings.",
"implementation_guidance": "Gitleaks als Pre-Commit-Hook und in CI, Custom-Rules für eigene Secrets.",
"code_reference": ".github/workflows/security.yml",
"is_automated": True,
"automation_tool": "Gitleaks",
"owner": "Engineering Team",
"review_frequency_days": 7,
},
{
"control_id": "SDLC-004",
"domain": "sdlc",
"control_type": "preventive",
"title": "Code Review",
"description": "Alle Code-Änderungen werden von mindestens einem anderen Entwickler reviewed.",
"pass_criteria": "100% PR-Coverage, mindestens 1 Approval pro PR.",
"implementation_guidance": "GitHub Branch Protection, CODEOWNERS für kritische Pfade.",
"is_automated": True,
"automation_tool": "GitHub Branch Protection",
"owner": "Engineering Lead",
"review_frequency_days": 30,
},
{
"control_id": "SDLC-005",
"domain": "sdlc",
"control_type": "preventive",
"title": "SBOM Generation",
"description": "Software Bill of Materials wird automatisch generiert.",
"pass_criteria": "CycloneDX SBOM vorhanden, bei jedem Release aktualisiert.",
"implementation_guidance": "cyclonedx-cli in Release-Pipeline, SBOM in GitHub Releases.",
"is_automated": True,
"automation_tool": "CycloneDX",
"owner": "Engineering Team",
"review_frequency_days": 30,
},
{
"control_id": "SDLC-006",
"domain": "sdlc",
"control_type": "detective",
"title": "Container Scanning",
"description": "Docker Images werden auf Schwachstellen gescannt.",
"pass_criteria": "Trivy Image Scan in CI, keine Critical/High in Base Images.",
"implementation_guidance": "Trivy Image Scan vor Push zu Registry, Slim Base Images verwenden.",
"code_reference": ".github/workflows/security.yml",
"is_automated": True,
"automation_tool": "Trivy Image Scan",
"owner": "Engineering Team",
"review_frequency_days": 7,
},
# =========================================================================
# OPS - Betrieb & Monitoring
# =========================================================================
{
"control_id": "OPS-001",
"domain": "ops",
"control_type": "detective",
"title": "Audit Logging",
"description": "Alle sicherheitsrelevanten Events werden geloggt.",
"pass_criteria": "Login/Logout, Consent-Änderungen, Admin-Aktionen geloggt, Retention >= 1 Jahr.",
"implementation_guidance": "Structured Logging mit Request-ID, zentrale Log-Aggregation.",
"code_reference": "backend/audit_log.py",
"is_automated": True,
"automation_tool": "Structured Logging",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "OPS-002",
"domain": "ops",
"control_type": "corrective",
"title": "Backup & Recovery",
"description": "Tägliche Backups mit getesteter Wiederherstellung.",
"pass_criteria": "Tägliche Backups, RTO < 4h, RPO < 24h, Recovery-Test vierteljährlich.",
"implementation_guidance": "Automatisierte Backups, Offsite-Kopie, dokumentierter Recovery-Prozess.",
"code_reference": "scripts/backup.sh",
"is_automated": True,
"automation_tool": "PostgreSQL pg_dump / Docker Volumes",
"owner": "Infrastructure Team",
"review_frequency_days": 90,
},
{
"control_id": "OPS-003",
"domain": "ops",
"control_type": "detective",
"title": "Incident Response",
"description": "Mean Time to Detect (MTTD) für Security Incidents < 24h.",
"pass_criteria": "Alerting konfiguriert, MTTD < 24h, dokumentierte Incidents.",
"implementation_guidance": "Alert-Regeln für Anomalien, Pager-Rotation, Incident-Runbooks.",
"is_automated": True,
"automation_tool": "Prometheus / Alertmanager",
"owner": "Engineering Team",
"review_frequency_days": 30,
},
{
"control_id": "OPS-004",
"domain": "ops",
"control_type": "corrective",
"title": "Vulnerability Management",
"description": "Definierte Patch-SLAs für Schwachstellen nach Severity.",
"pass_criteria": "Critical < 7 Tage, High < 30 Tage, Medium < 90 Tage.",
"implementation_guidance": "Vulnerability Tracking in Issues, SLA-Monitoring, Patch-Prozess.",
"is_automated": False,
"owner": "Engineering Team",
"review_frequency_days": 30,
},
{
"control_id": "OPS-005",
"domain": "ops",
"control_type": "detective",
"title": "Monitoring & Alerting",
"description": "Uptime Monitoring mit 99.9% Verfügbarkeitsziel.",
"pass_criteria": "Uptime >= 99.9% (monatlich), Alerts bei Ausfällen < 5 Min.",
"implementation_guidance": "Health-Checks, Uptime-Monitoring (Uptime Kuma), Status Page.",
"is_automated": True,
"automation_tool": "Uptime Kuma / Prometheus",
"owner": "Infrastructure Team",
"review_frequency_days": 30,
},
# =========================================================================
# AI - KI-spezifisch (AI Act)
# =========================================================================
{
"control_id": "AI-001",
"domain": "ai",
"control_type": "preventive",
"title": "Training Data Governance",
"description": "Dokumentation aller Trainingsdatenquellen und deren Lizenzierung.",
"pass_criteria": "Datenquellen inventarisiert, Lizenzen dokumentiert, keine unlizenzierte Daten.",
"implementation_guidance": "Data Catalog mit Quellen, Lizenzen, Verarbeitungszwecken.",
"is_automated": False,
"owner": "ML Team",
"review_frequency_days": 180,
},
{
"control_id": "AI-002",
"domain": "ai",
"control_type": "detective",
"title": "Model Logging",
"description": "Alle KI-Inferenzen werden für Nachvollziehbarkeit geloggt.",
"pass_criteria": "Input/Output Logging für KI-Aufrufe, Retention >= 6 Monate.",
"implementation_guidance": "LLM-Gateway mit Request/Response Logging, Token-Tracking.",
"code_reference": "backend/llm_client.py",
"is_automated": True,
"automation_tool": "LLM Gateway Logging",
"owner": "ML Team",
"review_frequency_days": 90,
},
{
"control_id": "AI-003",
"domain": "ai",
"control_type": "preventive",
"title": "Human-in-the-Loop",
"description": "Review-Prozess für KI-generierte Inhalte vor Veröffentlichung.",
"pass_criteria": "HITL-Prozess dokumentiert, keine automatische Veröffentlichung ohne Review.",
"implementation_guidance": "Review-Queue für KI-Outputs, Freigabe-Workflow.",
"is_automated": False,
"owner": "Product Team",
"review_frequency_days": 90,
},
{
"control_id": "AI-004",
"domain": "ai",
"control_type": "detective",
"title": "Bias Monitoring",
"description": "Regelmäßige Überprüfung von KI-Outputs auf Bias.",
"pass_criteria": "Bias-Metriken definiert, vierteljährliche Überprüfung, Findings dokumentiert.",
"implementation_guidance": "Fairness-Metriken (Demographic Parity, Equalized Odds), Bias-Audits.",
"is_automated": False,
"owner": "ML Team",
"review_frequency_days": 90,
},
{
"control_id": "AI-005",
"domain": "ai",
"control_type": "preventive",
"title": "AI Act Risk Classification",
"description": "Risikoklassifizierung der KI-Systeme gemäß EU AI Act dokumentiert.",
"pass_criteria": "Alle KI-Systeme klassifiziert (minimal/limited/high/unacceptable), Dokumentation aktuell.",
"implementation_guidance": "AI Act Risk Assessment Framework, Klassifizierung pro Use Case.",
"is_automated": False,
"owner": "Legal / ML Team",
"review_frequency_days": 365,
},
# =========================================================================
# CRA - CRA & Supply Chain
# =========================================================================
{
"control_id": "CRA-001",
"domain": "cra",
"control_type": "preventive",
"title": "SBOM vorhanden",
"description": "Software Bill of Materials im CycloneDX oder SPDX Format.",
"pass_criteria": "SBOM vorhanden, automatisch generiert, bei Release aktualisiert.",
"implementation_guidance": "CycloneDX in CI, SBOM in GitHub Releases, automatische Updates.",
"is_automated": True,
"automation_tool": "CycloneDX / SPDX",
"owner": "Engineering Team",
"review_frequency_days": 30,
},
{
"control_id": "CRA-002",
"domain": "cra",
"control_type": "corrective",
"title": "Vulnerability Disclosure",
"description": "Öffentliche Vulnerability Disclosure Policy (VDP) vorhanden.",
"pass_criteria": "VDP veröffentlicht, Kontaktdaten aktuell, Prozess dokumentiert.",
"implementation_guidance": "security.txt, SECURITY.md in Repository, Responsible Disclosure Policy.",
"code_reference": "SECURITY.md",
"is_automated": False,
"owner": "Security Team",
"review_frequency_days": 365,
},
{
"control_id": "CRA-003",
"domain": "cra",
"control_type": "corrective",
"title": "Patch-SLA",
"description": "Dokumentierte und eingehaltene Patch-Zeiten für Schwachstellen.",
"pass_criteria": "SLAs definiert und kommuniziert, Einhaltung >= 95%.",
"implementation_guidance": "Patch-SLA: Critical < 7d, High < 30d, Medium < 90d.",
"is_automated": False,
"owner": "Engineering Team",
"review_frequency_days": 30,
},
{
"control_id": "CRA-004",
"domain": "cra",
"control_type": "preventive",
"title": "End-of-Support Policy",
"description": "EOL-Datum für Produktversionen kommuniziert.",
"pass_criteria": "Support-Zeiträume dokumentiert, Kunden informiert, EOL >= 24 Monate vor Ende.",
"implementation_guidance": "Support-Matrix veröffentlichen, EOL-Kommunikation an Kunden.",
"is_automated": False,
"owner": "Product Team",
"review_frequency_days": 365,
},
# =========================================================================
# AUD - Audit & Nachvollziehbarkeit
# =========================================================================
{
"control_id": "AUD-001",
"domain": "aud",
"control_type": "detective",
"title": "Traceability",
"description": "Request-ID durchgängig in allen Logs für Nachverfolgbarkeit.",
"pass_criteria": "Request-ID in allen Service-Logs, korrelierbar über Services.",
"implementation_guidance": "X-Request-ID Header, Propagation über alle Services.",
"code_reference": "backend/middleware/request_id.py",
"is_automated": True,
"automation_tool": "Request ID Middleware",
"owner": "Engineering Team",
"review_frequency_days": 90,
},
{
"control_id": "AUD-002",
"domain": "aud",
"control_type": "corrective",
"title": "Audit Export",
"description": "ZIP-Export-Funktion für externe Prüfer funktional.",
"pass_criteria": "Export-Funktion verfügbar, alle relevanten Daten enthalten, signiert.",
"implementation_guidance": "Export mit Controls, Evidence, Risks als ZIP, SHA-256 Hash.",
"code_reference": "backend/compliance/services/export_generator.py",
"is_automated": True,
"automation_tool": "Compliance Export Service",
"owner": "Engineering Team",
"review_frequency_days": 180,
},
{
"control_id": "AUD-003",
"domain": "aud",
"control_type": "detective",
"title": "Compliance Dashboard",
"description": "Echtzeit-Compliance-Score und Status-Übersicht.",
"pass_criteria": "Dashboard verfügbar, Score automatisch berechnet, Drill-Down möglich.",
"implementation_guidance": "Dashboard mit Score-Berechnung, Regulation-Coverage, Trend-Anzeige.",
"code_reference": "website/app/admin/compliance/page.tsx",
"is_automated": True,
"automation_tool": "Compliance Dashboard",
"owner": "Engineering Team",
"review_frequency_days": 30,
},
]

986
backend/compliance/data/iso27001_annex_a.py Normal file
View File

@@ -0,0 +1,986 @@
"""
ISO 27001:2022 Annex A Controls Seed Data.
Contains all 93 controls from ISO/IEC 27001:2022 Annex A, organized into 4 themes:
- A.5: Organizational controls (37 controls)
- A.6: People controls (8 controls)
- A.7: Physical controls (14 controls)
- A.8: Technological controls (34 controls)
This data is used to populate the Statement of Applicability (SoA),
which is MANDATORY for ISO 27001 certification.
"""
from typing import List, Dict, Any, Optional
# ISO 27001:2022 Annex A Controls
ISO27001_ANNEX_A_CONTROLS: List[Dict[str, Any]] = [
# ==========================================================================
# A.5 ORGANIZATIONAL CONTROLS (37 controls)
# ==========================================================================
{
"control_id": "A.5.1",
"title": "Policies for information security",
"category": "organizational",
"description": "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.",
"iso_chapter": "5.2",
"breakpilot_controls": ["GOV-001", "GOV-002"],
"default_applicable": True,
"implementation_guidance": "Create and maintain an ISMS Master Policy and supporting policies for key topics (access control, cryptography, etc.)."
},
{
"control_id": "A.5.2",
"title": "Information security roles and responsibilities",
"category": "organizational",
"description": "Information security roles and responsibilities shall be defined and allocated according to the organization needs.",
"iso_chapter": "5.3",
"breakpilot_controls": ["GOV-003"],
"default_applicable": True,
"implementation_guidance": "Define RACI matrix for security responsibilities, appoint Information Security Officer."
