The Straitjacket Audit
Bauxite is engineered to simplify the compliance burden for organizations handling sensitive data. Our Straitjacket Architecture provides a technical “Proof of Non-Existence”—proving to auditors that sensitive data is neither stored nor leaked.
Regulatory Mapping
Bauxite directly addresses key controls in major security frameworks. Use the table below to support your internal compliance documentation.
| Framework | Requirement | Bauxite Implementation |
|---|---|---|
| SOC 2 | CC6.1: Logical Access | Zero-Trust Mode: Enforces mandatory mTLS and prevents unauthorized disk access. |
| SOC 2 | CC7.2: Monitoring | Audit Logging: Real-time logging of redaction events without leaking the PII itself. |
| HIPAA | 164.312(a)(1): Access Control | PII Janitor: Automatically scrubs ePHI before it leaves the secure network boundary. |
| HIPAA | 164.312(e)(1): Transmission Security | Stream Scrubbing: Real-time redaction of SSE streams ensures no PHI “leaks” in transit. |
| GDPR | Art. 25: Privacy by Design | Volatile-Only Memory: Data is structurally incapable of persisting beyond the request lifecycle. |
Technical “Straitjacket” Guarantees
When an auditor asks, “How do you know the data isn’t being saved?”, point to these three structural barriers:
1. The Disk-Write Barrier
Bauxite is compiled without persistent storage drivers (e.g., SQLite, LevelDB). In Zero-Trust Mode, the binary effectively operates as a “read-only” entity. Any attempt by the process to write to the local filesystem results in an immediate SIGKILL (Fail-Closed).
2. Request-Scoped Memory Isolation
Each request lives in its own isolated memory context.
- Wipe-on-Close: Once a request is finished, the PII Janitor zeroes out the memory buffers.
- No Side-Channel Leaks: By strictly enforcing a 20MB memory limit, Bauxite prevents the operating system from “swapping” memory pages to the disk, where data might linger.
3. Redacted Audit Trails
Traditional proxies log “Everything” to help with debugging. Bauxite logs “Metadata only.”
- Bad Log:
User [John] asked [What is my SSN 123-456-789?] - Bauxite Log:
User [REDACTED_ID] sent request [Type: PII_MATCH_SSN] [Tokens: 42]
Auditor Verification Steps
You can demonstrate Bauxite’s compliance in real-time during a “Walk-through” audit using these commands:
Verify No Disk Usage
# While running a high-load test, check for any files in the app directory
find /app -type f -not -name "bauxite-binary"Verify PII redaction
# Tail the logs while sending sensitive data
kubectl logs -f bauxite-intercept | grep "REDACTED"Business Associate Agreements (BAA)
When deploying Bauxite as a Sidecar, Bauxite acts as a Business Associate under HIPAA. Because it never stores data, it reduces the “Scope of Audit” for your primary database and application servers, as the PII is scrubbed before it reaches the external LLM providers.