Authentication:
  From: Supabase Auth
  To: AWS Cognito User Pools
  Status: ✅ Complete
 
Database:
  From: Supabase PostgreSQL
  To: Aurora Serverless v2
  Status: ✅ Complete
 
Storage:
  From: Supabase Storage
  To: Amazon S3
  Status: ✅ Complete
 
Functions:
  From: Supabase Edge Functions
  To: AWS Lambda
  Status: ✅ Complete
 
AI/ML:
  From: Third-party APIs
  To: AWS Rekognition + Custom Lambda
  Status: ✅ Complete

Status: ✅ ACTIVE
Signed Date: October 15, 2025
Coverage: All AWS services used by Mind Measure
Services Covered:
  - Amazon Aurora Serverless v2
  - AWS Lambda
  - Amazon S3
  - AWS Cognito
  - Amazon CloudWatch
  - AWS CloudTrail
  - Amazon Rekognition

Compute:
  - AWS Lambda: ✅ Covered
  - Amazon EC2: ✅ Available (not used)
 
Storage:
  - Amazon S3: ✅ Covered
  - Amazon EBS: ✅ Available (not used)
 
Database:
  - Amazon Aurora: ✅ Covered
  - Amazon RDS: ✅ Available (not used)
 
Security:
  - AWS IAM: ✅ Covered
  - AWS KMS: ✅ Covered
  - AWS CloudTrail: ✅ Covered
 
Analytics:
  - Amazon CloudWatch: ✅ Covered
  - AWS X-Ray: ✅ Covered

Primary Region: eu-west-2 (London)
Backup Region: eu-west-1 (Ireland)
Data Processing: EU only
Data Transfer: No cross-border transfers outside EU

Data Controller: Individual Universities
Data Processor: Mind Measure Ltd
Processing Purpose: Mental health monitoring and support
Data Categories:
  - Personal identifiers (name, email, student ID)
  - Health data (mental health assessments, scores)
  - Technical data (usage logs, performance metrics)
Legal Basis: Consent + Legitimate Interest
Retention Period: 7 years (configurable per university)

VPC: mindmeasure-production-vpc
CIDR: 10.0.0.0/16
Region: eu-west-2
 
Subnets:
  Private Subnets:
    - 10.0.1.0/24 (Lambda functions)
    - 10.0.2.0/24 (RDS Aurora)
    - 10.0.3.0/24 (Reserved)
  
  Public Subnets:
    - 10.0.101.0/24 (NAT Gateway)
    - 10.0.102.0/24 (Load Balancer)
 
Security Groups:
  Lambda-SG:
    - Outbound: HTTPS (443) to anywhere
    - Outbound: PostgreSQL (5432) to RDS-SG
  
  RDS-SG:
    - Inbound: PostgreSQL (5432) from Lambda-SG
    - No outbound rules (default deny)
 
Network ACLs:
  - Default allow for internal traffic
  - Explicit deny for known malicious IPs
  - Logging enabled for all denied traffic

WAF Rules:
  - AWS Managed Rules (OWASP Top 10)
  - Rate limiting (100 requests/minute per IP)
  - Geographic restrictions (EU + UK only)
  - SQL injection protection
  - Cross-site scripting (XSS) protection
  - Known bad inputs protection
 
Custom Rules:
  - Block requests without proper User-Agent
  - Rate limit API endpoints (per user)
  - Block requests with suspicious patterns

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaExecutionRole",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "rds-data:ExecuteStatement",
        "rds-data:BatchExecuteStatement",
        "rekognition:DetectFaces",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:logs:eu-west-2:*:*",
        "arn:aws:rds:eu-west-2:*:cluster:mindmeasure-aurora",
        "arn:aws:s3:::mindmeasure-*/*"
      ]
    }
  ]
}

Roles:
  SuperUser:
    Permissions:
      - Full system access
      - University management
      - User management
      - System configuration
    Users: [CTO, Lead Developer]
 
  UniversityAdmin:
    Permissions:
      - University data access (own university only)
      - Student data access (own university only)
      - CMS management
      - Analytics access
    Users: [University IT staff, Wellbeing coordinators]
 
  Student:
    Permissions:
      - Own profile access
      - Assessment participation
      - Dashboard access
      - Buddy system access
    Users: [All registered students]
 
  Clinician:
    Permissions:
      - Student data access (assigned students only)
      - Assessment results access
      - Intervention recommendations
      - Crisis escalation
    Users: [University counselors, Mental health professionals]