},
{
"control_id": "A.5.3",
"title": "Segregation of duties",
"category": "organizational",
"description": "Conflicting duties and conflicting areas of responsibility shall be segregated.",
"iso_chapter": "5.3",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "Implement role-based access control, separate development/test/production environments."
},
{
"control_id": "A.5.4",
"title": "Management responsibilities",
"category": "organizational",
"description": "Management shall require all personnel to apply information security in accordance with the established information security policy and topic-specific policies and procedures of the organization.",
"iso_chapter": "5.1",
"breakpilot_controls": ["GOV-001"],
"default_applicable": True,
"implementation_guidance": "Management commitment documented in ISMS policy, security training mandatory."
},
{
"control_id": "A.5.5",
"title": "Contact with authorities",
"category": "organizational",
"description": "The organization shall establish and maintain contact with relevant authorities.",
"iso_chapter": "4.2",
"breakpilot_controls": ["GOV-004"],
"default_applicable": True,
"implementation_guidance": "Maintain contact list for BSI, Datenschutzbehörde, CERT-Bund, law enforcement."
},
{
"control_id": "A.5.6",
"title": "Contact with special interest groups",
"category": "organizational",
"description": "The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.",
"iso_chapter": "4.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Participate in ISACA, ISC2, industry security forums, BSI security advisories."
},
{
"control_id": "A.5.7",
"title": "Threat intelligence",
"category": "organizational",
"description": "Information relating to information security threats shall be collected and analysed to produce threat intelligence.",
"iso_chapter": "6.1",
"breakpilot_controls": ["OPS-006"],
"default_applicable": True,
"implementation_guidance": "Subscribe to threat feeds (BSI, MITRE ATT&CK), integrate with SIEM."
},
{
"control_id": "A.5.8",
"title": "Information security in project management",
"category": "organizational",
"description": "Information security shall be integrated into project management.",
"iso_chapter": "6.1",
"breakpilot_controls": ["SDLC-001"],
"default_applicable": True,
"implementation_guidance": "Security requirements in all project charters, security review gates."
},
{
"control_id": "A.5.9",
"title": "Inventory of information and other associated assets",
"category": "organizational",
"description": "An inventory of information and other associated assets, including owners, shall be developed and maintained.",
"iso_chapter": "7.5",
"breakpilot_controls": ["GOV-005"],
"default_applicable": True,
"implementation_guidance": "Maintain asset register with classification, owner, location for all IT assets."
},
{
"control_id": "A.5.10",
"title": "Acceptable use of information and other associated assets",
"category": "organizational",
"description": "Rules for the acceptable use of information and other associated assets shall be identified, documented and implemented.",
"iso_chapter": "5.2",
"breakpilot_controls": ["GOV-002"],
"default_applicable": True,
"implementation_guidance": "Create Acceptable Use Policy, communicate to all employees."
},
{
"control_id": "A.5.11",
"title": "Return of assets",
"category": "organizational",
"description": "Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.",
"iso_chapter": "7.3",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Offboarding checklist includes asset return, access revocation within 24h."
},
{
"control_id": "A.5.12",
"title": "Classification of information",
"category": "organizational",
"description": "Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Define classification levels: Public, Internal, Confidential, Strictly Confidential."
},
{
"control_id": "A.5.13",
"title": "Labelling of information",
"category": "organizational",
"description": "An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Document headers/footers with classification, email subject prefixes."
},
{
"control_id": "A.5.14",
"title": "Information transfer",
"category": "organizational",
"description": "Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-002"],
"default_applicable": True,
"implementation_guidance": "Encrypted file transfer, secure email, NDA for external transfers."
},
{
"control_id": "A.5.15",
"title": "Access control",
"category": "organizational",
"description": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-002"],
"default_applicable": True,
"implementation_guidance": "Access Control Policy, least privilege principle, need-to-know basis."
},
{
"control_id": "A.5.16",
"title": "Identity management",
"category": "organizational",
"description": "The full life cycle of identities shall be managed.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001"],
"default_applicable": True,
"implementation_guidance": "Unique user IDs, no shared accounts, regular access reviews."
},
{
"control_id": "A.5.17",
"title": "Authentication information",
"category": "organizational",
"description": "Allocation and management of authentication information shall be controlled by a management process including advising personnel on appropriate handling of authentication information.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-002", "IAM-004"],
"default_applicable": True,
"implementation_guidance": "Password policy, MFA enrollment process, credential management."
},
{
"control_id": "A.5.18",
"title": "Access rights",
"category": "organizational",
"description": "Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-003"],
"default_applicable": True,
"implementation_guidance": "Access request workflow, quarterly access reviews, privileged access management."
},
{
"control_id": "A.5.19",
"title": "Information security in supplier relationships",
"category": "organizational",
"description": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-005"],
"default_applicable": True,
"implementation_guidance": "Supplier security assessment, DPA for data processors, vendor risk management."
},
{
"control_id": "A.5.20",
"title": "Addressing information security within supplier agreements",
"category": "organizational",
"description": "Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-005"],
"default_applicable": True,
"implementation_guidance": "Security clauses in contracts, audit rights, incident notification requirements."
},
{
"control_id": "A.5.21",
"title": "Managing information security in the ICT supply chain",
"category": "organizational",
"description": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.",
"iso_chapter": "8.1",
"breakpilot_controls": ["CRA-001", "SDLC-005"],
"default_applicable": True,
"implementation_guidance": "SBOM management, dependency scanning, supply chain security assessment."
},
{
"control_id": "A.5.22",
"title": "Monitoring, review and change management of supplier services",
"category": "organizational",
"description": "The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Annual supplier security reviews, SLA monitoring, change notification process."
},
{
"control_id": "A.5.23",
"title": "Information security for use of cloud services",
"category": "organizational",
"description": "Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Cloud security policy, CSP due diligence, data residency requirements."
},
{
"control_id": "A.5.24",
"title": "Information security incident management planning and preparation",
"category": "organizational",
"description": "The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Incident Response Plan, IR team roles, communication templates."
},
{
"control_id": "A.5.25",
"title": "Assessment and decision on information security events",
"category": "organizational",
"description": "The organization shall assess information security events and decide if they are to be categorized as information security incidents.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Event triage procedure, severity classification matrix, escalation criteria."
},
{
"control_id": "A.5.26",
"title": "Response to information security incidents",
"category": "organizational",
"description": "Information security incidents shall be responded to in accordance with the documented procedures.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Playbooks for common incidents, containment procedures, communication plan."
},
{
"control_id": "A.5.27",
"title": "Learning from information security incidents",
"category": "organizational",
"description": "Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Post-incident reviews, lessons learned documentation, control improvements."
},
{
"control_id": "A.5.28",
"title": "Collection of evidence",
"category": "organizational",
"description": "The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Chain of custody procedures, forensic imaging, log preservation."
},
{
"control_id": "A.5.29",
"title": "Information security during disruption",
"category": "organizational",
"description": "The organization shall plan how to maintain information security at an appropriate level during disruption.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "BCP/DRP with security considerations, alternate processing sites."
},
{
"control_id": "A.5.30",
"title": "ICT readiness for business continuity",
"category": "organizational",
"description": "ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "ICT continuity plan, RTO/RPO definitions, DR testing."
},
{
"control_id": "A.5.31",
"title": "Legal, statutory, regulatory and contractual requirements",
"category": "organizational",
"description": "Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.",
"iso_chapter": "4.2",
"breakpilot_controls": ["GOV-004"],
"default_applicable": True,
"implementation_guidance": "Compliance register (GDPR, AI Act, CRA, NIS2), legal requirements tracking."
},
{
"control_id": "A.5.32",
"title": "Intellectual property rights",
"category": "organizational",
"description": "The organization shall implement appropriate procedures to protect intellectual property rights.",
"iso_chapter": "4.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "License management, software inventory, OSS compliance."
},
{
"control_id": "A.5.33",
"title": "Protection of records",
"category": "organizational",
"description": "Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release in accordance with legal, statutory, regulatory and contractual requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-001"],
"default_applicable": True,
"implementation_guidance": "Records retention policy, secure storage, access controls, audit trails."
},
{
"control_id": "A.5.34",
"title": "Privacy and protection of PII",
"category": "organizational",
"description": "The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.",
"iso_chapter": "4.2",
"breakpilot_controls": ["PRIV-001", "PRIV-003", "PRIV-006", "PRIV-007"],
"default_applicable": True,
"implementation_guidance": "GDPR compliance, privacy by design, DPIA, consent management."
},
{
"control_id": "A.5.35",
"title": "Independent review of information security",
"category": "organizational",
"description": "The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Annual internal audit, external penetration testing, ISO 27001 certification audit."
},
{
"control_id": "A.5.36",
"title": "Compliance with policies, rules and standards for information security",
"category": "organizational",
"description": "Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Policy compliance monitoring, automated configuration checks, exception management."
},
{
"control_id": "A.5.37",
"title": "Documented operating procedures",
"category": "organizational",
"description": "Operating procedures for information processing facilities shall be documented and made available to personnel who need them.",
"iso_chapter": "7.5",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Runbooks, SOPs, operational documentation in wiki/Confluence."
},
# ==========================================================================
# A.6 PEOPLE CONTROLS (8 controls)
# ==========================================================================
{
"control_id": "A.6.1",
"title": "Screening",
"category": "people",
"description": "Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Background checks for employees with access to sensitive data/systems."
},
{
"control_id": "A.6.2",
"title": "Terms and conditions of employment",
"category": "people",
"description": "The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Security clauses in employment contracts, NDA, acceptable use acknowledgment."
},
{
"control_id": "A.6.3",
"title": "Information security awareness, education and training",
"category": "people",
"description": "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.",
"iso_chapter": "7.2",
"breakpilot_controls": ["GOV-006"],
"default_applicable": True,
"implementation_guidance": "Annual security training, phishing simulations, role-specific training."
},
{
"control_id": "A.6.4",
"title": "Disciplinary process",
"category": "people",
"description": "A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Security policy violation consequences documented, HR process defined."
},
{
"control_id": "A.6.5",
"title": "Responsibilities after termination or change of employment",
"category": "people",
"description": "Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.",
"iso_chapter": "7.3",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Exit interview, NDA reminder, continued confidentiality obligations."
},
{
"control_id": "A.6.6",
"title": "Confidentiality or non-disclosure agreements",
"category": "people",
"description": "Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.",
"iso_chapter": "7.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "NDA for all employees and contractors, annual review."
},
{
"control_id": "A.6.7",
"title": "Remote working",
"category": "people",
"description": "Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-005"],
"default_applicable": True,
"implementation_guidance": "VPN, endpoint protection, secure home office guidelines."
},
{
"control_id": "A.6.8",
"title": "Information security event reporting",
"category": "people",
"description": "The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.",
"iso_chapter": "10.2",
"breakpilot_controls": ["OPS-003"],
"default_applicable": True,
"implementation_guidance": "Security incident reporting portal, hotline, no-blame culture."
},
# ==========================================================================
# A.7 PHYSICAL CONTROLS (14 controls)
# ==========================================================================
{
"control_id": "A.7.1",
"title": "Physical security perimeters",
"category": "physical",
"description": "Security perimeters shall be defined and used to protect areas that contain information and other associated assets.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Define secure areas (server rooms, offices), physical barriers."
},
{
"control_id": "A.7.2",
"title": "Physical entry",
"category": "physical",
"description": "Secure areas shall be protected by appropriate entry controls and access points.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Access cards, visitor management, entry logs."
},
{
"control_id": "A.7.3",
"title": "Securing offices, rooms and facilities",
"category": "physical",
"description": "Physical security for offices, rooms and facilities shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure server rooms, locked cabinets, clean desk policy."
},
{
"control_id": "A.7.4",
"title": "Physical security monitoring",
"category": "physical",
"description": "Premises shall be continuously monitored for unauthorized physical access.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "CCTV, intrusion detection, security guards for sensitive areas."
},
{
"control_id": "A.7.5",
"title": "Protecting against physical and environmental threats",
"category": "physical",
"description": "Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Fire suppression, UPS, climate control, flood protection."
},
{
"control_id": "A.7.6",
"title": "Working in secure areas",
"category": "physical",
"description": "Security measures for working in secure areas shall be designed and implemented.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Access restrictions, supervision requirements, no photography policy."
},
{
"control_id": "A.7.7",
"title": "Clear desk and clear screen",
"category": "physical",
"description": "Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Clear desk policy, screen lock after inactivity, secure document disposal."
},
{
"control_id": "A.7.8",
"title": "Equipment siting and protection",
"category": "physical",
"description": "Equipment shall be sited securely and protected.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure server room location, rack security, cable management."
},
{
"control_id": "A.7.9",
"title": "Security of assets off-premises",
"category": "physical",
"description": "Off-site assets shall be protected.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Laptop encryption, mobile device policy, asset tracking."
},
{
"control_id": "A.7.10",
"title": "Storage media",
"category": "physical",
"description": "Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-003"],
"default_applicable": True,
"implementation_guidance": "Media inventory, secure transport, cryptographic erasure."
