ISO/IEC 27001:2022
Information security management system. The 2022 revision introduced controls for cloud services, data leakage prevention, and threat intelligence — all directly impacted by unmonitored AI tool usage.
Organisations must define and implement controls for the acquisition, use, management, and exit from cloud services, including documenting data transfers to cloud providers.
How Svalin addresses it
Captures every API call made to external AI providers (Anthropic, Google, OpenAI) including data transferred. Produces audit-ready logs of cloud service usage that satisfy A.5.23 evidence requirements.
DLP measures must be applied to systems, networks, and devices that process, store, or transmit sensitive information. Organisations must detect and prevent unauthorised disclosure.
How Svalin addresses it
Policy engine acts as a DLP enforcement point for AI tool data flows — detecting sensitive data categories (PII, credentials, health data, confidential IP) in MCP server calls and blocking or alerting in real time.
Security requirements for accessing organisational assets must be agreed with suppliers and documented, including third-party AI providers processing organisational data.
How Svalin addresses it
Provides continuous evidence of what data was shared with each AI provider — Anthropic, Google, OpenAI — at what time, by which user, and under which policy. Turns a static contractual control into a live operational one.
Data masking, pseudonymisation, or anonymisation must be applied to sensitive data in processing or transfer where appropriate, based on access control policy.
How Svalin addresses it
Detects sensitive data categories in MCP server payloads before they reach external models. Policy engine can warn or block calls where unmasked PII or confidential data is detected. Audit trail shows which calls were governed.
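The DLP enforcement point and data-masking checks described above, as an added illustration that is not Svalin's code: a policy check that scans the arguments of an MCP tools/call request for sensitive-data categories, maps each category to a warn or block action, and emits the audit record (user, provider, tool, categories, decision). The detectors, the category names, the policy table and the sample request are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed detectors (not Svalin's): category -> regex applied to string values.
DETECTORS = {
    "pii_email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credential_aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_secret": re.compile(r"(?i)\b(api[_-]?key|password|secret)\s*[:=]\s*\S+"),
}
# Constructed policy: action per category; "block" outranks "warn".
POLICY = {"pii_email": "warn", "credential_aws_key": "block", "credential_secret": "block"}

def _strings(node):
    """Yield every string leaf of a JSON-like tree (dicts, lists, scalars)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def classify(payload):
    """Return the sensitive-data categories found anywhere in the payload."""
    return {cat for text in _strings(payload)
            for cat, rx in DETECTORS.items() if rx.search(text)}

def evaluate(request, provider, user, now=None):
    """Decide allow/warn/block for one MCP JSON-RPC request and build its audit record."""
    params = request.get("params", {})
    cats = classify(params.get("arguments", {})) if request.get("method") == "tools/call" else set()
    actions = {POLICY[c] for c in cats}
    decision = "block" if "block" in actions else "warn" if "warn" in actions else "allow"
    audit = {"time": (now or datetime.now(timezone.utc)).isoformat(), "user": user,
             "provider": provider, "tool": params.get("name"),
             "categories": sorted(cats), "decision": decision}
    return decision, audit

# Constructed MCP tools/call request carrying an e-mail address and an AWS key id.
SAMPLE = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
          "params": {"name": "summarize",
                     "arguments": {"text": "Contact jane@example.com; key AKIAABCDEFGHIJKLMNOP"}}}

if __name__ == "__main__":
    print(evaluate(SAMPLE, "anthropic", "alice"))  # decision "block", two categories
```

The audit record is what maps back to the evidence requirement: every governed call carries the user, provider, policy outcome and the categories that triggered it, whether or not the call was allowed through.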
Strengthen your ISO 27001 posture for AI
See how Svalin provides the evidence your auditors need for AI tool governance.