IRAP
Nebula targets IRAP (Information Security Registered Assessors
Program) PROTECTED for the defence pack. The data-handling matrix
lives in docs/IRAP_MATRIX.md; this page summarises the controls.
In scope
The defence pack: classification atoms, classification-aware UI,
LLM gating for OFFICIAL: SENSITIVE projects, separate signing-key
policy.
Out of scope (this run)
The standalone PROTECTED enclave is a future deployment target. The
current single-tenant deployment is OFFICIAL-only.
Controls summary
- All data at rest and in transit encrypted (see
/docs/security/encryption)
- LLM disabled by default for OFFICIAL: SENSITIVE atoms
- Audit logs retained 7 years
- MFA enforced on admin accounts
- Hardware-key signing keys in production
Cross links
- /docs/security/residency: where data lives
- /docs/compliance/soc2: cross-walk