Security engineering
Security & Governance
AISERV treats security as an engineering discipline—not a list of controls added after delivery. The aim is to limit exposure, enforce least privilege, and keep sensitive operations under human authority and institutional review.
Design starts with service boundaries, access models, and evidence paths before production scope expands. Public surfaces stay minimal: no unnecessary runtime on open routes, hardened perimeter transport, and no secrets in public repositories. Inside the platform, authenticated limits, explicit state-change policy, and segregated trust between operators, services, and integrations define how work proceeds.
Records are append-oriented and correlated across delivery, access, and lifecycle transitions—so teams can reconstruct events when assessment, incident response, or internal review requires it. Recipient verification remains separate from content stores; outcomes are logged before exposure.
These criteria inform work often discussed alongside ENS, CCN-STIC, GDPR, and eIDAS. AISERV makes no certification claim unless formally accredited. Vulnerability reports: security@aiserv.es (see SECURITY.md). This text is technical context, not legal advice.
-
01 Security-first architecture
Service boundaries, access models, and evidence paths are defined before production scope expands—compatible with ENS-oriented assessment discussions, not retrofitted controls.
-
02 Reduced public attack surface
Static delivery without an application runtime on the public path; no secrets in the repository; hardened transport at the edge. Inspired by high-security hardening patterns used in institutional perimeter design.
-
03 Governed platform boundaries
Authenticated service limits, explicit state-change policy, and logged side-effects on sensitive operations. Boundaries shaped for technical evaluation and institutional review.
-
04 Controlled access paths
Verification isolated from content stores; bounded attempts and logged outcomes before exposure. Governed paths for patient-facing and operator-facing access—aligned with high-level access-control expectations without opening internal systems.
-
05 Lifecycle evidence
Correlated, append-oriented events across delivery, access, and lifecycle—built for reconstruction when assessment or incident response requires proof.
-
06 Least privilege
Scoped roles, tokens, and integration credentials with policy enforced before routing. Segregated trust between operators, services, and integration endpoints.
-
07 End-to-end visibility
One coherent chain from request through handoff, access, and storage—an engineering default where silent failure is unacceptable.
-
08 Deployment discipline
Protected secrets, verified dependencies, and documented security headers in production. Deployment discipline so access policies and evidence retention remain enforceable after release.
-
09 Responsible disclosure
Report suspected vulnerabilities in AISERV SYSTEMS infrastructure or supported deployments privately before public disclosure. See SECURITY.md for scope and coordination. AISERV does not operate a paid bug bounty programme.
Engineering evaluation context
Authoritative Spanish and EU sources that inform how AISERV shapes control design, access models, and evidence expectations in regulated and institutional settings.
-
ENS — National Security Scheme
Real Decreto 311/2022 and CCN-CNI normativa—engineering context for service categorisation, security measures, and operational evidence in ENS-oriented assessment work.
-
CCN-STIC guidance
CCN catalogues and STIC implementation guides—reference for hardening patterns, operational security controls, and technical evaluation narratives.
-
GDPR / LOPDGDD
EU and Spanish data protection framework for minimisation, purpose limitation in logs, and accountability-oriented processing design.
-
eIDAS
EU electronic trust framework—context for strong recipient-verification and signature patterns where institutional policy requires them.
-
Patient autonomy and clinical documentation
Ley 41/2002—Spanish framework for patient-facing information, clinical documentation handling, and proportionate access in healthcare workflows.
-
AEPD healthcare data protection guidance
AEPD sector guide on health-data handling, proportionality, and operational accountability in clinical environments.
These references are used as engineering context and evaluation criteria, not as a public claim of certification.
This website provides technical and operational information, not legal advice.
AISERV SYSTEMS is not claiming third-party security certification unless explicitly stated.