CC6.4 — Physical access restrictions
Status: Partially implemented (VPS access restricted to two principals; corporate-IT physical-access policy target week 22)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity restricts physical access to facilities and protected information assets (for example, data centre facilities, back-up media storage, and other sensitive locations) to authorised personnel. The control covers data-centre physical security (operated by the colocation/VPS provider on our behalf), the entity's own offices, the physical custody of backup media, and the procedure for retiring physical devices.
How ZeroAuth meets this control
The compliance roadmap §1.3 ("Geographic scope") and the threat model "Threat surface inventory" together describe the data-centre footprint.
Production VPS. A single VPS at 104.207.143.14 hosts the Caddy + Postgres + Redis + app docker-compose stack. The VPS is operated under user zeroauth-deploy (CI key for automated deploys) and root (founder's laptop key for emergency console access). Both SSH principals are documented in docs/threat_model.md "Threat surface inventory". UFW is open only on ports 22, 80, 443. Caddy terminates TLS for both api.zeroauth.dev and zeroauth.dev. The provider gives the physical-security primitives — physical-access logs at the data-centre level are the provider's responsibility under our service agreement.
Data residency. The compliance roadmap §1.3 states: "Production database, audit log, and proof archive are hosted in ap-south-1 (Mumbai) on the primary VPS and replicated to a Hyderabad DR site (Phase 4 deliverable)." The Hyderabad DR replica + failover exercise are tracked as Phase 4 deliverables D-Q4-04 + D-Q4-05 (weeks 46 + 47). Until then, the single Mumbai VPS is the only physical asset under our control.
Backup media. Postgres backups are encrypted at rest and written to the same Mumbai region per the data-retention policy at docs/compliance/privacy/data-retention-policy-v0.md (commit e165569). The exact off-VPS backup destination (S3-compatible Indian-region bucket) is captured in the operational runbooks. Backup retention policy lands as part of D-Q1-20 (Phase 1 first-half compliance review).
Smart-contract physical surface. The deployer wallet for DIDRegistry and (forthcoming) AuditAnchor is held by Agent #25 (blockchain engineer) on a hardware-wallet-class device — per the threat model "Threat surface inventory" entry on Base Sepolia, the deployer wallet is the single onlyOwner and rotation is via npm run wallet:rotate. The HSM-backed signer migration (compliance roadmap D-Q4-06, week 48) takes the deployer wallet out of any human-physical-custody loop.
Corporate IT physical surface. Laptops carry source code + secrets; the operational baseline mandates disk encryption (FileVault / LUKS) + auto-lock + 1Password as the password manager. SSO is Google Workspace; the directory + admin centre live in the Google administrative console. GitHub Enterprise Cloud is the source-of-truth source code host. The corporate-IT physical-access policy as a written artefact (laptop loss procedure, BYOD posture, retired-device wipe procedure) is the named gap; target week 22 (2026-10-12) per the ISO Annex A surface-coverage list.
Office physical surface. Mid-2026: ZeroAuth is remote-first; there is no fixed company office. When the GTM line (roles 42–49) is hired and a physical office is contemplated (Phase 3 / Phase 4), the office-physical-access policy will be written alongside.
Visitor management + ID cards. Not applicable today (remote-first). The policy hook is reserved for when an office is opened.
Device-retirement. Laptop offboarding procedure lands as part of corporate-IT physical-access policy. Until then, the operating norm is: re-image at offboarding; confirm 1Password + GitHub access revoked; confirm no production credentials remain on the device.
Evidence references
- docs/threat_model.md "Threat surface inventory" — VPS access pinned to two principals, ports 22/80/443 only.
- docs/compliance/compliance-roadmap-v1.md §1.3 — data residency (ap-south-1 Mumbai → Hyderabad DR, Phase 4).
- docs/compliance/compliance-roadmap-v1.md §3.4 — Hyderabad DR exercise week 47.
- docs/compliance/compliance-roadmap-v1.md D-Q4-04 + D-Q4-05 — DR + mainnet schedule.
- docs/compliance/privacy/data-retention-policy-v0.md (commit e165569) — retention + backup-storage policy.
- Caddyfile (repository root) — TLS termination + reverse-proxy rules.
- docker-compose.yml (repository root) — service binding (Postgres + Redis bound to the docker network, app on 3000).
- CLAUDE.md §"Never commit secrets" — secrets handling discipline.
Open gaps + remediation roadmap
- Corporate-IT physical-access policy (laptop loss / BYOD / device retirement / disk encryption proof) — target week 22 (2026-10-12) for ISO Annex A surface coverage.
- Hyderabad DR replica + failover exercise — D-Q4-04 + D-Q4-05, target week 46 + week 47.
- HSM signer migration — D-Q4-06, target week 48; eliminates human-custody risk for the deployer wallet.
- Office physical-access policy — deferred until a physical office is opened.
- Quarterly walk-through of provider-data-centre attestation (SOC 2 reports from VPS provider) — first cycle target week 26 (2026-11-09), vendor review.
Test or audit query
ufw status on the VPS should show ALLOW rules for ports 22/80/443 only. The ~/.ssh/authorized_keys for zeroauth-deploy should contain exactly one key, whose fingerprint matches the CI key; the one for root should contain exactly one key, whose fingerprint matches the founder laptop key. cat docs/compliance/privacy/data-retention-policy-v0.md shows the backup-storage location.
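The two VPS checks above can be scripted so the audit is repeatable rather than eyeballed. The script below is an added example, not part of the ZeroAuth repository or its runbooks. It assumes the expected port set 22/80/443 from this document, and it runs against constructed samples of `ufw status` output and an authorized_keys file (the key material is a placeholder, not a real ZeroAuth key). It compares the authorized_keys entry's type and key material directly rather than calling ssh-keygen for a fingerprint, so it runs without OpenSSH installed; on the VPS, feed it the output of `sudo ufw status` and the contents of each principal's ~/.ssh/authorized_keys instead of the samples.

```shell
#!/bin/sh
# Added example (not ZeroAuth's own code): scripted CC6.4 audit checks.
# Samples below are constructed for offline use; key material is a placeholder.

# Constructed sample of `ufw status` output on a correctly configured host.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Constructed sample authorized_keys for zeroauth-deploy (placeholder key, not real).
SAMPLE_DEPLOY_KEYS='# CI deploy key (placeholder, constructed for this example)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCIDEPLOYKEY0000000000000000000000 ci@zeroauth'

# Expected CI key: type + key material only (the trailing comment is ignored).
EXPECTED_CI_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCIDEPLOYKEY0000000000000000000000'

# ufw_allowed_ports: read `ufw status` text on stdin, print the sorted, de-duplicated
# set of port numbers that have an ALLOW rule, space-separated (IPv4 and v6 rows merge).
ufw_allowed_ports() {
  awk '/ ALLOW / { split($1, p, "/"); print p[1] }' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# ufw_ports_match_expected: succeed iff the ALLOW set in $1 is exactly 22, 80 and 443.
# Any extra open port (or a missing one) is a finding against this control.
ufw_ports_match_expected() {
  actual=$(printf '%s\n' "$1" | ufw_allowed_ports)
  [ "$actual" = "22 80 443" ]
}

# authorized_keys_exact: succeed iff the authorized_keys text in $1 holds exactly one
# key entry and its "<type> <key material>" equals $2. Comment and blank lines are
# skipped; a second key, even a valid one, is a finding (the principal is pinned to one key).
authorized_keys_exact() {
  keys=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
  count=$(printf '%s\n' "$keys" | grep -c . || true)
  [ "$count" -eq 1 ] || return 1
  actual=$(printf '%s\n' "$keys" | awk '{ print $1, $2 }')
  [ "$actual" = "$2" ]
}

# cc64_audit: run both checks against the constructed samples and report.
cc64_audit() {
  if ufw_ports_match_expected "$SAMPLE_UFW_STATUS"; then
    echo "ufw: OK (ALLOW rules for 22/80/443 only)"
  else
    echo "ufw: FAIL (allowed ports: $(printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_allowed_ports))"
  fi
  if authorized_keys_exact "$SAMPLE_DEPLOY_KEYS" "$EXPECTED_CI_KEY"; then
    echo "zeroauth-deploy authorized_keys: OK (exactly the CI key)"
  else
    echo "zeroauth-deploy authorized_keys: FAIL"
  fi
}

cc64_audit
```

The same `authorized_keys_exact` call, with the founder laptop key as the expected value, covers the root principal. Keeping the checks as functions means the quarterly review can capture the live outputs into files and diff the results over time, which is the evidence an auditor will ask for.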