Database (Aurora):
  Encryption: AES-256
  Key Management: AWS KMS
  Key Rotation: Automatic (annual)
  Backup Encryption: Enabled
 
Storage (S3):
  Encryption: SSE-S3 (AES-256)
  Key Management: AWS managed
  Bucket Policies: Enforce encryption
  Access Logging: Enabled
 
Lambda Environment Variables:
  Encryption: AWS KMS
  Key: Customer managed
  Access: Function execution role only

API Gateway:
  TLS Version: 1.3 minimum
  Certificate: AWS Certificate Manager
  HSTS: Enabled
  Perfect Forward Secrecy: Enabled
 
Database Connections:
  SSL/TLS: Required
  Certificate Validation: Enabled
  Encryption: AES-256
 
Internal Communications:
  Lambda to RDS: TLS 1.3
  Lambda to S3: HTTPS only
  Lambda to Rekognition: HTTPS only

Public:
  Description: Information that can be freely shared
  Examples: University branding, public resources
  Protection: Standard web security
  Retention: Indefinite
 
Internal:
  Description: Information for internal use only
  Examples: System configurations, analytics aggregates
  Protection: Access controls, encryption
  Retention: 7 years
 
Confidential:
  Description: Sensitive business information
  Examples: University contracts, system architecture
  Protection: Strong access controls, encryption, audit logging
  Retention: 7 years
 
Restricted:
  Description: Highly sensitive personal/health data
  Examples: Mental health assessments, personal identifiers
  Protection: Strongest controls, encryption, comprehensive audit
  Retention: 7 years (or as required by law)

// Data minimization example
interface StudentProfile {
  // Required fields only
  user_id: string;
  first_name: string;
  last_name: string;
  email: string;
  university_id: string;
  
  // Optional fields with explicit consent
  phone_number?: string; // Only if crisis contact needed
  emergency_contact?: string; // Only if explicitly provided
  
  // System fields
  created_at: string;
  updated_at: string;
  consent_version: string;
  consent_date: string;
}

// Purpose limitation enforcement
class DataProcessor {
  async processAssessmentData(data: AssessmentData, purpose: ProcessingPurpose) {
    // Validate processing purpose
    if (!this.isValidPurpose(purpose)) {
      throw new Error('Invalid processing purpose');
    }
    
    // Apply purpose-specific data filtering
    const filteredData = this.filterDataForPurpose(data, purpose);
    
    // Log processing activity
    await this.logProcessingActivity(data.userId, purpose, filteredData);
    
    return this.process(filteredData);
  }
  
  private isValidPurpose(purpose: ProcessingPurpose): boolean {
    const validPurposes = [
      'wellbeing_assessment',
      'crisis_intervention',
      'academic_support',
      'research_anonymized'
    ];
    return validPurposes.includes(purpose);
  }
}

Assessment Data:
  Retention Period: 7 years
  Rationale: Clinical best practice + legal requirements
  Deletion: Automatic after retention period
  Exceptions: Active crisis cases (extended retention)
 
Personal Identifiers:
  Retention Period: 7 years
  Rationale: GDPR Article 5(e) + university requirements
  Deletion: Secure deletion with verification
  Exceptions: Legal hold requirements
 
System Logs:
  Operational Logs: 30 days
  Security Logs: 1 year
  Audit Logs: 7 years
  Compliance Logs: 10 years
 
Backup Data:
  Retention Period: Same as primary data
  Deletion: Coordinated with primary deletion
  Verification: Deletion confirmation required

// Automated data retention service
class DataRetentionService {
  async enforceRetentionPolicies() {
    const policies = await this.getRetentionPolicies();
    
    for (const policy of policies) {
      const expiredData = await this.findExpiredData(policy);
      
      for (const record of expiredData) {
        await this.secureDelete(record, policy);
        await this.logDeletion(record, policy);
      }
    }
  }
  
  private async secureDelete(record: DataRecord, policy: RetentionPolicy) {
    // Multi-pass secure deletion
    await this.overwriteData(record, 3); // 3-pass overwrite
    await this.deleteFromDatabase(record);
    await this.deleteFromBackups(record);
    await this.verifyDeletion(record);
  }
}

// Data export service
class DataExportService {
  async exportUserData(userId: string, requesterId: string): Promise<UserDataExport> {
    // Verify requester authorisation
    await this.verifyDataSubjectRequest(userId, requesterId);
    
    // Collect all user data
    const userData = await this.collectUserData(userId);
    