},
{
"control_id": "A.7.11",
"title": "Supporting utilities",
"category": "physical",
"description": "Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "UPS, redundant power, generator backup for critical systems."
},
{
"control_id": "A.7.12",
"title": "Cabling security",
"category": "physical",
"description": "Cables carrying power and data or supporting information services shall be protected from interception, interference or damage.",
"iso_chapter": "7.5",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Secure cable routing, conduits, labeled and documented cabling."
},
{
"control_id": "A.7.13",
"title": "Equipment maintenance",
"category": "physical",
"description": "Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Maintenance schedules, authorized service personnel, maintenance logs."
},
{
"control_id": "A.7.14",
"title": "Secure disposal or re-use of equipment",
"category": "physical",
"description": "Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.",
"iso_chapter": "7.5",
"breakpilot_controls": ["CRYPTO-003"],
"default_applicable": True,
"implementation_guidance": "Secure data destruction, certificates of destruction, verified erasure."
},
# ==========================================================================
# A.8 TECHNOLOGICAL CONTROLS (34 controls)
# ==========================================================================
{
"control_id": "A.8.1",
"title": "User endpoint devices",
"category": "technological",
"description": "Information stored on, processed by or accessible via user endpoint devices shall be protected.",
"iso_chapter": "8.1",
"breakpilot_controls": ["IAM-005"],
"default_applicable": True,
"implementation_guidance": "MDM, endpoint protection, device encryption, remote wipe capability."
},
{
"control_id": "A.8.2",
"title": "Privileged access rights",
"category": "technological",
"description": "The allocation and use of privileged access rights shall be restricted and managed.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "PAM solution, just-in-time access, admin account monitoring."
},
{
"control_id": "A.8.3",
"title": "Information access restriction",
"category": "technological",
"description": "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-001", "IAM-002"],
"default_applicable": True,
"implementation_guidance": "RBAC implementation, need-to-know enforcement, data classification."
},
{
"control_id": "A.8.4",
"title": "Access to source code",
"category": "technological",
"description": "Read and write access to source code, development tools and software libraries shall be appropriately managed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-004"],
"default_applicable": True,
"implementation_guidance": "Git access controls, branch protection, code review requirements."
},
{
"control_id": "A.8.5",
"title": "Secure authentication",
"category": "technological",
"description": "Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.",
"iso_chapter": "7.5",
"breakpilot_controls": ["IAM-002", "IAM-004"],
"default_applicable": True,
"implementation_guidance": "MFA, SSO, OAuth 2.0/OIDC, password hashing (Argon2)."
},
{
"control_id": "A.8.6",
"title": "Capacity management",
"category": "technological",
"description": "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Resource monitoring, capacity planning, auto-scaling policies."
},
{
"control_id": "A.8.7",
"title": "Protection against malware",
"category": "technological",
"description": "Protection against malware shall be implemented and supported by appropriate user awareness.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-002"],
"default_applicable": True,
"implementation_guidance": "Antivirus/EDR, email filtering, sandboxing, user awareness training."
},
{
"control_id": "A.8.8",
"title": "Management of technical vulnerabilities",
"category": "technological",
"description": "Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-003", "OPS-005"],
"default_applicable": True,
"implementation_guidance": "Vulnerability scanning, patch management, CVE monitoring."
},
{
"control_id": "A.8.9",
"title": "Configuration management",
"category": "technological",
"description": "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "IaC, configuration baselines, drift detection, hardening guides."
},
{
"control_id": "A.8.10",
"title": "Information deletion",
"category": "technological",
"description": "Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-006"],
"default_applicable": True,
"implementation_guidance": "Data retention policies, automated deletion, right to erasure compliance."
},
{
"control_id": "A.8.11",
"title": "Data masking",
"category": "technological",
"description": "Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.",
"iso_chapter": "7.5",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "PII masking in logs, test data anonymization, dynamic data masking."
},
{
"control_id": "A.8.12",
"title": "Data leakage prevention",
"category": "technological",
"description": "Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "DLP tools, email scanning, USB restrictions, cloud access security."
},
{
"control_id": "A.8.13",
"title": "Information backup",
"category": "technological",
"description": "Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "3-2-1 backup strategy, encrypted backups, regular restore testing."
},
{
"control_id": "A.8.14",
"title": "Redundancy of information processing facilities",
"category": "technological",
"description": "Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-004"],
"default_applicable": True,
"implementation_guidance": "High availability clusters, multi-region deployment, load balancing."
},
{
"control_id": "A.8.15",
"title": "Logging",
"category": "technological",
"description": "Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.",
"iso_chapter": "9.1",
"breakpilot_controls": ["OPS-002"],
"default_applicable": True,
"implementation_guidance": "Centralized logging, log retention, tamper protection, SIEM integration."
},
{
"control_id": "A.8.16",
"title": "Monitoring activities",
"category": "technological",
"description": "Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.",
"iso_chapter": "9.1",
"breakpilot_controls": ["OPS-002", "OPS-006"],
"default_applicable": True,
"implementation_guidance": "SIEM, IDS/IPS, application monitoring, alerting thresholds."
},
{
"control_id": "A.8.17",
"title": "Clock synchronization",
"category": "technological",
"description": "The clocks of information processing systems used by the organization shall be synchronized to approved time sources.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "NTP configuration, consistent timezone, GPS/atomic clock sources."
},
{
"control_id": "A.8.18",
"title": "Use of privileged utility programs",
"category": "technological",
"description": "The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.",
"iso_chapter": "8.1",
"breakpilot_controls": ["IAM-003"],
"default_applicable": True,
"implementation_guidance": "Restricted admin tools, logging of privileged actions, approval workflow."
},
{
"control_id": "A.8.19",
"title": "Installation of software on operational systems",
"category": "technological",
"description": "Procedures and measures shall be implemented to securely manage software installation on operational systems.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002"],
"default_applicable": True,
"implementation_guidance": "Approved software list, installation controls, change management."
},
{
"control_id": "A.8.20",
"title": "Networks security",
"category": "technological",
"description": "Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Network segmentation, firewall rules, VPN, network monitoring."
},
{
"control_id": "A.8.21",
"title": "Security of network services",
"category": "technological",
"description": "Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "SLA monitoring, network service security assessments, DDoS protection."
},
{
"control_id": "A.8.22",
"title": "Segregation of networks",
"category": "technological",
"description": "Groups of information services, users and information systems shall be segregated in the organization's networks.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "VLANs, network zones, micro-segmentation, DMZ for public services."
},
{
"control_id": "A.8.23",
"title": "Web filtering",
"category": "technological",
"description": "Access to external websites shall be managed to reduce exposure to malicious content.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "URL filtering, category-based blocking, SSL inspection."
},
{
"control_id": "A.8.24",
"title": "Use of cryptography",
"category": "technological",
"description": "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.",
"iso_chapter": "8.1",
"breakpilot_controls": ["CRYPTO-001", "CRYPTO-002", "CRYPTO-004"],
"default_applicable": True,
"implementation_guidance": "Cryptography policy, approved algorithms, key management procedures."
},
{
"control_id": "A.8.25",
"title": "Secure development life cycle",
"category": "technological",
"description": "Rules for the secure development of software and systems shall be established and applied.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "SDLC-002"],
"default_applicable": True,
"implementation_guidance": "SSDLC policy, secure coding guidelines, security requirements."
},
{
"control_id": "A.8.26",
"title": "Application security requirements",
"category": "technological",
"description": "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001"],
"default_applicable": True,
"implementation_guidance": "Security requirements checklist, threat modeling, security acceptance criteria."
},
{
"control_id": "A.8.27",
"title": "Secure system architecture and engineering principles",
"category": "technological",
"description": "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "GOV-001"],
"default_applicable": True,
"implementation_guidance": "Security architecture principles, defense in depth, least privilege."
},
{
"control_id": "A.8.28",
"title": "Secure coding",
"category": "technological",
"description": "Secure coding principles shall be applied to software development.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-001", "SDLC-006"],
"default_applicable": True,
"implementation_guidance": "OWASP guidelines, secure coding training, code review checklists."
},
{
"control_id": "A.8.29",
"title": "Security testing in development and acceptance",
"category": "technological",
"description": "Security testing processes shall be defined and implemented in the development life cycle.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002", "SDLC-003"],
"default_applicable": True,
"implementation_guidance": "SAST, DAST, penetration testing, security acceptance testing."
},
{
"control_id": "A.8.30",
"title": "Outsourced development",
"category": "technological",
"description": "The organization shall direct, monitor and review the activities related to outsourced system development.",
"iso_chapter": "8.1",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Vendor security requirements, code review rights, security testing."
},
{
"control_id": "A.8.31",
"title": "Separation of development, test and production environments",
"category": "technological",
"description": "Development, testing and production environments shall be separated and secured.",
"iso_chapter": "8.1",
"breakpilot_controls": ["SDLC-002"],
"default_applicable": True,
"implementation_guidance": "Separate environments, access controls, data anonymization in test."
},
{
"control_id": "A.8.32",
"title": "Change management",
"category": "technological",
"description": "Changes to information processing facilities and information systems shall be subject to change management procedures.",
"iso_chapter": "8.1",
"breakpilot_controls": ["OPS-001"],
"default_applicable": True,
"implementation_guidance": "Change advisory board, change request workflow, rollback procedures."
},
{
"control_id": "A.8.33",
"title": "Test information",
"category": "technological",
"description": "Test information shall be appropriately selected, protected and managed.",
"iso_chapter": "8.1",
"breakpilot_controls": ["PRIV-007"],
"default_applicable": True,
"implementation_guidance": "Synthetic test data, PII removal, test data management policy."
},
{
"control_id": "A.8.34",
"title": "Protection of information systems during audit testing",
"category": "technological",
"description": "Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.",
"iso_chapter": "9.2",
"breakpilot_controls": [],
"default_applicable": True,
"implementation_guidance": "Audit planning, system access controls during audits, audit trails."
},
]
def get_annex_a_by_category(category: str) -> List[Dict[str, Any]]:
"""Get Annex A controls filtered by category."""
return [c for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == category]
def get_annex_a_control(control_id: str) -> Optional[Dict[str, Any]]:
"""Get a specific Annex A control by ID."""
for control in ISO27001_ANNEX_A_CONTROLS:
if control["control_id"] == control_id:
return control
return None
# Summary statistics
ANNEX_A_SUMMARY = {
"total_controls": len(ISO27001_ANNEX_A_CONTROLS),
"organizational_controls": len([c for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == "organizational"]),
"people_controls": len([c for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == "people"]),
"physical_controls": len([c for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == "physical"]),
"technological_controls": len([c for c in ISO27001_ANNEX_A_CONTROLS if c["category"] == "technological"]),
}

247
backend/compliance/data/regulations.py Normal file
View File

@@ -0,0 +1,247 @@
"""
Seed data for Regulations.
