From 72ce2c5c8a6394b6b419fab5a4f212f23d69605f Mon Sep 17 00:00:00 2001 From: rudrapratik30 Date: Tue, 21 Apr 2026 15:16:41 +0530 Subject: [PATCH] claude changes --- .../security/compliance/CJIS.md | 354 ------------------ .../security/compliance/CJIS.mdx | 155 ++++++++ 2 files changed, 155 insertions(+), 354 deletions(-) delete mode 100644 docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.md create mode 100644 docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.mdx diff --git a/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.md b/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.md deleted file mode 100644 index 22781175aa..0000000000 --- a/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.md +++ /dev/null 
@@ -1,354 +0,0 @@ ---- -id: cjis -title: CJIS-Aligned Internal Tooling Using ToolJet -sidebar_label: Criminal Justice Information Services ---- - -## Scope and Objective - -This guide outlines how to implement CJIS-aligned (Criminal Justice Information Services) internal tools using ToolJet within agency-controlled environments. It focuses on mapping requirements from the CJIS Security Policy to system design, infrastructure controls, and application-layer enforcement. The goal is to provide a structured approach to building internal tools that operate within CJIS expectations without introducing additional risk or complexity. - -Now, before getting into implementation, it helps to clarify how CJIS defines compliance in practice. - -## CJIS Compliance Model - -At a high level, CJIS compliance is about how controls are enforced across systems. - -- There is no CJIS certification for platforms -- Responsibility lies with the agency -- Systems must enforce defined controls consistently - -### Responsibility Model - -| Layer | Responsibility | -|---|---| -| Infrastructure | Agency | -| Identity | Agency | -| Application | Shared | -| Platform | Enables enforcement | - -With that in place, the next step is to define how the system is structured. - -## System Model - -This is where the system model becomes important. - -### Components - -| Component | Role | -|---|---| -| Identity Provider | Authentication and MFA | -| ToolJet | Application layer | -| Data Systems | Source of CJI | -| Logging Systems | Audit and monitoring | - -### Trust Boundaries - -- Network boundary: private VPC or on premise -- Identity boundary: external authentication provider -- Data boundary: systems containing CJI - -All boundary crossings must be authenticated, authorized, and logged. Once the system boundaries are clear, the focus shifts to control areas. - -## Control Areas and Implementation Focus - -These control areas map directly to how internal tools need to behave. 
- -| Control Area | Implementation Focus | -|---|---| -| Access Control | Identity and authorization | -| Encryption | Data protection in transit and at rest | -| Audit Logging | Traceability and monitoring | -| Data Residency | Data location and movement control | -| Network Security | Access restriction and segmentation | -| System Integrity | Configuration and patching | - -## ToolJet Capability Mapping - -| Control Area | ToolJet Capability | -|---|---| -| Access Control | RBAC and SAML SSO | -| Encryption | Operates within infrastructure controls | -| Audit Logging | Built-in logging with SIEM export | -| Data Residency | Self-hosted deployment | -| Network Security | Private deployment support | -| System Integrity | Configurable deployment patterns | - -Now, translating this into implementation requires a structured approach. - -## Implementation Workflow - -The process can be broken down into a set of configuration steps. - -### 1. Define Deployment Boundary - -- Deploy ToolJet within private infrastructure -- Restrict public access -- Route traffic through controlled gateways - -Once the deployment boundary is defined, identity becomes the next control point. - -### 2. Configure Identity and Authentication - -- Integrate SAML-based SSO -- Enforce MFA at identity provider level -- Ensure unique user identification as required by the CJIS Security Policy - -After authentication, access needs to be restricted through roles. - -### 3. Configure Authorization - -- Define RBAC roles -- Map roles to job functions -- Enforce least privilege access - -With access defined, data access patterns need to be controlled. - -### 4. Configure Data Access - -- Connect to databases using secure connections -- Enforce TLS -- Avoid duplication of CJI - -At this stage, all actions must be logged for auditability. - -### 5. 
Enable Audit Logging - -- Capture user actions and queries -- Export logs to SIEM systems such as Splunk or the Elastic Stack -- Define retention policies aligned with CJIS requirements - -In parallel, network-level restrictions should be enforced. - -### 6. Enforce Network Controls - -- Restrict ingress and egress traffic -- Use reverse proxies and firewalls -- Segment workloads - -Next, encryption ensures data remains protected in all states. - -### 7. Configure Encryption - -- Enforce TLS 1.2 or higher for all communications -- Enable encryption at rest in databases and storage systems -- Use cryptographic modules validated under FIPS 140-2 - -### 8. Maintain System Integrity - -- Apply regular patches to operating systems and containers -- Harden configurations using benchmarks from the Center for Internet Security -- Perform vulnerability scanning on infrastructure - -### 9. Configure AI Controls (Optional) - -- Disable AI features for workflows involving CJI -- Restrict usage to approved or internal models -- Prevent logging of sensitive prompts or responses - -## Architecture That Aligns with CJIS Expectations - -A CJIS-aligned deployment using ToolJet typically includes a private network layer such as a VPC or on premise setup, controlled access through VPN or zero trust gateways, and no direct public exposure. - -CJIS - -The application layer runs in containerized environments with hardened configurations, supported by reverse proxies enforcing TLS and request validation. Identity is managed through SAML based SSO with MFA, while data remains in agency-controlled systems with strict database level permissions. - -Observability is handled through centralized logging systems integrated with SIEM and SOC workflows. - -## Compliance Positioning - -ToolJet operates as an application-layer system within environments handling Criminal Justice Information (CJI). It does not provide CJIS certification and does not act as a system of record. 
Instead, it enables enforcement of access control, audit logging, and secure data access patterns when deployed within agency-controlled infrastructure. - -Compliance with the CJIS Security Policy is achieved through correct configuration of infrastructure, identity systems, and application-layer controls. ToolJet participates in this model by enforcing user-level access, integrating with identity providers, and supporting auditability across workflows. - -### Shared Responsibility Model - -CJIS alignment follows a shared responsibility model across infrastructure, identity, and application layers. - -| Layer | Responsibility | Description | -|---|---|---| -| Infrastructure | Agency | Network isolation, encryption at rest, system patching | -| Identity | Agency | User authentication, MFA enforcement, access lifecycle | -| Data Systems | Agency | Storage, classification, and protection of CJI | -| Application | Shared | Access enforcement, query control, audit logging | -| ToolJet Platform | Enables enforcement | Provides RBAC, SSO integration, and logging capabilities | - -In this model, ToolJet does not replace underlying security controls but operates within them to enforce application-level restrictions. - -## Deployment and Trust Boundaries - -A CJIS-aligned deployment requires clear separation of trust zones and controlled interaction between components. - -- ToolJet is deployed within a private network boundary (VPC or on premise) -- Identity providers may exist outside the network but are treated as trusted federated systems -- Data systems containing CJI remain isolated and are accessed through controlled connections -- All communication across boundaries must be authenticated, authorized, and encrypted - -This separation ensures that CJI does not traverse uncontrolled paths and that each access point is governed by policy. 
- -### Security and Compliance Characteristics - -The following characteristics define how ToolJet aligns with CJIS expectations at the application layer: - -- Operates as a stateless interface layer without requiring persistence of CJI -- Integrates with enterprise identity providers for SAML-based authentication and MFA -- Enforces role-based access control mapped to organizational roles -- Supports centralized audit logging and export to SIEM systems such as Splunk -- Runs within agency-controlled infrastructure, supporting data residency and isolation requirements -- Relies on underlying systems for encryption, including support for FIPS 140-2 aligned environments - -These characteristics allow ToolJet to operate within regulated environments without introducing additional data exposure risk. - -### CJIS Compliance Checklist with Policy Mapping - -All section references and excerpts are derived from the CJIS Security Policy published by the Federal Bureau of Investigation. - -### Access Control and Authentication - -| Control | CJIS Section | Policy Excerpt | Implementation | -|---|---|---|---| -| Unique user identification | 5.6.2.1 | Each user must be uniquely identified. Shared or group accounts are not permitted for access to CJI systems. | SAML based SSO | -| Multi-factor authentication | 5.6.2.2 | MFA is required for all remote access to CJI systems and must include at least two authentication factors. | Enforced via IdP | -| Least privilege access | 5.5.2 | Access to CJI must be limited to authorized users based on job responsibilities and need-to-know principles. | RBAC configuration | -| Session management | 5.5.6 | Systems must enforce session timeouts and re-authentication to reduce risk of unauthorized access. 
| IdP and proxy policies | - -### Encryption and Data Protection - -| Control | CJIS Section | Policy Excerpt | Implementation | -|---|---|---|---| -| Data in transit | 5.10.1.2 | CJI transmitted outside secure boundaries must be encrypted using FIPS-validated cryptographic mechanisms. | TLS enforcement | -| Data at rest | 5.10.1.1 | CJI stored electronically must be protected using encryption or equally effective safeguards. | Infrastructure encryption | -| FIPS compliance | 5.10.1.2 | Cryptographic modules used must be validated under FIPS 140-2 or equivalent standards. | Environment configuration | - -### Audit and Accountability - -| Control | CJIS Section | Policy Excerpt | Implementation | -|---|---|---|---| -| Activity logging | 5.10.1 | Systems must generate audit records for events including user access, queries, and administrative actions. | ToolJet logs | -| Data access tracking | 5.10.1.3 | Audit logs must capture sufficient detail to identify who accessed CJI, what actions were performed, and when. | Query logging | -| Log retention | 5.10.4 | Audit records must be retained for a defined period consistent with CJIS and organizational requirements. | SIEM integration | -| Log integrity | 5.10.5 | Audit logs must be protected from unauthorized modification or deletion. | Centralized logging | - -### Network and System Integrity - -| Control | CJIS Section | Policy Excerpt | Implementation | -|---|---|---|---| -| Network isolation | 5.5.1 | CJI must be protected through network segmentation and controlled access boundaries. | Private deployment | -| Patch management | 5.7.1.5 | Systems must be regularly updated to address vulnerabilities and maintain security posture. | Infrastructure processes | -| Secure configuration | 5.7.1 | Systems must be configured securely using industry-recognized standards and practices. 
| Hardened environments | - -## Technical Considerations - -### Data Flow - -- Data is retrieved in real time from source systems -- No mandatory persistence within ToolJet -- Access controlled at query level - -### Encryption Model - -- ToolJet operates within infrastructure encryption model -- No independent cryptographic layer introduced -- Supports environments with FIPS requirements - -### Audit Model - -- Centralized logging across applications -- Supports integration with SIEM systems -- Enables consistent audit trails - -### AI Control Model - -- AI features are optional -- Must be explicitly configured -- Should not process CJI without safeguards - -## Failure Modes and Risk Considerations - -In practice, CJIS alignment often breaks down not at the infrastructure level, but at the configuration and operational layers. - -The following failure modes are commonly observed in internal tooling systems: - -### Misconfigured Authorization - -- Overly broad RBAC roles expose CJI beyond intended users\ -- Lack of role segmentation between administrative and operational users -- Failure to update roles as responsibilities change - -This typically violates least privilege expectations defined in the CJIS Security Policy. - -### Incomplete Audit Logging - -- Missing logs for read operations on CJI -- Logs not forwarded to centralized systems -- Insufficient log retention policies - -These gaps can make it difficult to reconstruct access patterns during audits. - -### Improper Network Exposure - -- ToolJet instances exposed directly to the public internet -- Lack of VPN or zero trust enforcement -- Weak ingress and egress controls - -This increases the risk of unauthorized access to application interfaces. 
- -### Data Handling Misconfigurations - -- Caching or persisting CJI within the application layer -- Use of temporary storage without encryption -- Improper handling of query results - -ToolJet should operate as a stateless layer without retaining CJI wherever possible. - -### Weak Encryption Enforcement - -- TLS not enforced across all internal connections -- Use of non-compliant cryptographic modules instead of FIPS 140-2 validated modules -- Misconfigured certificates or outdated protocols - -### External Service Leakage (AI / APIs) - -- Sending CJI to external APIs or AI services -- Lack of visibility into third-party data handling -- Logging sensitive prompts or responses - -This is especially relevant when integrating AI features into internal tools. - -Addressing these risks requires continuous validation of configurations, not just initial setup. - -## Summary - -CJIS alignment requires coordinated implementation across infrastructure, identity, application, and operations. ToolJet provides application-layer capabilities that support access control, audit logging, and secure data access patterns within controlled environments. Final compliance depends on correct configuration and enforcement by the agency. - -## Common Audit Questions - -During CJIS audits or internal security reviews, the following questions are typically raised. These should be addressed explicitly during implementation. - -1. **Where is CJI stored?** - CJI should remain within agency-controlled data systems. ToolJet should not persist CJI and should retrieve data in real time from source systems. -2. **Does ToolJet store or cache sensitive data?** - ToolJet can be configured to operate without persistent storage of CJI. Any caching mechanisms should be disabled or restricted to non-sensitive data. -3. 
**How is access to CJI controlled?** - Access is enforced through: - - SAML-based authentication - - MFA at the identity provider - - RBAC policies within ToolJet - - Database-level access controls -4. **How are user actions audited?** - User interactions, queries, and API calls should be logged and forwarded to SIEM systems such as Splunk. Logs should be retained and protected according to CJIS requirements. -5. **How is access revoked?** - Access is revoked through the identity provider by disabling user accounts or removing group memberships. Changes propagate to ToolJet via SSO enforcement. -6. **What happens during system failure?** - - ToolJet does not act as a system of record - - Failure does not result in loss of CJI - - Access is temporarily unavailable but data integrity remains intact -7. **How is data protected in transit and at rest?** - - TLS is enforced for all communications - - Data at rest is protected using infrastructure-level encryption - - Cryptographic controls align with FIPS 140-2 requirements -8. **Are external integrations restricted?** - External services, including APIs and AI models, should not process CJI unless explicitly approved and controlled. All outbound data flows should be audited. - -These questions are typically used to validate whether controls are not only implemented, but also consistently enforced. diff --git a/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.mdx b/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.mdx new file mode 100644 index 0000000000..49b59d9fe1 --- /dev/null +++ b/docs/versioned_docs/version-3.16.0-LTS/security/compliance/CJIS.mdx 
@@ -0,0 +1,155 @@ +--- +id: cjis +title: CJIS - Aligned Internal Tooling Using ToolJet +sidebar_label: Criminal Justice Information Services +--- + +ToolJet can be deployed within agency-controlled environments to build internal tools that handle Criminal Justice Information (CJI). This guide maps CJIS Security Policy requirements to infrastructure controls, identity configuration, and application-layer enforcement. + +:::info Key Principle +There is no CJIS certification for platforms. Compliance is the agency's responsibility โ€” ToolJet enables enforcement through correct configuration. +::: + +## Shared Responsibility Model + +| Layer | Owner | What They Control | +|:---|:---|:---| +| Infrastructure | Agency | Network isolation, encryption at rest, patching | +| Identity | Agency | Authentication, MFA, access lifecycle | +| Data Systems | Agency | CJI storage, classification, protection | +| Application | Shared | Access enforcement, query control, audit logging | +| ToolJet Platform | Enables enforcement | RBAC, SSO integration, logging capabilities | + +## ToolJet Capability Mapping + +| Control Area | CJIS Requirement | ToolJet Capability | +|:---|:---|:---| +| Access Control | Unique IDs, least privilege | RBAC and SAML SSO | +| Audit Logging | Activity tracking, retention | Built-in logging with SIEM export | +| Data Residency | Agency-controlled storage | Self-hosted deployment | +| Network Security | Isolation, segmentation | Private deployment support | +| Encryption | TLS, FIPS 140-2 | Operates within infrastructure controls | +| AI Controls | Restrict CJI from AI systems | Configurable, can be disabled | + +## Implementation Workflow + +### 1. Define Deployment Boundary +- Deploy ToolJet within a private VPC or on-premise setup +- Restrict all public internet access +- Route traffic through controlled gateways + +### 2. 
Configure Identity and Authentication +- Integrate SAML-based SSO +- Enforce MFA at the identity provider level +- Ensure unique user identification per CJIS Security Policy ยง5.6.2.1 + +### 3. Configure Authorization +- Define RBAC roles mapped to job functions +- Enforce least privilege access +- Segment administrative and operational roles + +### 4. Configure Data Access +- Connect to databases using TLS-secured connections +- Avoid caching or persisting CJI within ToolJet +- Enforce database-level access controls + +### 5. Enable Audit Logging +- Capture all user actions and queries +- Export logs to SIEM (Splunk, Elastic Stack) +- Define retention policies per CJIS requirements + +### 6. Enforce Network Controls +- Restrict ingress and egress traffic +- Use reverse proxies and firewalls +- Segment workloads + +### 7. Configure Encryption +- Enforce TLS 1.2+ for all communications +- Enable encryption at rest in databases and storage +- Use FIPS 140-2 validated cryptographic modules + +### 8. Maintain System Integrity +- Apply regular patches to OS and containers +- Harden configurations using CIS benchmarks +- Perform vulnerability scanning on infrastructure + +### 9. Configure AI Controls (Optional) +- Disable AI features for workflows involving CJI +- Restrict usage to approved or internal models +- Prevent logging of sensitive prompts or responses + +## Architecture + +A CJIS-aligned deployment includes a private network layer (VPC or on-premise), controlled access via VPN or zero trust gateways, and no direct public exposure. The application layer runs in containerized environments with hardened configurations, supported by reverse proxies enforcing TLS. Identity is managed through SAML-based SSO with MFA, and observability is handled through SIEM-integrated centralized logging. 
+ +CJIS Architecture Diagram + +## Compliance Checklist + +### Access Control and Authentication + +| Control | CJIS Section | Policy Excerpt | Implementation | +|---|---|---|---| +| Unique user identification | 5.6.2.1 | Each user must be uniquely identified. Shared or group accounts are not permitted. | SAML-based SSO | +| Multi-factor authentication | 5.6.2.2 | MFA is required for all remote access to CJI systems. | Enforced via IdP | +| Least privilege access | 5.5.2 | Access must be limited based on job responsibilities and need-to-know. | RBAC configuration | +| Session management | 5.5.6 | Systems must enforce session timeouts and re-authentication. | IdP and proxy policies | + +### Encryption and Data Protection + +| Control | CJIS Section | Policy Excerpt | Implementation | +|---|---|---|---| +| Data in transit | 5.10.1.2 | CJI transmitted outside secure boundaries must use FIPS-validated encryption. | TLS enforcement | +| Data at rest | 5.10.1.1 | CJI stored electronically must be protected using encryption or equivalent safeguards. | Infrastructure encryption | +| FIPS compliance | 5.10.1.2 | Cryptographic modules must be validated under FIPS 140-2 or equivalent. | Environment configuration | + +### Audit and Accountability + +| Control | CJIS Section | Policy Excerpt | Implementation | +|---|---|---|---| +| Activity logging | 5.10.1 | Systems must generate audit records for user access, queries, and admin actions. | ToolJet logs | +| Data access tracking | 5.10.1.3 | Logs must capture who accessed CJI, what actions were performed, and when. | Query logging | +| Log retention | 5.10.4 | Records must be retained per CJIS and organizational requirements. | SIEM integration | +| Log integrity | 5.10.5 | Logs must be protected from unauthorized modification or deletion. 
| Centralized logging | + +### Network and System Integrity + +| Control | CJIS Section | Policy Excerpt | Implementation | +|---|---|---|---| +| Network isolation | 5.5.1 | CJI must be protected through segmentation and controlled access boundaries. | Private deployment | +| Patch management | 5.7.1.5 | Systems must be regularly updated to address vulnerabilities. | Infrastructure processes | +| Secure configuration | 5.7.1 | Systems must follow industry-recognized hardening standards. | Hardened environments | + +## Failure Modes to Avoid + +:::warning +CJIS alignment commonly breaks down at the configuration and operational layers, not infrastructure. Watch for these failure modes. +::: + +| Failure Mode | Risk | What to Do | +|---|---|---| +| Misconfigured Authorization | Overly broad RBAC exposes CJI beyond intended users | Segment admin and operational roles; review on responsibility changes | +| Incomplete Audit Logging | Gaps in read-operation logs or missing SIEM forwarding make audits impossible | Ensure all query types are logged and forwarded with defined retention | +| Improper Network Exposure | Public-facing ToolJet instances without VPN or zero trust | Route all access through controlled gateways; no direct internet exposure | +| Data Handling Misconfigurations | Caching CJI within the app layer | Operate stateless; disable caching or restrict to non-sensitive data | +| Weak Encryption Enforcement | Non-FIPS modules or outdated TLS across internal connections | Enforce TLS 1.2+ everywhere; validate certificate and module compliance | +| External Service Leakage | CJI sent to external APIs or AI services | Audit all outbound integrations; block unapproved external data flows | + +## Common Audit Questions + +1. **Where is CJI stored?**
+ CJI should remain within agency-controlled data systems. ToolJet does not persist CJI โ€” data is retrieved in real time from source systems.
+2. **Does ToolJet store or cache sensitive data?**
+ ToolJet can be configured to operate without persistent storage. Any caching mechanisms should be disabled or restricted to non-sensitive data.
+3. **How is access to CJI controlled?**
+ Through SAML-based authentication, MFA at the identity provider, RBAC policies within ToolJet, and database-level access controls.
+4. **How are user actions audited?**
+ User interactions, queries, and API calls are logged and forwarded to SIEM systems such as Splunk, retained and protected per CJIS requirements.
+5. **How is access revoked?**
+ Through the identity provider by disabling user accounts or removing group memberships. Changes propagate to ToolJet immediately via SSO enforcement.
+6. **What happens during system failure?**
+ ToolJet does not act as a system of record. Failure results in temporary unavailability โ€” no loss of CJI or data integrity impact.
+7. **How is data protected in transit and at rest?**
+ TLS is enforced for all communications. Data at rest is protected using infrastructure-level encryption aligned with FIPS 140-2.
+8. **Are external integrations restricted?**
+ External services including APIs and AI models should not process CJI unless explicitly approved. All outbound data flows should be audited.
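Review bot: the CJIS.md deletion hunk removes guidance that the replacement file does not carry over, and it is worth confirming the drop is intentional before this merges. The "Deployment and Trust Boundaries" section (identity providers outside the network boundary treated as trusted federated systems; "All communication across boundaries must be authenticated, authorized, and encrypted"), the "Security and Compliance Characteristics" list (stateless interface layer, no persistence of CJI), and the "Technical Considerations" subsections (Data Flow, Encryption Model, Audit Model, AI Control Model) are all deleted with no equivalent in the new page, and the sentence "All section references and excerpts are derived from the CJIS Security Policy published by the Federal Bureau of Investigation" that qualified the "Policy Excerpt" columns goes with them. The per-failure-mode explanatory prose ("Addressing these risks requires continuous validation of configurations, not just initial setup") is also lost; the new table keeps only the one-line remediation. If the intent is a condensed page, at least the trust-boundary rules and the excerpt attribution should be restored, since the checklist tables present paraphrased text under the heading "Policy Excerpt". Separately, the commit subject "claude changes" does not describe the change; something like "docs(3.16.0-LTS): convert CJIS guide to MDX and condense" would let reviewers and `git log` readers see what happened without opening the diff.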
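Review bot: in the CJIS.mdx addition hunk, audit question 5 now states "Changes propagate to ToolJet immediately via SSO enforcement", which the old text did not claim and which is not generally true for SAML SSO: disabling a user at the identity provider prevents the next authentication, but an already-issued ToolJet session stays valid until it expires or is terminated, so revocation is only as prompt as the session timeout configured under "Session management | 5.5.6". Suggest rewording to "Changes take effect at the next authentication; active sessions end at the configured session timeout, so keep timeouts short for CJI workflows", or documenting how to terminate active sessions if the platform supports it. Three smaller points in the same hunk: the sequences "โ€”" (in the `:::info` admonition and in audit questions 1 and 6) and "ยง" (in step 2, "ยง5.6.2.1") are UTF-8 text decoded as another code page, so the file should be re-saved as UTF-8 with a real em dash and section sign, or plain ASCII; the line "CJIS Architecture Diagram" is bare text with no image syntax around it, so no diagram will render unless the image reference was lost in this diff; and the front-matter `title: CJIS - Aligned Internal Tooling Using ToolJet` splits the compound adjective with spaces, while the old title and the rest of the page use "CJIS-aligned". Also, only the `version-3.16.0-LTS` copy is changed; if the unversioned docs source carries the same page, it will need the same edit.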