Aligned, not certified · DORA, Solvency II, HIPAA, FedRAMP · Honest about gaps
Element34 does not claim certifications it does not hold. SBOX claims architectural capabilities that survive a serious due-diligence review. Single-tenant inside the customer perimeter, customer-controlled keys, audit logs to your SIEM. The page below shows what we deliver, what stays with the customer, and where we say no.
“Element34 does not claim SOC 2, ISO 27001, HIPAA, or FedRAMP certifications. SBOX claims architectural capabilities that survive a banking security review and a DORA third-party ICT risk assessment.”
An honest matrix. For each framework it lists the posture, what SBOX delivers architecturally, and what remains the customer's responsibility.
| Framework | Posture | What SBOX provides | Customer responsibility |
|---|---|---|---|
| GDPR | Aligned by architecture | Region pinning across EU-Central, EU-West, UK, Switzerland. Customer-managed encryption keys. RBAC via SSO. Audit logs to customer SIEM. Customer-defined retention. | Customer selects region, configures retention, owns IdP and key material. |
| HIPAA (PHI residency) | Aligned by architecture | PHI stays inside the customer environment. SBOX never touches PHI. Encryption in transit and at rest with customer keys. Customer-defined audit retention. | Customer owns BAA scoping, PHI handling outside the SBOX session boundary, and IdP integration. |
| DORA | Aligned by architecture | Deploys inside the financial entity's regulated environment. Architecture documentation supports ICT third-party risk assessment under Articles 28 and 29. License-and-support contract structure, not Pillar III ICT outsourcing. | Customer runs the ICT third-party risk assessment with Element34 documentation as input. |
| PSD2 | Aligned by architecture | Single-tenant inside the customer perimeter. Customer-controlled keys for payment-flow test data. EU region pinning. | Customer scopes payment data residency and key material policy. |
| Solvency II | Aligned by architecture | Solvency II-aligned by architecture. Testing data, prompts, and audit events stay inside the regulated insurance entity. EU region pinning. Customer SIEM integration. | Insurer owns scope mapping. SBOX does not become a Pillar III ICT outsourcing dependency. |
| NAIC Insurance Data Security | Aligned by architecture | NAIC-aligned by architecture. Encryption in transit and at rest with customer-controlled keys. Audit logs to customer SIEM. No transfer of regulated insurance data to Element34. | Insurer owns Model Law scope mapping and incident response. |
| FedRAMP | Aligned, not authorized | FedRAMP-aligned architecture for federal customers. Single-tenant by default, customer-controlled keys, region pinning to US or GovCloud. | Federal customer procures through Carahsoft and runs the FedRAMP-aligned review with the authorizing official. |
| GovCloud | Compatible in Managed + VPC | Managed Private Cloud deploys to AWS GovCloud. VPC deployment runs in the customer GovCloud account. | Customer cloud account team owns GovCloud configuration. |
| SOC 2 | Not certified | Element34 does not currently hold SOC 2 attestation. SBOX architecture is designed to meet the controls SOC 2 reviewers check for. | Architecture documentation is available under NDA for customer security reviews. |
| ISO 27001 | Not certified | Element34 does not currently hold ISO 27001 certification. SBOX architecture is designed to meet ISO 27001 control families relevant to the test automation workload. | Architecture documentation is available under NDA for customer security reviews. |
| Zero-trust | Zero-trust posture | Zero-trust posture, not zero-trust certification. No VPN tunnels, customer IdP for identity, customer KMS for keys, customer SIEM for audit. | Customer enforces zero-trust policy across IdP, network, and key material. |
| SBOM / supply-chain | Shared under NDA | SBOM artifact shared under NDA during architecture review. Format and refresh cadence confirmed during procurement scoping. | Customer security review owns SBOM ingest and CVE triage integration. |
SBOX runs the same architecture for each regulated buyer. The framework lists below reflect the language each industry's compliance, audit, and procurement teams use during review.

- DORA-aligned by architecture, GDPR-aligned by design. EU region pinning, single-tenant, customer-controlled keys.
- Solvency II and NAIC aligned by architecture, GDPR-aligned. Region pinning for EU insurers, US deployments for NAIC scope.
- FedRAMP-aligned architecture, GovCloud-compatible. Carahsoft is a preferred channel partner; other procurement paths are also available.
- HIPAA-aligned by architecture, GDPR-aligned. SBOX never touches PHI; PHI stays inside the customer environment.
- HIPAA-aligned for medical-device test platforms, GDPR-aligned, hybrid cloud for connected-device fleets.
SBOX is in production at Tier-1 European banks, global reinsurers, and U.S. federal agencies. Each customer completed an independent security review of the SBOX architecture before deployment. References are available under NDA.
We will walk your compliance, audit, and procurement teams through the matrix, share the architecture documentation under NDA, and answer the framework-specific questions your reviewers raise.