Vendor-Backed (Single Vendor)
The project is open source, but the copyright and roadmap are controlled 100% by a single for-profit company (e.g., Vercel, MongoDB Inc., Hashicorp). They effectively dictate the future of the software.
SOC 2 Type II is the de facto security standard for B2B SaaS in North America. In 2026, it has evolved into a continuous control monitoring (CCM) framework.
ISO 27001:2022 is the international gold standard for Information Security Management Systems (ISMS), now including cloud and privacy extensions.
The General Data Protection Regulation (GDPR) is the EU's strict privacy framework, mandating data-sharing-by-design and real-time user data portability.
HIPAA sets the standard for protecting sensitive patient data. Open source tools must be HIPAA Eligible to be used in US healthcare environments.
eIDAS is the EU regulation establishing a cross-border legal framework for electronic signatures, seals, and trust services across all 27 member states.
The ESIGN Act is the US federal law granting electronic signatures the same legal validity as handwritten signatures across interstate and foreign commerce.
FERPA is the US federal law governing student education record privacy. Any open source tool deployed in K-12 or higher education handling student data must be FERPA-eligible.
PCI DSS v4.0 is the mandatory security standard for any organization handling card payments. Self-hosting payment infrastructure can radically reduce your compliance scope — or expand it.
FedRAMP 20x is the modernized US government standard for cloud security, focusing on automated validation and machine-readable authorization packages.
CMMC 2.0 is the US Department of Defense's mandatory cybersecurity certification framework for defense contractors and suppliers handling Federal Contract Information or Controlled Unclassified Information.
Cyber Essentials Plus is the UK government's independently verified cybersecurity certification, required for MOD contracts and central government suppliers handling sensitive data.
FIPS 140-3 is the NIST standard validating cryptographic modules for US federal use. Software handling sensitive government data must use FIPS-validated cryptography — not just claim encryption.
WCAG 2.2 AA is the current W3C web accessibility standard, superseding 2.1 with new criteria for authentication, mobile interaction, and cognitive accessibility.
The EU CRA mandates security requirements for software products in the EU market, focusing on SBOMs and rapid vulnerability reporting.