| Requirement | Applicability | Notes |
|---|
| EU data subjects | Yes | Malta-based customers (EU citizens) |
| Data residency | Yes | All data stored in swedencentral (EU) |
| Right to erasure | Yes | Must support deletion of customer PII on request |
Payment is strictly cash on delivery — no cardholder data is stored, processed,
or transmitted. No network segmentation or encryption requirements under PCI-DSS.
Not required for this scope. A basic SLA is sufficient; no SOC 2 audit is planned.
No health data is handled. No BAA or HIPAA-specific audit logging required.
Not required for this scope. The environment is simple with a best-effort support model.
| Requirement | Value |
|---|
| Primary Region | swedencentral |
| Data Sovereignty | EU-only |
| Cross-region Replication | Not required |
| Requirement | Value |
|---|
| Identity Provider | Social IdPs via App Service Authentication (Easy Auth) |
| MFA Requirement | Not required |
| RBAC Model | Application-level (staff vs customer) |
| Control | Required | Notes |
|---|
| Private endpoints | ✅ | Key Vault, Storage, ACR via VNet |
| VNet integration | ✅ | App Service S1 with VNet integration |
| Public endpoints acceptable | ✅ | App Service public inbound only; backend services private |
| WAF required | ❌ | Not justified for < 1K concurrent users |
| Control | Recommended | User Confirmed | Notes |
|---|
| Managed Identity | Yes | Yes | App Service to Key Vault, Storage, and ACR |
| Private Endpoints | Yes | Yes | Key Vault, Storage Account, ACR via VNet PE |
| WAF | No | No | Low traffic; not cost-justified |
| Key Vault for Secrets | Yes | Yes | Store storage connection strings securely |
| Diagnostic Settings | Yes | — | Basic logging to Log Analytics (recommended) |
| TLS 1.2 Minimum | Yes | Yes | Enforced on all endpoints |
| Encryption at Rest | Yes | — | Platform-managed (Azure default) |
| Network Isolation | Yes | Yes | VNet integration with private endpoints |
