Beta status & disclaimer
Every template in the Control template catalog ships in
v0.1.0-beta. This page explains what that means, what the
templates are not, and where to go for authoritative
requirements per framework. It applies to every framework page —
each links here in lieu of restating the same disclaimer.
What “public beta” means
Control shapes, field names, and config schemas may change between
beta versions (v0.2.0-beta, v0.3.0-beta, …).
The constraint engine itself is production-stable — only the
template content is evolving. Promotion to v1.0.0 (GA)
requires:
- External audit-firm review OR 12+ months of production-deployment evidence without auditor-surfaced gaps, AND
- The per-rule positive/negative/scope test discipline shipping in CI.
No GA date is promised; the path is criteria-based.
This is not a compliance certification
ArchRails is not a QSA, auditor, Data Protection Authority (DPA), certified DPO, national competent authority (NCA), NYDFS-recognised advisor, AICPA-licensed organisation, or compliance consulting firm. We have not had these templates reviewed by any regulator or accredited body. The snippets you find under each framework represent our best-effort interpretation of the architecturally enforceable surface of that regulation, nothing more.
Referencing a template does not make your organisation compliant. Compliance with each framework is a fact-specific assessment that covers far more than architecture — legal basis, contracts, process, documentation, training, incident response, record-keeping, and the full data or transaction lifecycle. The architectural slice these templates address is one fragment of that surface. Your DPO, privacy counsel, QSA, internal audit team, or external compliance advisor makes the compliance determination.
You are responsible for assessing whether each control snippet is appropriate for your environment. Field names, retention horizons, encryption algorithms, scoping decisions, and threshold values are illustrative — your privacy or compliance function should review and tune them against your actual data flows, your Record of Processing Activities (or equivalent inventory), and your regulator’s enforcement priorities.
Authoritative sources by framework
Where a template and the underlying regulation diverge, the regulation governs. Refer to the primary source for each framework:
| Framework | Authoritative source(s) |
|---|---|
| GDPR Article 32 | Regulation (EU) 2016/679; EDPB Guidelines; your national DPA (CNIL, AEPD, etc.). The ICO is the authority for UK GDPR, which is a separate instrument. |
| SOC 2 Type II | AICPA Trust Services Criteria; your CPA firm of record. |
| PCI DSS v4.0 | PCI Security Standards Council documents; your QSA. |
| HIPAA Security Rule | 45 CFR Part 164, Subpart C (§§ 164.302–164.318); HHS Office for Civil Rights (OCR) guidance. |
| NIST CSF 2.0 | NIST CSWP 29 (The NIST Cybersecurity Framework 2.0) and its informative references. |
| ISO/IEC 27001:2022 | ISO/IEC 27001:2022 and ISO/IEC 27002:2022; your accredited certification body. |
| DORA | Regulation (EU) 2022/2554; the ESAs' joint RTS/ITS adopted under it. |
| MiFID II / RTS 22 | Directive 2014/65/EU (MiFID II); Regulation (EU) No 600/2014 (MiFIR) Art. 26, which RTS 22 (Commission Delegated Regulation (EU) 2017/590) supplements; ESMA Q&A; your NCA. |
| NYDFS 23 NYCRR Part 500 | 23 NYCRR Part 500 (current amended text); NYDFS guidance. |
| SOX 404 ITGC | PCAOB AS 2201; SEC SOX 404 rules; your external audit firm. |
What ArchRails is, and isn’t
If you need an assessed controls library — one that has been reviewed by a QSA, DPA, certified DPO, audit firm, or regulator — engage that party directly. They will tailor the controls to your environment and warrant the assessment.
If you want a deterministic enforcement engine for the architectural controls you (or your advisor) authored, that is what ArchRails is. The engine evaluates your authored config against the requirement schemas you attach, deterministically, on every PR. Engine behaviour is the same in beta and GA; only the template content is gated on the criteria above.