16 EU Regulations + 3 BSI-TR documents covering:
- A. Datenschutz & Datenübermittlung
- B. KI-Regulierung
- C. Cybersecurity & Produktsicherheit
- D. Datenökonomie & Interoperabilität
- E. Plattform-Pflichten
- F. Barrierefreiheit
- G. IP & Urheberrecht
- H. Produkthaftung
- I. BSI-Standards (Deutschland)
"""
from datetime import date
REGULATIONS_SEED = [
# =========================================================================
# A. Datenschutz & Datenübermittlung
# =========================================================================
{
"code": "GDPR",
"name": "DSGVO",
"full_name": "Verordnung (EU) 2016/679 - Datenschutz-Grundverordnung",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng",
"effective_date": date(2018, 5, 25),
"description": "Grundverordnung zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten. Kernstück der EU-Datenschutzgesetzgebung.",
"is_active": True,
},
{
"code": "EPRIVACY",
"name": "ePrivacy-Richtlinie",
"full_name": "Richtlinie 2002/58/EG - Datenschutz in der elektronischen Kommunikation",
"regulation_type": "eu_directive",
"source_url": "https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng",
"effective_date": date(2002, 7, 31),
"description": "Regelt den Datenschutz in der elektronischen Kommunikation, insbesondere Cookies, Tracking und elektronisches Marketing.",
"is_active": True,
},
{
"code": "TDDDG",
"name": "TDDDG",
"full_name": "Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (ehem. TTDSG)",
"regulation_type": "de_law",
"source_url": "https://www.gesetze-im-internet.de/ttdsg/",
"effective_date": date(2021, 12, 1),
"description": "Deutsche Umsetzung der ePrivacy-Richtlinie. Regelt Datenschutz bei Telemedien und Telekommunikation.",
"is_active": True,
},
{
"code": "SCC",
"name": "Standardvertragsklauseln",
"full_name": "Durchführungsbeschluss (EU) 2021/914 - Standardvertragsklauseln für Drittlandtransfers",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj/eng",
"effective_date": date(2021, 6, 27),
"description": "Standardvertragsklauseln für die Übermittlung personenbezogener Daten an Drittländer gemäß DSGVO.",
"is_active": True,
},
{
"code": "DPF",
"name": "EU-US Data Privacy Framework",
"full_name": "Durchführungsbeschluss (EU) 2023/1795 - Angemessenheitsbeschluss EU-US",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj",
"effective_date": date(2023, 7, 10),
"description": "Angemessenheitsbeschluss für Datenübermittlungen in die USA unter dem EU-US Data Privacy Framework.",
"is_active": True,
},
# =========================================================================
# B. KI-Regulierung
# =========================================================================
{
"code": "AIACT",
"name": "EU AI Act",
"full_name": "Verordnung (EU) 2024/1689 - Verordnung zur Festlegung harmonisierter Vorschriften für KI",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng",
"effective_date": date(2024, 8, 1),
"description": "EU-Verordnung zur Regulierung von KI-Systemen. Klassifiziert KI-Systeme nach Risikostufen und definiert Anforderungen für Hochrisiko-KI.",
"is_active": True,
},
# =========================================================================
# C. Cybersecurity & Produktsicherheit
# =========================================================================
{
"code": "CRA",
"name": "Cyber Resilience Act",
"full_name": "Verordnung (EU) 2024/2847 - Horizontale Cybersicherheitsanforderungen für Produkte",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng",
"effective_date": date(2024, 12, 10),
"description": "Cybersicherheitsanforderungen für Produkte mit digitalen Elementen. Verpflichtet zu SBOM, Vulnerability Disclosure und Support-Zeiträumen.",
"is_active": True,
},
{
"code": "NIS2",
"name": "NIS2-Richtlinie",
"full_name": "Richtlinie (EU) 2022/2555 - Maßnahmen für hohes Cybersicherheitsniveau",
"regulation_type": "eu_directive",
"source_url": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng",
"effective_date": date(2024, 10, 17),
"description": "Richtlinie zur Stärkung der Cybersicherheit wesentlicher und wichtiger Einrichtungen in der EU.",
"is_active": True,
},
{
"code": "EUCSA",
"name": "EU Cybersecurity Act",
"full_name": "Verordnung (EU) 2019/881 - ENISA und Cybersicherheitszertifizierung",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng",
"effective_date": date(2019, 6, 27),
"description": "Stärkt ENISA und etabliert einen EU-weiten Rahmen für Cybersicherheitszertifizierung von IKT-Produkten.",
"is_active": True,
},
# =========================================================================
# D. Datenökonomie & Interoperabilität
# =========================================================================
{
"code": "DATAACT",
"name": "Data Act",
"full_name": "Verordnung (EU) 2023/2854 - Harmonisierte Vorschriften für fairen Datenzugang",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng",
"effective_date": date(2025, 9, 12),
"description": "Regelt den fairen Zugang zu und die Nutzung von Daten. Betrifft IoT-Daten, Cloud-Wechsel und B2B-Datenfreigabe.",
"is_active": True,
},
{
"code": "DGA",
"name": "Data Governance Act",
"full_name": "Verordnung (EU) 2022/868 - Europäische Daten-Governance",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2022/868/oj/eng",
"effective_date": date(2023, 9, 24),
"description": "Rahmenwerk für die Weiterverwendung öffentlicher Daten und Datenvermittlungsdienste.",
"is_active": True,
},
# =========================================================================
# E. Plattform-Pflichten
# =========================================================================
{
"code": "DSA",
"name": "Digital Services Act",
"full_name": "Verordnung (EU) 2022/2065 - Binnenmarkt für digitale Dienste",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng",
"effective_date": date(2024, 2, 17),
"description": "Reguliert digitale Dienste und Plattformen. Transparenzpflichten, Content Moderation, Beschwerdemechanismen.",
"is_active": True,
},
# =========================================================================
# F. Barrierefreiheit
# =========================================================================
{
"code": "EAA",
"name": "European Accessibility Act",
"full_name": "Richtlinie (EU) 2019/882 - Barrierefreiheitsanforderungen für Produkte und Dienstleistungen",
"regulation_type": "eu_directive",
"source_url": "https://eur-lex.europa.eu/eli/dir/2019/882/oj/eng",
"effective_date": date(2025, 6, 28),
"description": "Barrierefreiheitsanforderungen für digitale Produkte und Dienstleistungen. Relevant für Web, Mobile Apps, E-Commerce.",
"is_active": True,
},
# =========================================================================
# G. IP & Urheberrecht
# =========================================================================
{
"code": "DSM",
"name": "DSM-Urheberrechtsrichtlinie",
"full_name": "Richtlinie (EU) 2019/790 - Urheberrecht im digitalen Binnenmarkt",
"regulation_type": "eu_directive",
"source_url": "https://eur-lex.europa.eu/eli/dir/2019/790/oj/eng",
"effective_date": date(2021, 6, 7),
"description": "Modernisiert das Urheberrecht für den digitalen Binnenmarkt. Betrifft Text- und Data-Mining, Upload-Filter.",
"is_active": True,
},
# =========================================================================
# H. Produkthaftung
# =========================================================================
{
"code": "PLD",
"name": "Produkthaftungsrichtlinie",
"full_name": "Richtlinie (EU) 2024/2853 - Haftung für fehlerhafte Produkte",
"regulation_type": "eu_directive",
"source_url": "https://eur-lex.europa.eu/eli/dir/2024/2853/oj/eng",
"effective_date": date(2026, 12, 9),
"description": "Neue Produkthaftungsrichtlinie. Erweitert Haftung auf Software und KI-Systeme.",
"is_active": True,
},
{
"code": "GPSR",
"name": "General Product Safety Regulation",
"full_name": "Verordnung (EU) 2023/988 - Allgemeine Produktsicherheit",
"regulation_type": "eu_regulation",
"source_url": "https://eur-lex.europa.eu/eli/reg/2023/988/oj/eng",
"effective_date": date(2024, 12, 13),
"description": "Allgemeine Produktsicherheitsverordnung. Sicherheitsanforderungen für Verbraucherprodukte inkl. digitaler Produkte.",
"is_active": True,
},
# =========================================================================
# I. BSI-Standards (Deutschland)
# =========================================================================
{
"code": "BSI-TR-03161-1",
"name": "BSI-TR-03161 Teil 1",
"full_name": "BSI Technische Richtlinie - Anforderungen an Anwendungen im Gesundheitswesen - Teil 1: Mobile Anwendungen",
"regulation_type": "bsi_standard",
"source_url": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03161/BSI-TR-03161-1.html",
"local_pdf_path": "/docs/BSI-TR-03161-1.pdf",
"effective_date": date(2022, 1, 1),
"description": "BSI Richtlinie für mobile Anwendungen. Teil 1: Allgemeine Sicherheitsanforderungen.",
"is_active": True,
},
{
"code": "BSI-TR-03161-2",
"name": "BSI-TR-03161 Teil 2",
"full_name": "BSI Technische Richtlinie - Anforderungen an Anwendungen im Gesundheitswesen - Teil 2: Web-Anwendungen",
"regulation_type": "bsi_standard",
"source_url": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03161/BSI-TR-03161-2.html",
"local_pdf_path": "/docs/BSI-TR-03161-2.pdf",
"effective_date": date(2022, 1, 1),
"description": "BSI Richtlinie für Web-Anwendungen. Teil 2: Sicherheitsanforderungen für Web-Frontends und APIs.",
"is_active": True,
},
{
"code": "BSI-TR-03161-3",
"name": "BSI-TR-03161 Teil 3",
"full_name": "BSI Technische Richtlinie - Anforderungen an Anwendungen im Gesundheitswesen - Teil 3: Hintergrundsysteme",
"regulation_type": "bsi_standard",
"source_url": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03161/BSI-TR-03161-3.html",
"local_pdf_path": "/docs/BSI-TR-03161-3.pdf",
"effective_date": date(2022, 1, 1),
"description": "BSI Richtlinie für Hintergrundsysteme. Teil 3: Anforderungen an Backend-Systeme und Infrastruktur.",
"is_active": True,
},
]

391
backend/compliance/data/requirements.py Normal file
View File

@@ -0,0 +1,391 @@
"""
Seed data for Requirements.
Key requirements from:
- GDPR: Art. 5, 25, 28, 30, 32, 35 (Core Articles)
- AI Act: Art. 6, 9, 13, 14, 15 (High-Risk Requirements)
- CRA: Art. 10-15 (Vulnerability Handling)
- BSI-TR-03161: Security Requirements
"""
REQUIREMENTS_SEED = [
# =========================================================================
# GDPR - Datenschutz-Grundverordnung
# =========================================================================
{
"regulation_code": "GDPR",
"article": "Art. 5",
"paragraph": "(1)(a)",
"title": "Rechtmäßigkeit, Verarbeitung nach Treu und Glauben, Transparenz",
"description": "Personenbezogene Daten müssen rechtmäßig, nach Treu und Glauben und transparent verarbeitet werden.",
"requirement_text": "Personenbezogene Daten müssen auf rechtmäßige Weise, nach Treu und Glauben und in einer für die betroffene Person nachvollziehbaren Weise verarbeitet werden.",
"breakpilot_interpretation": "Breakpilot verarbeitet Daten nur mit gültiger Rechtsgrundlage (Einwilligung, Vertrag). Transparente Datenschutzerklärung und Consent-Management.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 5",
"paragraph": "(1)(b)",
"title": "Zweckbindung",
"description": "Daten dürfen nur für festgelegte, eindeutige und legitime Zwecke erhoben werden.",
"requirement_text": "Personenbezogene Daten müssen für festgelegte, eindeutige und legitime Zwecke erhoben werden und dürfen nicht in einer mit diesen Zwecken nicht zu vereinbarenden Weise weiterverarbeitet werden.",
"breakpilot_interpretation": "Jeder Verarbeitungszweck ist im Consent-System klar definiert. Keine Zweckänderung ohne neue Einwilligung.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 5",
"paragraph": "(1)(c)",
"title": "Datenminimierung",
"description": "Datenerhebung muss auf das notwendige Maß beschränkt sein.",
"requirement_text": "Personenbezogene Daten müssen dem Zweck angemessen und erheblich sowie auf das für die Zwecke der Verarbeitung notwendige Maß beschränkt sein.",
"breakpilot_interpretation": "Privacy by Design: Nur erforderliche Daten werden erhoben. Keine überschüssigen Profilfelder.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 5",
"paragraph": "(1)(f)",
"title": "Integrität und Vertraulichkeit",
"description": "Daten müssen vor unbefugter Verarbeitung und Verlust geschützt sein.",
"requirement_text": "Personenbezogene Daten müssen in einer Weise verarbeitet werden, die eine angemessene Sicherheit gewährleistet, einschließlich Schutz vor unbefugter oder unrechtmäßiger Verarbeitung und vor unbeabsichtigtem Verlust, Zerstörung oder Schädigung.",
"breakpilot_interpretation": "Verschlüsselung at Rest und in Transit, RBAC, Audit Logging, regelmäßige Backups.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 25",
"paragraph": "(1)",
"title": "Datenschutz durch Technikgestaltung",
"description": "Privacy by Design - Datenschutz muss in die Entwicklung eingebaut werden.",
"requirement_text": "Der Verantwortliche trifft sowohl zum Zeitpunkt der Festlegung der Mittel als auch zum Zeitpunkt der Verarbeitung geeignete technische und organisatorische Maßnahmen.",
"breakpilot_interpretation": "PbD-Checkliste für neue Features, Datenschutz-Review im Development-Prozess, Standard-Datenschutzeinstellungen.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 25",
"paragraph": "(2)",
"title": "Datenschutzfreundliche Voreinstellungen",
"description": "Privacy by Default - Standardeinstellungen müssen datenschutzfreundlich sein.",
"requirement_text": "Der Verantwortliche trifft geeignete Maßnahmen, die sicherstellen, dass durch Voreinstellung nur personenbezogene Daten verarbeitet werden, deren Verarbeitung für den jeweiligen bestimmten Verarbeitungszweck erforderlich ist.",
"breakpilot_interpretation": "Opt-In statt Opt-Out, minimale Default-Datenerhebung, Consent granular einholbar.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 28",
"paragraph": "(1)",
"title": "Auftragsverarbeiter",
"description": "Nur Auftragsverarbeiter mit hinreichenden Garantien dürfen beauftragt werden.",
