Effective November 20, 2025, our enhanced Compliance Vault protocols are live across all production systems. These updates strengthen data security, improve audit capabilities, and ensure continued regulatory compliance. Here's what changed and what you need to know.

What Changed

1. Encryption at Rest Upgraded to AES-256-GCM
The previous system used AES-256-CBC. The new implementation provides authenticated encryption, protecting against tampering and certain attack vectors. All existing data was re-encrypted during the November 18-19 maintenance window, with zero user-visible impact.

2. Role-Based Access Control (RBAC) Granularity Increased
The prior system offered 8 permission levels. The new system provides 24 distinct permission scopes, which enables finer control over who accesses what data. Administrative users must review and update team member permissions to match the new granularity. Default settings preserve existing access patterns.

3. Audit Logging Enhanced
The system now captures additional metadata for compliance events: timestamp, user identity, IP address, action taken, resources affected, and success/failure status. Logs are retained for 7 years per regulatory requirements. A new dashboard provides audit trail visualization.

4. Two-Factor Authentication Required for Vault Access
Any user accessing compliance vault data must complete 2FA verification. This applies equally to API access and the web interface. Time-based one-time passwords (TOTP) or hardware security keys are accepted. SMS-based 2FA is deprecated for security reasons.

5. Data Retention Policies Automated
Compliance regulations require specific retention periods for different data types. The new system enforces these automatically. Financial records: 10 years. Communication logs: 7 years. Temporary working files: 90 days. The system handles expiration and secure deletion without manual intervention.

Why This Matters

These changes serve three objectives:

Regulatory Compliance: Updated protocols meet requirements from GDPR, DPDPA, SOC 2, and ISO 27001. An external audit completed in August 2025 identified gaps. These updates close all identified issues.

Security Hardening: The threat landscape evolves constantly. Authenticated encryption prevents classes of tampering attacks that unauthenticated encryption permits. Enhanced RBAC reduces the insider threat surface area. Comprehensive audit logs enable faster incident response.

Operational Efficiency: Automated retention policies reduce manual administration workload. Granular permissions mean fewer blanket access grants. Audit dashboards surface compliance issues proactively rather than during crisis response.

"Security is a continuous process, maintaining readiness through consistent improvement."

Required Actions

All Users: Enable 2FA on your account within 7 days. Access to the compliance vault will be restricted after November 27 for accounts without 2FA enabled. Setup instructions have been sent via email.

Administrative Users: Review team member permissions using the new granular controls. Default mappings preserve existing access, but you may want tighter restrictions based on the principle of least privilege. A permission review dashboard is available in the admin panel.

API Integration Owners: API authentication now requires 2FA for vault endpoints. Update integration workflows to include TOTP generation. The documentation has been updated with code examples for common platforms.
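For integration owners, the following added example (not taken from the vault documentation) shows standard RFC 6238 TOTP generation using only the Python standard library. The key is the published RFC test key, `totp_for_request` and its `min_remaining` parameter are hypothetical helpers, and how a vault endpoint accepts the code is not described here, so that step is left out.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code (RFC 6238 default)
DIGITS = 6
# Constructed sample: the published RFC 6238 SHA-1 test key, not a real vault secret.
RFC_KEY = b"12345678901234567890"


def decode_secret(b32: str) -> bytes:
    """Decode a Base32 enrollment secret, tolerating spaces, case and missing padding."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now=None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits)


def totp_for_request(key: bytes, now=None, step: int = STEP, min_remaining: int = 5):
    """Hypothetical helper: return (code, wait_seconds).

    If the current code expires in under min_remaining seconds, return the
    next window's code and how long to wait, so an automated call does not
    race the window boundary and get rejected.
    """
    now = int(time.time() if now is None else now)
    remaining = step - (now % step)
    if remaining < min_remaining:
        return totp(key, now + remaining, step), remaining
    return totp(key, now, step), 0


if __name__ == "__main__":
    code, wait = totp_for_request(RFC_KEY)
    print(f"wait {wait}s, then send code {code}")
```

The shared secret is equivalent to the second factor itself, so an integration should load it from its secret store at run time rather than embedding it in source or configuration files.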

Timeline

November 20: New protocols activated
November 27: 2FA required for vault access
December 4: Permission review period ends
December 11: Automated retention policies begin enforcement

ACTION REQUIRED

Enable 2FA on your account by November 27. Review team permissions by December 4. Update API integrations to support the new authentication flow. Questions or issues? Contact the security team at security@ibbe.in for assistance.