Compliance and security questionnaires¶
OntoSQL is MIT-licensed open-source library software, not a hosted service. This page helps security and compliance teams complete vendor questionnaires honestly.
Not certified
OntoSQL has no SOC 2, ISO 27001, HIPAA BAA, FedRAMP, or PCI attestation. Your application inherits compliance obligations for data storage, access control, and logging.
What OntoSQL is responsible for¶
| Area | OntoSQL role |
|---|---|
| SQL compilation | Bound parameters for filter/save values; rejects raw text() in semantic filters — SECURITY.md |
| HTTP scaffold | OntoRouter validates bodies and caps size; does not provide authn/authz |
| RDF import | Optional byte/triple/nesting limits; untrusted=True defaults |
| Graph sync | Post-commit queue; no two-phase commit |
What your application is responsible for¶
| Area | Your responsibility |
|---|---|
| Authentication / authorization | Required before public OntoRouter exposure |
| Data at rest / in transit | Database TLS, encryption, backups — OntoSQL uses your SQLAlchemy engine |
| Audit logging | Who accessed which {entity_id} — not built into OntoRouter |
| PII / PHI handling | Your semantic models and retention policies |
| Network perimeter | Rate limits, WAF, private networking |
| Schema migrations | Alembic and DBA processes — Alembic guide |
| Supply chain | Pin ontosql and transitive deps; scan your lockfile |
Common framework mappings¶
These are informative, not certifications.
SOC 2 (Trust Services Criteria)¶
| Criterion | OntoSQL contribution | Gap |
|---|---|---|
| CC6 Logical access | None — host app implements IAM | Full CC6 in your app + infra |
| CC7 System operations | Basic ontosql logger hooks |
No SIEM integration; OTel planned 0.7 |
| CC8 Change management | Semver from 1.0 only | Pre-1.0 API may change — pin versions |
HIPAA¶
OntoSQL is not a Business Associate by itself. If you process PHI:
- Run OntoSQL inside your HIPAA-compliant environment
- Do not expose
OntoRouterwithout auth and audit trails - Document mapper and export paths that serialize PHI to RDF/JSON-LD
FedRAMP / government cloud¶
No FedRAMP authorization. Evaluate as third-party open-source dependency in your ATO package; include SECURITY.md and dependency SBOM from your build.
GDPR / data residency¶
OntoSQL does not store data. Residency is determined by your SQL database and graph targets. RDF export may duplicate personal data into graph stores — design retention and erasure in both SQL and graph layers.
Data processing locations¶
| Component | Where data lives |
|---|---|
OntoSession |
Your configured SQL database |
StoreSyncTarget / graph sync |
In-process or SparqlModel store you configure |
PyLD (ontosql[jsonld]) |
May fetch remote @context URLs — SSRF risk on untrusted input |
| Read the Docs | Documentation only — not runtime |
Vulnerability management¶
Report via GitHub Security Advisories. No published SLA for fix or disclosure timelines in 0.5.x — see SECURITY.md.
Third-party dependencies¶
Core: SQLModel, TripleModel (RDF), typing-extensions. Optional: FastAPI, PyLD, SparqlModel, pySHACL. See DEPS.md and COMPATIBILITY.md.
SQL-only apps still install TripleModel as a core dependency for CURIE expansion and optional export.
Questionnaire quick answers¶
| Question | Answer |
|---|---|
| Is OntoSQL production-ready? | No — 0.5.x beta; GA at 1.0 |
| Is there commercial support? | No — community/GitHub only — SUPPORT.md |
| Where is data stored? | Your SQL DB and optional graph — not OntoSQL servers |
| Is multi-tenant isolation provided? | No — single-tenant library in your process |
| Penetration test available? | No published report |
| Performance SLA? | None — benchmarks planned 0.9 |
Enterprise evaluation¶
Complete the enterprise adoption checklist before procurement approval.