"requirement_text": "Erfolgt eine Verarbeitung im Auftrag eines Verantwortlichen, so arbeitet dieser nur mit Auftragsverarbeitern, die hinreichend Garantien dafür bieten.",
"breakpilot_interpretation": "AVV mit allen Sub-Processors, regelmäßige Überprüfung der Garantien, Sub-Processor-Liste gepflegt.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "GDPR",
"article": "Art. 28",
"paragraph": "(3)",
"title": "AVV-Pflichtinhalte",
"description": "Auftragsverarbeitungsverträge müssen bestimmte Mindestinhalte haben.",
"requirement_text": "Die Verarbeitung durch einen Auftragsverarbeiter erfolgt auf der Grundlage eines Vertrags, der Gegenstand, Dauer, Art und Zweck der Verarbeitung, Art der Daten und Kategorien betroffener Personen festlegt.",
"breakpilot_interpretation": "AVV-Template nach Art. 28 Abs. 3, alle Pflichtklauseln enthalten, rechtliche Prüfung.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "GDPR",
"article": "Art. 30",
"paragraph": "(1)",
"title": "Verarbeitungsverzeichnis",
"description": "Führung eines Verzeichnisses aller Verarbeitungstätigkeiten.",
"requirement_text": "Jeder Verantwortliche führt ein Verzeichnis aller Verarbeitungstätigkeiten, die seiner Zuständigkeit unterliegen.",
"breakpilot_interpretation": "VVT gepflegt mit allen Verarbeitungen, regelmäßige Aktualisierung, alle Pflichtangaben enthalten.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 32",
"paragraph": "(1)(a)",
"title": "Pseudonymisierung und Verschlüsselung",
"description": "Technische Maßnahmen zur Pseudonymisierung und Verschlüsselung.",
"requirement_text": "Die Pseudonymisierung und Verschlüsselung personenbezogener Daten.",
"breakpilot_interpretation": "AES-256 Encryption at Rest, TLS 1.3 in Transit, Pseudonymisierung wo möglich.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 32",
"paragraph": "(1)(b)",
"title": "Vertraulichkeit und Integrität der Systeme",
"description": "Fähigkeit, Vertraulichkeit, Integrität und Verfügbarkeit sicherzustellen.",
"requirement_text": "Die Fähigkeit, die Vertraulichkeit, Integrität, Verfügbarkeit und Belastbarkeit der Systeme und Dienste im Zusammenhang mit der Verarbeitung auf Dauer sicherzustellen.",
"breakpilot_interpretation": "RBAC, Audit Logging, DDoS-Schutz, Monitoring & Alerting, redundante Infrastruktur.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 32",
"paragraph": "(1)(c)",
"title": "Wiederherstellbarkeit",
"description": "Fähigkeit zur raschen Wiederherstellung nach Zwischenfällen.",
"requirement_text": "Die Fähigkeit, die Verfügbarkeit der personenbezogenen Daten und den Zugang zu ihnen bei einem physischen oder technischen Zwischenfall rasch wiederherzustellen.",
"breakpilot_interpretation": "Tägliche Backups, dokumentierter Recovery-Plan, RTO < 4h, getestete Wiederherstellung.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "GDPR",
"article": "Art. 32",
"paragraph": "(1)(d)",
"title": "Regelmäßige Überprüfung",
"description": "Regelmäßige Überprüfung und Bewertung der Wirksamkeit der TOMs.",
"requirement_text": "Ein Verfahren zur regelmäßigen Überprüfung, Bewertung und Evaluierung der Wirksamkeit der technischen und organisatorischen Maßnahmen.",
"breakpilot_interpretation": "Jährliche Sicherheitsaudits, Penetration Tests, Control Reviews, Compliance Dashboard.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "GDPR",
"article": "Art. 35",
"paragraph": "(1)",
"title": "Datenschutz-Folgenabschätzung",
"description": "DPIA bei voraussichtlich hohem Risiko für Betroffene.",
"requirement_text": "Hat eine Form der Verarbeitung voraussichtlich ein hohes Risiko für die Rechte und Freiheiten natürlicher Personen zur Folge, so führt der Verantwortliche vorab eine Abschätzung der Folgen durch.",
"breakpilot_interpretation": "DPIA für KI-Verarbeitung und Schülerdaten durchgeführt, Risiken bewertet, Maßnahmen dokumentiert.",
"is_applicable": True,
"priority": 1,
},
# =========================================================================
# AI Act - KI-Verordnung
# =========================================================================
{
"regulation_code": "AIACT",
"article": "Art. 6",
"paragraph": "(1)",
"title": "Klassifizierungsregeln für Hochrisiko-KI-Systeme",
"description": "KI-Systeme müssen nach Risiko klassifiziert werden.",
"requirement_text": "Ein KI-System wird als Hochrisiko-KI-System eingestuft, wenn es als Sicherheitskomponente eines Produkts verwendet wird oder selbst ein Produkt ist, das unter bestimmte Harmonisierungsrechtsvorschriften fällt.",
"breakpilot_interpretation": "Breakpilot KI-Systeme klassifiziert als Limited Risk (Bildungsunterstützung). Keine High-Risk-Klassifizierung, da keine Bewertung/Prüfung mit rechtlicher Wirkung.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "AIACT",
"article": "Art. 9",
"paragraph": "(1)",
"title": "Risikomanagement für High-Risk-KI",
"description": "Risikomanagement-System für Hochrisiko-KI etablieren.",
"requirement_text": "Für Hochrisiko-KI-Systeme wird ein Risikomanagementsystem eingerichtet, umgesetzt, dokumentiert und aufrechterhalten.",
"breakpilot_interpretation": "Obwohl nicht High-Risk: Risikobewertung für KI-Use-Cases durchgeführt, Mitigationsmaßnahmen dokumentiert.",
"is_applicable": True,
"applicability_reason": "Best Practice auch für Limited Risk KI",
"priority": 2,
},
{
"regulation_code": "AIACT",
"article": "Art. 13",
"paragraph": "(1)",
"title": "Transparenz",
"description": "KI-Systeme müssen so konzipiert sein, dass Nutzer sie verstehen können.",
"requirement_text": "Hochrisiko-KI-Systeme werden so konzipiert und entwickelt, dass ihr Betrieb hinreichend transparent ist, damit die Nutzer die Ausgaben des Systems interpretieren und angemessen nutzen können.",
"breakpilot_interpretation": "KI-generierte Inhalte sind als solche gekennzeichnet. Erklärbare KI-Outputs wo möglich.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "AIACT",
"article": "Art. 14",
"paragraph": "(1)",
"title": "Menschliche Aufsicht",
"description": "Hochrisiko-KI-Systeme müssen menschliche Aufsicht ermöglichen.",
"requirement_text": "Hochrisiko-KI-Systeme werden so konzipiert und entwickelt, dass sie während der Zeit ihrer Nutzung wirksam von natürlichen Personen beaufsichtigt werden können.",
"breakpilot_interpretation": "Human-in-the-Loop für KI-generierte Arbeitsblätter. Lehrer können KI-Vorschläge prüfen und anpassen.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "AIACT",
"article": "Art. 15",
"paragraph": "(1)",
"title": "Genauigkeit, Robustheit und Cybersicherheit",
"description": "KI-Systeme müssen ein angemessenes Maß an Genauigkeit erreichen.",
"requirement_text": "Hochrisiko-KI-Systeme werden so konzipiert und entwickelt, dass sie in Bezug auf ihre Zweckbestimmung ein angemessenes Maß an Genauigkeit, Robustheit und Cybersicherheit erreichen.",
"breakpilot_interpretation": "LLM-Outputs werden auf Qualität geprüft. Feedback-Loop für kontinuierliche Verbesserung.",
"is_applicable": True,
"priority": 2,
},
{
"regulation_code": "AIACT",
"article": "Art. 50",
"paragraph": "(1)",
"title": "Kennzeichnungspflicht für KI-generierte Inhalte",
"description": "Nutzer müssen informiert werden, dass sie mit KI interagieren.",
"requirement_text": "Anbieter stellen sicher, dass KI-Systeme, die für die Interaktion mit natürlichen Personen bestimmt sind, so konzipiert werden, dass natürliche Personen darüber informiert werden, dass sie mit einem KI-System interagieren.",
"breakpilot_interpretation": "KI-Features sind klar als solche gekennzeichnet. KI-Icon und Hinweistexte implementiert.",
"is_applicable": True,
"priority": 1,
},
# =========================================================================
# CRA - Cyber Resilience Act
# =========================================================================
{
"regulation_code": "CRA",
"article": "Art. 10",
"paragraph": "(1)",
"title": "Wesentliche Cybersicherheitsanforderungen",
"description": "Produkte müssen ohne bekannte ausnutzbare Schwachstellen ausgeliefert werden.",
"requirement_text": "Produkte mit digitalen Elementen werden so konzipiert, entwickelt und hergestellt, dass sie ein angemessenes Cybersicherheitsniveau gewährleisten.",
"breakpilot_interpretation": "Secure-by-Design Entwicklung, SAST/DAST in CI, keine bekannten Critical/High CVEs bei Release.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "CRA",
"article": "Art. 11",
"paragraph": "(1)",
"title": "Meldung ausgenutzter Schwachstellen",
"description": "Aktiv ausgenutzte Schwachstellen müssen innerhalb von 24h gemeldet werden.",
"requirement_text": "Der Hersteller meldet dem CSIRT und der ENISA jede aktiv ausgenutzte Schwachstelle innerhalb von 24 Stunden nach Kenntnisnahme.",
"breakpilot_interpretation": "Incident Response Plan enthält 24h-Meldepflicht. Kontakt zu BSI/CERT-Bund etabliert.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "CRA",
"article": "Art. 13",
"paragraph": "(1)",
"title": "Software Bill of Materials",
"description": "SBOM muss für alle Produkte erstellt werden.",
"requirement_text": "Hersteller ermitteln und dokumentieren Komponenten, die in dem Produkt enthalten sind, unter anderem durch Erstellung einer Software-Stückliste.",
"breakpilot_interpretation": "CycloneDX SBOM wird automatisch bei jedem Release generiert und veröffentlicht.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "CRA",
"article": "Art. 14",
"paragraph": "(1)",
"title": "Sicherheitsupdates",
"description": "Sicherheitsupdates müssen kostenlos und zeitnah bereitgestellt werden.",
"requirement_text": "Hersteller stellen sicher, dass Schwachstellen durch kostenlose Sicherheitsupdates behoben werden können, die unverzüglich bereitgestellt werden.",
"breakpilot_interpretation": "Patch-SLA: Critical < 7 Tage, High < 30 Tage. Updates automatisch verteilt.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "CRA",
"article": "Art. 15",
"paragraph": "(1)",
"title": "Support-Zeitraum",
"description": "Mindest-Support-Zeitraum für Sicherheitsupdates.",
"requirement_text": "Der Support-Zeitraum beträgt mindestens fünf Jahre, es sei denn, die Lebensdauer des Produkts ist kürzer.",
"breakpilot_interpretation": "Breakpilot garantiert 5 Jahre Sicherheitsupdates ab Produktversion. EOL-Policy kommuniziert.",
"is_applicable": True,
"priority": 2,
},
# =========================================================================
# BSI-TR-03161 - Mobile Application Security
# =========================================================================
{
"regulation_code": "BSI-TR-03161-1",
"article": "O.Arch_1",
"paragraph": None,
"title": "Sichere Architektur",
"description": "Anwendung muss nach Prinzipien sicherer Architektur entwickelt werden.",
"requirement_text": "Die Architektur der Anwendung MUSS nach anerkannten Prinzipien sicherer Software-Architektur entwickelt werden.",
"breakpilot_interpretation": "Defense in Depth, Least Privilege, Fail Secure implementiert in Backend und Mobile App.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-1",
"article": "O.Auth_1",
"paragraph": None,
"title": "Starke Authentisierung",
"description": "Sichere Authentisierungsmechanismen müssen implementiert sein.",
"requirement_text": "Die Anwendung MUSS sichere Authentisierungsmechanismen implementieren.",
"breakpilot_interpretation": "JWT-basierte Authentifizierung, MFA für Admin-Accounts, sichere Session-Verwaltung.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-1",
"article": "O.Cryp_1",
"paragraph": None,
"title": "Sichere Kryptographie",
"description": "Nur sichere kryptographische Verfahren dürfen verwendet werden.",
"requirement_text": "Die Anwendung MUSS ausschließlich als sicher anerkannte kryptographische Verfahren verwenden.",
"breakpilot_interpretation": "TLS 1.3, AES-256, bcrypt für Passwörter. Keine schwachen Algorithmen (MD5, SHA1, DES).",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-1",
"article": "O.Data_1",
"paragraph": None,
"title": "Datensicherheit",
"description": "Sensible Daten müssen angemessen geschützt werden.",
"requirement_text": "Die Anwendung MUSS sensible Daten sowohl bei der Übertragung als auch bei der Speicherung angemessen schützen.",
"breakpilot_interpretation": "Encryption at Rest und in Transit, keine PII in Logs, sichere Key-Speicherung in Vault.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-2",
"article": "O.Auth_2",
"paragraph": None,
"title": "Session Management",
"description": "Sichere Session-Verwaltung für Web-Anwendungen.",
"requirement_text": "Web-Anwendungen MÜSSEN ein sicheres Session-Management implementieren.",
"breakpilot_interpretation": "JWT mit kurzer Expiry, Refresh-Token-Rotation, CSRF-Schutz, Secure/HttpOnly Cookies.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-2",
"article": "O.Source_1",
"paragraph": None,
"title": "Input-Validierung",
"description": "Alle Eingaben müssen validiert werden.",
"requirement_text": "Alle Eingaben MÜSSEN vor der Verarbeitung auf Gültigkeit geprüft werden.",
"breakpilot_interpretation": "Server-side Validation für alle Inputs, Sanitization, Protection gegen Injection-Angriffe.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-3",
"article": "O.Back_1",
"paragraph": None,
"title": "Sichere Backend-Kommunikation",
"description": "Kommunikation zwischen Komponenten muss abgesichert sein.",
"requirement_text": "Die Kommunikation zwischen Frontend und Backend MUSS über sichere Kanäle erfolgen.",
"breakpilot_interpretation": "TLS 1.3 für alle internen Verbindungen, mTLS für Service-to-Service wo möglich.",
"is_applicable": True,
"priority": 1,
},
{
"regulation_code": "BSI-TR-03161-3",
"article": "O.Ops_1",
"paragraph": None,
"title": "Sichere Konfiguration",
"description": "Backend-Systeme müssen sicher konfiguriert sein.",
"requirement_text": "Backend-Systeme MÜSSEN nach Security-Best-Practices konfiguriert werden.",
"breakpilot_interpretation": "Hardened Container Images, keine Default-Credentials, Secrets in Vault, minimale Ports.",
"is_applicable": True,
"priority": 1,
},
]

309
backend/compliance/data/risks.py Normal file
View File

@@ -0,0 +1,309 @@
"""
Compliance Risks Seed Data.
