Security & Compliance Runbook

Product controls for ISO/IEC 27001 & PCI DSS v4.0.1.

Understand QueueRoom's edge security architecture, cryptographic integrity, state verification, and formal guidelines for achieving audit-ready compliance.

Architectural Standards

Four Pillars of QueueRoom Security

PCI Scope Reduction

QueueRoom strips query parameters/hashes on redirect and restricts client permissions via Permissions-Policy: payment=(), keeping all credit card details outside our Worker scope.

HMAC Integrity Trust

Config snapshots published to the Edge are validated using SHA-256 HMAC tokens with constant-time cryptographic comparison, preventing tampering or parameter injection attacks.

Zero-Trust Routing

Fail-safe configurations block unauthenticated or expired snapshots by failing closed (returning 503) instead of leaking routing parameters or origin database paths.

D1 Audit Logs

Every system modification, capacity tuning, and state change writes a permanent, queryable row to the D1 SQL database with the operator's Clerk credentials and action details.

ISMS Standard

ISO/IEC 27001:2022 Mapping

Repeatable, auditable evidence mapping in our monorepo to support security audits.

Control | Control Objective       | Implementation Evidence
A.5.15  | Access Control          | Clerk authentication wrappers in apps/control-plane/src/routes/_authenticated/ and RBAC tiers.
A.8.12  | Data Leakage Prevention | Hardened CHD scanning CI gates and Permissions-Policy: payment=() on edge redirects.
A.8.20  | Network Security        | Cloudflare edge routing, WAF policies, Turnstile validations, and HTTPS enforcement.
A.8.24  | Use of Cryptography     | SHA-256 HMAC authentication tags for KV updates, verified with a constant-time comparison.
A.8.16  | Activity Logging        | D1 database audit trail tables capturing all state changes and operator IDs.

Compliance Standard

PCI DSS v4.0.1 Requirement Mapping

Technical safeguards enforcing strict isolation of cardholder data from our waiting rooms.

Requirement     | Description                    | Implementation Verification
Req 3.1 - 3.7   | Protect Stored Account Data    | Zero CHD storage. The Worker only records room ID, timestamp, and traffic counts. No PAN or CVV/CVC elements exist.
Req 4.1 - 4.2   | Encrypt Transmission of Data   | Mandatory SSL/TLS (HTTPS) required on all redirect coordinates and KV publish endpoints.
Req 6.1 - 6.5   | Secure Software Lifecycle      | Continuous Integration gate (bun run audit:compliance) and isolated Vitest run sequences.
Req 8.1 - 8.6   | Identify & Authenticate Access | Full Clerk integration equipped with session timeouts, identity verification, and Multi-Factor Auth.
Req 10.1 - 10.7 | Log & Monitor Network Access   | Workers Analytics Engine recording Edge routing decisions and SQL-based incident tracking.

Audit Playbook

Compliance Officer Operational Runbook

Follow these guidelines to complete the formal organization-scoped and payment-scoped audits.

Step 01 GRC Setup

Organizational ISMS Vetting

Map QueueRoom's codebase controls into a Governance platform (e.g. Vanta, Drata). Upload policies concerning background checks, employee onboarding, access reviews, and device management.

Draft Information Security Policy
Complete annual risk assessment

Step 02 PCI Hardening

Confirm Routing Scope

Work with your network team to configure Cloudflare routing rules. Ensure that payment submission endpoints (e.g., /api/pay, /checkout/submit) bypass the waiting room completely to minimize CDE scope.

Confirm SAQ-A-EP eligibility
Ensure no payment script proxying

Step 03 External Audit

ASV & QSA Review

Contract an Approved Scanning Vendor (ASV) to run quarterly perimeter vulnerability scans. Retain a QSA to review the HMAC integrity and edge isolation configuration for final compliance sign-off.

Schedule quarterly ASV scans
Sign off GRC evidence folders