Contains potential risks for Breakpilot PWA based on regulatory requirements.
Each risk is assessed with likelihood (1-5) and impact (1-5).
Risk Categories:
- data_breach: Potential data breaches or unauthorized access
- compliance_gap: Non-compliance with regulations
- vendor_risk: Third-party/vendor related risks
- operational: Operational and availability risks
- legal: Legal and contractual risks
- reputational: Reputation and trust risks
"""
from typing import List, Dict, Any
# Likelihood Scale:
# 1 = Very Unlikely (< 5% chance per year)
# 2 = Unlikely (5-20% chance per year)
# 3 = Possible (20-50% chance per year)
# 4 = Likely (50-80% chance per year)
# 5 = Very Likely (> 80% chance per year)
# Impact Scale:
# 1 = Negligible (< 1.000 EUR, no operational impact)
# 2 = Minor (1.000-10.000 EUR, minor disruption)
# 3 = Moderate (10.000-100.000 EUR, significant disruption)
# 4 = Major (100.000-1.000.000 EUR, severe impact)
# 5 = Critical (> 1.000.000 EUR, existential threat)
RISKS_SEED: List[Dict[str, Any]] = [
# ========================================================================
# Datenschutz-Risiken (DSGVO)
# ========================================================================
{
"risk_id": "RISK-001",
"title": "Unbefugter Zugriff auf Schueler-PII",
"description": "Angreifer oder unbefugte Mitarbeiter koennten auf personenbezogene Daten von Schuelern zugreifen (Namen, Noten, Lernfortschritt). Dies wuerde eine meldepflichtige Datenpanne nach Art. 33 DSGVO darstellen.",
"category": "data_breach",
"likelihood": 2,
"impact": 4,
"mitigating_controls": ["IAM-001", "IAM-003", "CRYPTO-001", "OPS-001"],
"owner": "Datenschutzbeauftragter",
"treatment_plan": "RBAC strikt umsetzen, Mandantentrennung pruefen, regelmaessige Access Reviews durchfuehren, Logging aller Zugriffe auf PII.",
"related_regulations": ["GDPR", "BDSG"],
},
{
"risk_id": "RISK-002",
"title": "Fehlende oder ungueltige Einwilligungen",
"description": "Verarbeitung von Daten ohne gueltige Einwilligung oder Rechtsgrundlage. Insbesondere bei minderjaehrigen Schuelern ist die Einwilligung der Erziehungsberechtigten erforderlich.",
"category": "compliance_gap",
"likelihood": 3,
"impact": 3,
"mitigating_controls": ["PRIV-001", "PRIV-003", "GOV-001"],
"owner": "Datenschutzbeauftragter",
"treatment_plan": "Consent-Management-System implementieren, Altersverifikation, Double-Opt-In fuer Eltern, Dokumentation aller Einwilligungen.",
"related_regulations": ["GDPR", "TDDDG"],
},
{
"risk_id": "RISK-003",
"title": "Unvollstaendige Betroffenenrechte-Umsetzung",
"description": "Art. 15-22 DSGVO Anfragen (Auskunft, Loeschung, Berichtigung, Portabilitaet) werden nicht fristgerecht oder unvollstaendig beantwortet.",
"category": "compliance_gap",
"likelihood": 2,
"impact": 3,
"mitigating_controls": ["PRIV-004", "GOV-005"],
"owner": "Datenschutzbeauftragter",
"treatment_plan": "DSR-Workflow automatisieren, Fristen-Tracking implementieren, Export-Funktion fuer alle Nutzerdaten bereitstellen.",
"related_regulations": ["GDPR"],
},
{
"risk_id": "RISK-004",
"title": "PII in Logs und Fehlerberichten",
"description": "Personenbezogene Daten werden versehentlich in Logs, Fehlerberichten oder Analytics-Daten erfasst und koennten durch Dritte eingesehen werden.",
"category": "data_breach",
"likelihood": 3,
"impact": 2,
"mitigating_controls": ["PRIV-007", "OPS-001", "SDLC-001"],
"owner": "Engineering Lead",
"treatment_plan": "PII-Redactor in allen Logging-Pipelines, SAST-Regeln fuer PII-Leaks, Log-Retention-Policy (max 30 Tage).",
"related_regulations": ["GDPR"],
},
# ========================================================================
# KI-Risiken (AI Act)
# ========================================================================
{
"risk_id": "RISK-005",
"title": "Bias in KI-generierten Lerninhalten",
"description": "KI-Modelle koennten verzerrte oder diskriminierende Inhalte generieren, die bestimmte Schuelergruppen benachteiligen.",
"category": "compliance_gap",
"likelihood": 3,
"impact": 3,
"mitigating_controls": ["AI-001", "AI-003", "AI-004"],
"owner": "AI/ML Lead",
"treatment_plan": "Bias-Monitoring implementieren, Human-in-the-Loop fuer alle KI-Outputs, regelmaessige Audits der Trainingsdaten.",
"related_regulations": ["AIACT"],
},
{
"risk_id": "RISK-006",
"title": "Fehlende KI-Transparenz gegenueber Nutzern",
"description": "Nutzer werden nicht ausreichend darueber informiert, wenn KI-Systeme Entscheidungen treffen oder Inhalte generieren (Art. 13 AI Act).",
"category": "compliance_gap",
"likelihood": 2,
"impact": 3,
"mitigating_controls": ["AI-002", "AI-005", "GOV-001"],
"owner": "Product Owner",
"treatment_plan": "KI-Disclosure in UI implementieren, Model Cards erstellen, Transparenzbericht veroeffentlichen.",
"related_regulations": ["AIACT"],
},
{
"risk_id": "RISK-007",
"title": "Unzureichende KI-Risikobewertung",
"description": "Bildungs-KI koennte als High-Risk nach AI Act klassifiziert werden, ohne dass die entsprechenden Anforderungen (Art. 9-15) erfuellt sind.",
"category": "compliance_gap",
"likelihood": 3,
"impact": 4,
"mitigating_controls": ["AI-005", "GOV-001", "AUD-001"],
"owner": "Compliance Officer",
"treatment_plan": "AI Act Impact Assessment durchfuehren, Risikoklassifizierung dokumentieren, Konformitaetsbewertung vorbereiten.",
"related_regulations": ["AIACT"],
},
# ========================================================================
# Cybersecurity-Risiken (CRA, NIS2)
# ========================================================================
{
"risk_id": "RISK-008",
"title": "Schwachstellen in Abhaengigkeiten",
"description": "Bekannte CVEs in Third-Party-Libraries werden nicht zeitnah gepatcht und koennten ausgenutzt werden.",
"category": "operational",
"likelihood": 4,
"impact": 4,
"mitigating_controls": ["SDLC-002", "SDLC-005", "OPS-004"],
"owner": "Engineering Lead",
"treatment_plan": "Trivy/Grype in CI/CD, automatische Dependency-Updates (Dependabot), SLA: Critical CVEs < 7 Tage patchen.",
"related_regulations": ["CRA", "NIS2"],
},
{
"risk_id": "RISK-009",
"title": "Fehlende SBOM fuer CRA-Compliance",
"description": "Ohne Software Bill of Materials (SBOM) koennen Schwachstellen nicht effektiv verfolgt werden. CRA verlangt SBOM ab 2027.",
"category": "compliance_gap",
"likelihood": 2,
"impact": 3,
"mitigating_controls": ["CRA-001", "SDLC-005"],
"owner": "Engineering Lead",
"treatment_plan": "CycloneDX SBOM in CI generieren, SBOM-Repository aufbauen, VEX (Vulnerability Exploitability eXchange) implementieren.",
"related_regulations": ["CRA"],
},
{
"risk_id": "RISK-010",
"title": "Unzureichende Incident Response",
"description": "Bei einem Sicherheitsvorfall fehlen klare Prozesse, was zu verzoegerter Reaktion und erhoehtem Schaden fuehrt.",
"category": "operational",
"likelihood": 2,
"impact": 4,
"mitigating_controls": ["GOV-005", "OPS-003"],
"owner": "Security Lead",
"treatment_plan": "Incident Response Plan dokumentieren, Runbooks erstellen, Tabletop-Uebungen durchfuehren, Notfall-Kontakte pflegen.",
"related_regulations": ["NIS2", "GDPR"],
},
{
"risk_id": "RISK-011",
"title": "Secrets in Code oder Logs",
"description": "API-Keys, Passwoerter oder andere Secrets werden versehentlich ins Repository committed oder in Logs geschrieben.",
"category": "data_breach",
"likelihood": 3,
"impact": 4,
"mitigating_controls": ["SDLC-003", "CRYPTO-003"],
"owner": "Engineering Lead",
"treatment_plan": "Gitleaks/TruffleHog in Pre-Commit-Hooks, Vault fuer Secrets, automatische Key-Rotation.",
"related_regulations": ["CRA"],
},
# ========================================================================
# Vendor & Supply Chain Risiken
# ========================================================================
{
"risk_id": "RISK-012",
"title": "Drittanbieter-Datenweitergabe ohne AVV",
"description": "Personenbezogene Daten werden an Cloud-Provider oder Subunternehmer uebermittelt, ohne dass ein Auftragsverarbeitungsvertrag (AVV) vorliegt.",
"category": "vendor_risk",
"likelihood": 2,
"impact": 3,
"mitigating_controls": ["PRIV-005"],
"owner": "Datenschutzbeauftragter",
"treatment_plan": "Vendor-Register fuehren, AVVs mit allen Auftragsverarbeitern abschliessen, regelmaessige Ueberpruefung.",
"related_regulations": ["GDPR"],
},
{
"risk_id": "RISK-013",
"title": "US-Cloud-Dienste ohne angemessene Garantien",
"description": "Nutzung von US-Cloud-Diensten ohne EU-US Data Privacy Framework Zertifizierung oder SCCs, was nach Schrems II problematisch ist.",
"category": "vendor_risk",
"likelihood": 2,
"impact": 4,
"mitigating_controls": ["PRIV-005", "GOV-001"],
"owner": "Datenschutzbeauftragter",
"treatment_plan": "Cloud-Provider auf DPF-Zertifizierung pruefen, Transfer Impact Assessment durchfuehren, EU-Hosting bevorzugen.",
"related_regulations": ["GDPR", "SCC", "DPF"],
},
{
"risk_id": "RISK-014",
"title": "LLM-Provider Datennutzung fuer Training",
"description": "LLM-Anbieter (OpenAI, Anthropic) koennten Nutzerdaten zum Training verwenden, was ohne Einwilligung problematisch waere.",
"category": "vendor_risk",
"likelihood": 2,
"impact": 3,
"mitigating_controls": ["PRIV-005", "AI-001"],
"owner": "AI/ML Lead",
"treatment_plan": "Opt-Out fuer Training bei allen LLM-Providern, Enterprise-Agreements mit No-Training-Klausel, PII-Filtering vor API-Calls.",
"related_regulations": ["GDPR", "AIACT"],
},
# ========================================================================
# Betriebliche Risiken
# ========================================================================
{
"risk_id": "RISK-015",
"title": "Datenverlust durch fehlende Backups",
"description": "Kritische Daten gehen durch Hardware-Ausfall, Ransomware oder menschliches Versagen verloren.",
"category": "operational",
"likelihood": 2,
"impact": 5,
"mitigating_controls": ["OPS-002"],
"owner": "DevOps Lead",
"treatment_plan": "Taegliche automatische Backups, geografisch redundante Speicherung, regelmaessige Restore-Tests (quartalsweise).",
"related_regulations": ["GDPR"],
},
{
"risk_id": "RISK-016",
"title": "Verfuegbarkeitsausfall waehrend Unterricht",
"description": "System ist waehrend des Unterrichts nicht verfuegbar, was den Lehrbetrieb stoert und Vertrauen beschaedigt.",
"category": "operational",
"likelihood": 3,
"impact": 3,
"mitigating_controls": ["OPS-005"],
"owner": "DevOps Lead",
"treatment_plan": "99.9% SLA definieren, Monitoring mit Alerting, Runbooks fuer haeufige Ausfaelle, Status-Page einrichten.",
"related_regulations": [],
},
# ========================================================================
# Rechtliche Risiken
# ========================================================================
{
"risk_id": "RISK-017",
"title": "DSGVO-Bussgeld wegen Compliance-Verstoss",
"description": "Aufsichtsbehoerde verhaengt Bussgeld wegen Datenschutzverstoss (bis zu 20 Mio EUR oder 4% Jahresumsatz).",
"category": "legal",
"likelihood": 1,
"impact": 5,
"mitigating_controls": ["PRIV-001", "PRIV-002", "PRIV-006", "GOV-001"],
"owner": "Geschaeftsfuehrung",
"treatment_plan": "Datenschutz-Audit jaehrlich, DPIA fuer neue Verarbeitungen, enge Zusammenarbeit mit DSB.",
"related_regulations": ["GDPR"],
},
{
"risk_id": "RISK-018",
"title": "Haftung bei KI-verursachten Schaeden",
"description": "Neue Produkthaftungsrichtlinie macht Hersteller fuer KI-verursachte Schaeden haftbar (fehlerhafte Lerninhalte, falsche Bewertungen).",
"category": "legal",
"likelihood": 2,
"impact": 4,
"mitigating_controls": ["AI-003", "AI-004", "AUD-001"],
"owner": "Geschaeftsfuehrung",
"treatment_plan": "Human-in-the-Loop fuer kritische Entscheidungen, Disclaimer in UI, Haftpflichtversicherung pruefen.",
"related_regulations": ["PLD", "AIACT"],
},
# ========================================================================
# Barrierefreiheit
# ========================================================================
{
"risk_id": "RISK-019",
"title": "Nicht barrierefreie Anwendung (EAA)",
"description": "European Accessibility Act verlangt ab 2025 Barrierefreiheit. Nicht-konforme Software kann vom Markt ausgeschlossen werden.",
"category": "compliance_gap",
"likelihood": 3,
"impact": 3,
"mitigating_controls": ["GOV-001"],
"owner": "Product Owner",
"treatment_plan": "WCAG 2.1 AA Audit durchfuehren, Accessibility-Tests in CI, Screenreader-Kompatibilitaet sicherstellen.",
"related_regulations": ["EAA"],
},
# ========================================================================
# Reputationsrisiken
# ========================================================================
{
"risk_id": "RISK-020",
"title": "Reputationsschaden durch Datenpanne",
"description": "Oeffentlich bekannt gewordene Datenpanne fuehrt zu Vertrauensverlust bei Schulen, Eltern und Schuelern.",
"category": "reputational",
"likelihood": 2,
"impact": 4,
"mitigating_controls": ["GOV-005", "OPS-003"],
"owner": "Geschaeftsfuehrung",
"treatment_plan": "Kommunikationsplan fuer Krisenfaelle, transparente Kommunikation, schnelle Behebung und Information Betroffener.",
"related_regulations": ["GDPR"],
},
]
def get_risks_for_seeding() -> List[Dict[str, Any]]:
"""Return all risks for database seeding."""
return RISKS_SEED

834
backend/compliance/data/service_modules.py Normal file
View File

@@ -0,0 +1,834 @@
"""
Breakpilot Service Module Registry - Seed Data
Contains all 51+ Breakpilot services with:
- Technical details (port, stack, repository)
- Data categories processed
- Applicable regulations
"""
from typing import Dict, List, Any
# Service Type Constants
BACKEND = "backend"
DATABASE = "database"
AI = "ai"
COMMUNICATION = "communication"
STORAGE = "storage"
INFRASTRUCTURE = "infrastructure"
MONITORING = "monitoring"
SECURITY = "security"
# Relevance Level Constants
CRITICAL = "critical"
HIGH = "high"
MEDIUM = "medium"
LOW = "low"
BREAKPILOT_SERVICES: List[Dict[str, Any]] = [
# =========================================================================
# CORE BACKEND SERVICES
# =========================================================================
{
"name": "python-backend",
"display_name": "Python Backend (FastAPI)",
"description": "Hauptbackend für API, Frontend-Serving, GDPR-Export und alle Core-Funktionen",
"service_type": BACKEND,
"port": 8000,
"technology_stack": ["Python", "FastAPI", "SQLAlchemy", "PostgreSQL"],
"repository_path": "/backend",
"docker_image": "breakpilot-pwa-backend",
"data_categories": ["user_data", "consent_records", "documents", "learning_data"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Verarbeitet alle personenbezogenen Daten"},
{"code": "AIACT", "relevance": HIGH, "notes": "Orchestriert KI-Services"},
{"code": "DSA", "relevance": MEDIUM, "notes": "Content-Moderation"},
{"code": "NIS2", "relevance": HIGH, "notes": "Kritische Infrastruktur"},
]
},
{
"name": "consent-service",
"display_name": "Go Consent Service",
"description": "Kernlogik für Consent-Management, Einwilligungsverwaltung und Versionierung",
"service_type": BACKEND,
"port": 8081,
"technology_stack": ["Go", "Gin", "GORM", "PostgreSQL"],
"repository_path": "/consent-service",
"docker_image": "breakpilot-pwa-consent-service",
"data_categories": ["consent_records", "user_preferences", "audit_logs"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Art. 7 Einwilligung, Art. 30 VVZ"},
{"code": "TDDDG", "relevance": CRITICAL, "notes": "§ 25 Cookie-Consent"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "Session-Management"},
]
},
{
"name": "billing-service",
"display_name": "Billing Service",
"description": "Zahlungsabwicklung, Abonnements und Rechnungsstellung",
"service_type": BACKEND,
"port": 8083,
"technology_stack": ["Python", "FastAPI", "Stripe API"],
"repository_path": "/billing-service",
"docker_image": "breakpilot-pwa-billing",
"data_categories": ["payment_data", "subscriptions", "invoices"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Zahlungsdaten = besonders schützenswert"},
{"code": "DSA", "relevance": LOW, "notes": "Transparenz bei Gebühren"},
]
},
{
"name": "school-service",
"display_name": "School Service",
"description": "Schulverwaltung, Klassen, Noten und Zeugnisse",
"service_type": BACKEND,
"port": 8084,
"technology_stack": ["Python", "FastAPI", "PostgreSQL"],
"repository_path": "/school-service",
"docker_image": "breakpilot-pwa-school-service",
"data_categories": ["student_data", "grades", "certificates", "class_data"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Education Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Schülerdaten = besonderer Schutz"},
{"code": "BSI-TR-03161-1", "relevance": HIGH, "notes": "Sicherheit für Bildungsanwendungen"},
]
},
{
"name": "calendar-service",
"display_name": "Calendar Service",
"description": "Kalender, Termine und Stundenplanung",
"service_type": BACKEND,
"port": 8085,
"technology_stack": ["Python", "FastAPI", "PostgreSQL"],
"repository_path": "/calendar-service",
"docker_image": "breakpilot-pwa-calendar",
"data_categories": ["schedule_data", "appointments"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Terminbezogene Daten"},
]
},
# =========================================================================
# AI / ML SERVICES
# =========================================================================
{
"name": "klausur-service",
"display_name": "Klausur Service (AI Correction)",
"description": "KI-gestützte Klausurbewertung, PDF-Analyse und Feedback-Generierung",
"service_type": AI,
"port": 8086,
"technology_stack": ["Python", "FastAPI", "Claude API", "PyMuPDF"],
"repository_path": "/klausur-service",
"docker_image": "breakpilot-pwa-klausur-service",
"data_categories": ["exam_papers", "corrections", "student_submissions"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": True,
"criticality": "high",
"owner_team": "AI Team",
"regulations": [
{"code": "AIACT", "relevance": CRITICAL, "notes": "High-Risk KI im Bildungsbereich Art. 6"},
{"code": "GDPR", "relevance": CRITICAL, "notes": "Automatisierte Entscheidung Art. 22"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "Input-Validierung für Uploads"},
]
},
{
"name": "embedding-service",
"display_name": "Embedding Service",
"description": "Vektor-Embeddings für semantische Suche und RAG",
"service_type": AI,
"port": 8087,
"technology_stack": ["Python", "FastAPI", "SentenceTransformers", "Qdrant"],
"repository_path": "/embedding-service",
"docker_image": "breakpilot-pwa-embedding-service",
"data_categories": ["document_embeddings", "search_queries"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": True,
"criticality": "medium",
"owner_team": "AI Team",
"regulations": [
{"code": "AIACT", "relevance": MEDIUM, "notes": "General-Purpose AI System"},
{"code": "GDPR", "relevance": LOW, "notes": "Keine direkten personenbezogenen Daten"},
]
},
{
"name": "transcription-worker",
"display_name": "Transcription Worker",
"description": "Whisper-basierte Audio-Transkription für Meetings und Videos",
"service_type": AI,
"port": None,
"technology_stack": ["Python", "Whisper", "FFmpeg"],
"repository_path": "/transcription-service",
"docker_image": "breakpilot-pwa-transcription",
"data_categories": ["audio_recordings", "transcripts"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": True,
"criticality": "medium",
"owner_team": "AI Team",
"regulations": [
{"code": "AIACT", "relevance": MEDIUM, "notes": "Audio-Analyse"},
{"code": "GDPR", "relevance": HIGH, "notes": "Sprachaufnahmen = biometrische Daten"},
]
},
{
"name": "llm-gateway",
"display_name": "LLM Gateway",
"description": "Zentraler Gateway für alle LLM-Anfragen (Claude, OpenAI, Self-Hosted)",
"service_type": AI,
"port": 8088,
"technology_stack": ["Python", "FastAPI", "LiteLLM"],
"repository_path": "/llm-gateway",
"docker_image": "breakpilot-pwa-llm-gateway",
"data_categories": ["llm_prompts", "llm_responses"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": True,
"criticality": "high",
"owner_team": "AI Team",
"regulations": [
{"code": "AIACT", "relevance": CRITICAL, "notes": "Orchestrierung von KI-Systemen"},
{"code": "GDPR", "relevance": HIGH, "notes": "Daten an externe APIs"},
]
},
# =========================================================================
# DATABASES
# =========================================================================
{
"name": "postgresql",
"display_name": "PostgreSQL Database",
"description": "Primäre relationale Datenbank für alle persistenten Daten",
"service_type": DATABASE,
"port": 5432,
"technology_stack": ["PostgreSQL 15"],
"repository_path": None,
"docker_image": "postgres:15",
"data_categories": ["all_persistent_data"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Art. 32 Sicherheit der Verarbeitung"},
{"code": "BSI-TR-03161-3", "relevance": CRITICAL, "notes": "Datenbank-Sicherheit"},
{"code": "NIS2", "relevance": HIGH, "notes": "Kritische Infrastruktur"},
]
},
{
"name": "qdrant",
"display_name": "Qdrant Vector DB",
"description": "Vektordatenbank für Embeddings und semantische Suche",
"service_type": DATABASE,
"port": 6333,
"technology_stack": ["Qdrant"],
"repository_path": None,
"docker_image": "qdrant/qdrant",
"data_categories": ["vector_embeddings", "document_metadata"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "AI Team",
"regulations": [
{"code": "GDPR", "relevance": LOW, "notes": "Keine direkten PII"},
{"code": "BSI-TR-03161-3", "relevance": MEDIUM, "notes": "Datenbank-Sicherheit"},
]
},
{
"name": "valkey",
"display_name": "Valkey (Redis Fork)",
"description": "In-Memory Cache und Message Queue",
"service_type": DATABASE,
"port": 6379,
"technology_stack": ["Valkey"],
"repository_path": None,
"docker_image": "valkey/valkey",
"data_categories": ["session_data", "cache_data", "job_queues"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Session-Daten"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "Session-Management"},
]
},
# =========================================================================
# STORAGE
# =========================================================================
{
"name": "minio",
"display_name": "MinIO Object Storage",
"description": "S3-kompatibler Object Storage für Dateien, Bilder und Backups",
"service_type": STORAGE,
"port": 9000,
"technology_stack": ["MinIO"],
"repository_path": None,
"docker_image": "minio/minio",
"data_categories": ["uploaded_files", "recordings", "backups", "exports"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Speicherung von Nutzerdaten"},
{"code": "BSI-TR-03161-3", "relevance": HIGH, "notes": "Speichersicherheit"},
]
},
# =========================================================================
# COMMUNICATION SERVICES
# =========================================================================
{
"name": "matrix-synapse",
"display_name": "Matrix Synapse",
"description": "Dezentraler Chat-Server für Messaging",
"service_type": COMMUNICATION,
"port": 8008,
"technology_stack": ["Python", "Matrix Protocol", "PostgreSQL"],
"repository_path": None,
"docker_image": "matrixdotorg/synapse",
"data_categories": ["messages", "chat_history", "user_presence"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Chat-Inhalte"},
{"code": "DSA", "relevance": HIGH, "notes": "Content-Moderation"},
]
},
{
"name": "jitsi-meet",
"display_name": "Jitsi Meet",
"description": "WebRTC-basierte Videokonferenzen",
"service_type": COMMUNICATION,
"port": 8443,
"technology_stack": ["JavaScript", "WebRTC", "Prosody"],
"repository_path": None,
"docker_image": "jitsi/web",
"data_categories": ["video_streams", "audio_streams", "screen_shares"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Video-/Audiodaten"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "WebRTC-Sicherheit"},
]
},
{
"name": "jitsi-prosody",
"display_name": "Jitsi Prosody (XMPP)",
"description": "XMPP-Server für Jitsi Signaling",
"service_type": COMMUNICATION,
"port": 5222,
"technology_stack": ["Lua", "Prosody", "XMPP"],
"repository_path": None,
"docker_image": "jitsi/prosody",
"data_categories": ["signaling_data", "presence"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Signaling-Metadaten"},
]
},
{
"name": "jitsi-jicofo",
"display_name": "Jitsi Jicofo",
"description": "Jitsi Focus Component für Konferenzkoordination",
"service_type": COMMUNICATION,
"port": None,
"technology_stack": ["Java"],
"repository_path": None,
"docker_image": "jitsi/jicofo",
"data_categories": ["conference_metadata"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": LOW, "notes": "Nur Metadaten"},
]
},
{
"name": "jitsi-jvb",
"display_name": "Jitsi JVB (Video Bridge)",
"description": "Video Bridge für Multi-Party Konferenzen",
"service_type": COMMUNICATION,
"port": 10000,
"technology_stack": ["Java", "WebRTC"],
"repository_path": None,
"docker_image": "jitsi/jvb",
"data_categories": ["video_streams"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "Video-Routing"},
{"code": "BSI-TR-03161-2", "relevance": MEDIUM, "notes": "WebRTC-Sicherheit"},
]
},
{
"name": "jibri",
"display_name": "Jitsi Jibri (Recording)",
"description": "Meeting-Aufzeichnung und Streaming",
"service_type": COMMUNICATION,
"port": None,
"technology_stack": ["Java", "FFmpeg", "Chrome"],
"repository_path": None,
"docker_image": "jitsi/jibri",
"data_categories": ["recordings", "video_files"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Communication Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Video-Aufzeichnungen"},
]
},
# =========================================================================
# CONTENT SERVICES
# =========================================================================
{
"name": "h5p-service",
"display_name": "H5P Content Service",
"description": "Interaktive Lerninhalte (H5P)",
"service_type": BACKEND,
"port": 8082,
"technology_stack": ["PHP", "H5P Framework"],
"repository_path": "/h5p-service",
"docker_image": "breakpilot-pwa-h5p",
"data_categories": ["learning_content", "user_progress"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Education Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Lernfortschritt"},
]
},
{
"name": "content-db",
"display_name": "Content Database",
"description": "Dedizierte DB für Content-Services",
"service_type": DATABASE,
"port": 5433,
"technology_stack": ["PostgreSQL 15"],
"repository_path": None,
"docker_image": "postgres:15",
"data_categories": ["content_metadata"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Infrastructure",
"regulations": [
{"code": "BSI-TR-03161-3", "relevance": MEDIUM, "notes": "Datenbank-Sicherheit"},
]
},
# =========================================================================
# SECURITY SERVICES
# =========================================================================
{
"name": "vault",
"display_name": "HashiCorp Vault",
"description": "Secrets Management und Encryption as a Service",
"service_type": SECURITY,
"port": 8200,
"technology_stack": ["Vault"],
"repository_path": "/vault",
"docker_image": "hashicorp/vault",
"data_categories": ["secrets", "encryption_keys", "api_credentials"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Security Team",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "Art. 32 Verschlüsselung"},
{"code": "BSI-TR-03161-1", "relevance": CRITICAL, "notes": "Schlüsselverwaltung"},
{"code": "BSI-TR-03161-3", "relevance": CRITICAL, "notes": "O.Cryp Prüfaspekte"},
]
},
# =========================================================================
# INFRASTRUCTURE
# =========================================================================
{
"name": "traefik",
"display_name": "Traefik Reverse Proxy",
"description": "Reverse Proxy, Load Balancer und TLS Termination",
"service_type": INFRASTRUCTURE,
"port": 443,
"technology_stack": ["Traefik", "Let's Encrypt"],
"repository_path": None,
"docker_image": "traefik",
"data_categories": ["access_logs", "request_metadata"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Infrastructure",
"regulations": [
{"code": "NIS2", "relevance": HIGH, "notes": "Netzwerksicherheit"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "TLS-Konfiguration"},
]
},
# =========================================================================
# MONITORING
# =========================================================================
{
"name": "loki",
"display_name": "Grafana Loki",
"description": "Log-Aggregation und -Analyse",
"service_type": MONITORING,
"port": 3100,
"technology_stack": ["Loki", "Grafana"],
"repository_path": None,
"docker_image": "grafana/loki",
"data_categories": ["logs", "audit_trails"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Log-Retention"},
{"code": "BSI-TR-03161-3", "relevance": HIGH, "notes": "O.Log Prüfaspekte"},
]
},
{
"name": "grafana",
"display_name": "Grafana",
"description": "Dashboards und Visualisierung",
"service_type": MONITORING,
"port": 3000,
"technology_stack": ["Grafana"],
"repository_path": None,
"docker_image": "grafana/grafana",
"data_categories": ["metrics", "dashboards"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Infrastructure",
"regulations": [
{"code": "BSI-TR-03161-3", "relevance": MEDIUM, "notes": "Monitoring"},
]
},
{
"name": "prometheus",
"display_name": "Prometheus",
"description": "Metrics Collection und Alerting",
"service_type": MONITORING,
"port": 9090,
"technology_stack": ["Prometheus"],
"repository_path": None,
"docker_image": "prom/prometheus",
"data_categories": ["metrics", "alerts"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Infrastructure",
"regulations": [
{"code": "NIS2", "relevance": MEDIUM, "notes": "Incident Detection"},
]
},
# =========================================================================
# WEBSITE / FRONTEND
# =========================================================================
{
"name": "website",
"display_name": "Next.js Website",
"description": "Frontend-Anwendung für Nutzer und Admin-Panel",
"service_type": BACKEND,
"port": 3000,
"technology_stack": ["Next.js", "React", "TypeScript", "TailwindCSS"],
"repository_path": "/website",
"docker_image": "breakpilot-pwa-website",
"data_categories": ["frontend_state", "ui_preferences"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Frontend Team",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "Cookie-Consent UI"},
{"code": "TDDDG", "relevance": CRITICAL, "notes": "Cookie-Banner"},
{"code": "DSA", "relevance": MEDIUM, "notes": "Transparenz-Anforderungen"},
{"code": "BSI-TR-03161-2", "relevance": HIGH, "notes": "XSS-Prävention, CSRF"},
]
},
# =========================================================================
# ERP / BUSINESS
# =========================================================================
{
"name": "erpnext",
"display_name": "ERPNext",
"description": "Enterprise Resource Planning für Schulverwaltung",
"service_type": BACKEND,
"port": 8080,
"technology_stack": ["Python", "Frappe", "MariaDB"],
"repository_path": None,
"docker_image": "frappe/erpnext",
"data_categories": ["business_data", "employee_data", "financial_data"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Business Team",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Mitarbeiterdaten"},
]
},
{
"name": "erpnext-db",
"display_name": "ERPNext Database (MariaDB)",
"description": "Dedizierte MariaDB für ERPNext",
"service_type": DATABASE,
"port": 3306,
"technology_stack": ["MariaDB"],
"repository_path": None,
"docker_image": "mariadb",
"data_categories": ["erp_data"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "high",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "ERP-Daten"},
{"code": "BSI-TR-03161-3", "relevance": HIGH, "notes": "Datenbank-Sicherheit"},
]
},
# =========================================================================
# COMPLIANCE SERVICE (Self-Reference)
# =========================================================================
{
"name": "compliance-module",
"display_name": "Compliance & Audit Module",
"description": "Dieses Modul - Compliance-Management, Audit-Vorbereitung, Risiko-Tracking",
"service_type": BACKEND,
"port": None,
"technology_stack": ["Python", "FastAPI", "SQLAlchemy"],
"repository_path": "/backend/compliance",
"docker_image": None,
"data_categories": ["compliance_data", "audit_records", "risk_assessments"],
"processes_pii": False,
"processes_health_data": False,
"ai_components": True,
"criticality": "high",
"owner_team": "Compliance Team",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "Art. 30 VVZ, Art. 35 DPIA"},
{"code": "AIACT", "relevance": MEDIUM, "notes": "KI-Interpretations-Feature"},
]
},
# =========================================================================
# DSMS - Dezentrales Speichersystem (Private IPFS)
# =========================================================================
{
"name": "dsms-node",
"display_name": "DSMS Node (IPFS)",
"description": "Dezentraler IPFS-Node für verteiltes Speichersystem",
"service_type": STORAGE,
"port": 5001,
"technology_stack": ["IPFS", "Go"],
"repository_path": "/dsms-node",
"docker_image": "breakpilot-pwa-dsms-node",
"data_categories": ["distributed_files", "content_hashes"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": HIGH, "notes": "Dezentrale Datenspeicherung"},
{"code": "BSI-TR-03161-3", "relevance": MEDIUM, "notes": "Speichersicherheit"},
]
},
{
"name": "dsms-gateway",
"display_name": "DSMS Gateway",
"description": "REST API Gateway für DSMS/IPFS Zugriff",
"service_type": BACKEND,
"port": 8082,
"technology_stack": ["Python", "FastAPI"],
"repository_path": "/dsms-gateway",
"docker_image": "breakpilot-pwa-dsms-gateway",
"data_categories": ["file_metadata", "access_logs"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "API für Dateizugriff"},
]
},
# =========================================================================
# ADDITIONAL INFRASTRUCTURE
# =========================================================================
{
"name": "mailpit",
"display_name": "Mailpit (Development Mail Server)",
"description": "Lokaler E-Mail-Server für Entwicklung und Testing",
"service_type": INFRASTRUCTURE,
"port": 8025,
"technology_stack": ["Go"],
"repository_path": None,
"docker_image": "axllent/mailpit",
"data_categories": ["test_emails"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "low",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": LOW, "notes": "Nur für Entwicklung"},
]
},
{
"name": "backup",
"display_name": "Database Backup Service",
"description": "Automatisches PostgreSQL Backup (täglich 2 Uhr)",
"service_type": INFRASTRUCTURE,
"port": None,
"technology_stack": ["PostgreSQL Tools"],
"repository_path": None,
"docker_image": "postgres:16-alpine",
"data_categories": ["database_backups"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "critical",
"owner_team": "Infrastructure",
"regulations": [
{"code": "GDPR", "relevance": CRITICAL, "notes": "Art. 32 Backup-Pflicht"},
{"code": "BSI-TR-03161-3", "relevance": CRITICAL, "notes": "O.Back_1 Datensicherung"},
]
},
# =========================================================================
# BREAKPILOT DRIVE - Unity WebGL Lernspiel
# =========================================================================
{
"name": "breakpilot-drive",
"display_name": "Breakpilot Drive (Unity Game)",
"description": "Unity WebGL Lernspiel mit LLM-Integration",
"service_type": BACKEND,
"port": 3001,
"technology_stack": ["Unity", "WebGL", "Nginx"],
"repository_path": "/breakpilot-drive",
"docker_image": "breakpilot-pwa-drive",
"data_categories": ["game_progress", "player_data", "leaderboards"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": True,
"criticality": "medium",
"owner_team": "Education Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Spieldaten und Fortschritt"},
{"code": "AIACT", "relevance": MEDIUM, "notes": "LLM-Integration"},
]
},
# =========================================================================
# CAMUNDA - BPMN Workflow Engine
# =========================================================================
{
"name": "camunda",
"display_name": "Camunda BPMN Platform",
"description": "Workflow Engine für Business Process Automation",
"service_type": BACKEND,
"port": 8089,
"technology_stack": ["Java", "Camunda", "PostgreSQL"],
"repository_path": None,
"docker_image": "camunda/camunda-bpm-platform",
"data_categories": ["workflow_instances", "process_variables"],
"processes_pii": True,
"processes_health_data": False,
"ai_components": False,
"criticality": "medium",
"owner_team": "Backend Team",
"regulations": [
{"code": "GDPR", "relevance": MEDIUM, "notes": "Workflow-Daten können PII enthalten"},
]
},
]
def get_service_count() -> int:
"""Returns the number of registered services."""
return len(BREAKPILOT_SERVICES)
def get_services_by_type(service_type: str) -> List[Dict[str, Any]]:
"""Returns all services of a specific type."""
return [s for s in BREAKPILOT_SERVICES if s["service_type"] == service_type]
def get_services_processing_pii() -> List[Dict[str, Any]]:
"""Returns all services that process PII."""
return [s for s in BREAKPILOT_SERVICES if s["processes_pii"]]
def get_services_with_ai() -> List[Dict[str, Any]]:
"""Returns all services with AI components."""
return [s for s in BREAKPILOT_SERVICES if s["ai_components"]]
def get_critical_services() -> List[Dict[str, Any]]:
"""Returns all critical services."""
return [s for s in BREAKPILOT_SERVICES if s["criticality"] == "critical"]