    // Format for portability
    const exportData = {
      personal_information: userData.profile,
      assessment_history: userData.assessments,
      system_interactions: userData.logs,
      preferences: userData.settings,
      export_date: new Date().toISOString(),
      data_format: 'JSON',
      retention_information: await this.getRetentionInfo(userId)
    };
    
    // Log export request
    await this.logDataExport(userId, requesterId);
    
    return exportData;
  }
}

// Data erasure service
class DataErasureService {
  async eraseUserData(userId: string, requesterId: string): Promise<ErasureResult> {
    // Verify erasure request validity
    await this.verifyErasureRequest(userId, requesterId);
    
    // Check for legal holds
    const legalHolds = await this.checkLegalHolds(userId);
    if (legalHolds.length > 0) {
      throw new Error('Cannot erase data: legal hold in effect');
    }
    
    // Perform erasure
    const erasureResults = await Promise.all([
      this.eraseProfileData(userId),
      this.eraseAssessmentData(userId),
      this.eraseSystemLogs(userId),
      this.eraseBackupData(userId)
    ]);
    
    // Verify complete erasure
    await this.verifyErasure(userId);
    
    // Log erasure completion
    await this.logDataErasure(userId, requesterId);
    
    return {
      status: 'completed',
      erasure_date: new Date().toISOString(),
      verification: 'confirmed',
      affected_systems: erasureResults
    };
  }
}

MFA Configuration:
  Required For:
    - University administrators
    - System administrators
    - Clinicians accessing student data
  
  Methods Supported:
    - SMS (primary)
    - TOTP apps (Google Authenticator, Authy)
    - Email (backup only)
  
  Enforcement:
    - Conditional: Based on role and risk assessment
    - Grace Period: 7 days for new users
    - Bypass: Emergency access procedures only

Password Requirements:
  Minimum Length: 12 characters
  Complexity: 
    - At least 1 uppercase letter
    - At least 1 lowercase letter
    - At least 1 number
    - At least 1 special character
  
  Restrictions:
    - No common passwords (top 10,000 list)
    - No personal information (name, email)
    - No previous 12 passwords
  
  Expiration: 90 days (configurable per university)
  Account Lockout: 5 failed attempts, 30-minute lockout

// ABAC policy engine
class AccessControlEngine {
  async evaluateAccess(
    subject: User,
    resource: Resource,
    action: Action,
    context: Context
  ): Promise<AccessDecision> {
    
    const policies = await this.getApplicablePolicies(resource, action);
    
    for (const policy of policies) {
      const decision = await this.evaluatePolicy(policy, {
        subject,
        resource,
        action,
        context
      });
      
      if (decision === 'DENY') {
        return { decision: 'DENY', reason: policy.description };
      }
    }
    
    return { decision: 'ALLOW', policies: policies.map(p => p.id) };
  }
  
  private async evaluatePolicy(policy: AccessPolicy, request: AccessRequest): Promise<'ALLOW' | 'DENY'> {
    // Evaluate subject attributes
    if (!this.matchesSubjectConditions(policy.subject, request.subject)) {
      return 'DENY';
    }
    
    // Evaluate resource attributes
    if (!this.matchesResourceConditions(policy.resource, request.resource)) {
      return 'DENY';
    }
    
    // Evaluate context conditions
    if (!this.matchesContextConditions(policy.context, request.context)) {
      return 'DENY';
    }
    
    return 'ALLOW';
  }
}

Student Data Access:
  Own Data:
    - Students: Full access to own data
    - Duration: Account lifetime
    - Restrictions: Cannot delete assessment history
  
  University Staff:
    - Access: Students from same university only
    - Scope: Aggregated data, anonymised individual data
    - Restrictions: No direct personal identifiers
    - Audit: All access logged
  
  Clinicians:
    - Access: Assigned students only
    - Scope: Full assessment data, crisis indicators
    - Restrictions: Purpose limitation (clinical care only)
    - Audit: Comprehensive logging required
  
  Researchers:
    - Access: Anonymized data only
    - Scope: Statistical analysis, trend identification
    - Restrictions: No re-identification attempts
    - Approval: Ethics committee approval required

Security Logs:
  Authentication Events:
    - Login attempts (successful/failed)
    - Password changes
    - MFA events
    - Account lockouts
  
  Authorization Events:
    - Access grants/denials
    - Permission changes
    - Role assignments
    - Policy violations
  
  Data Access Events:
    - Data queries
    - Data modifications
    - Data exports
    - Data deletions
 
Operational Logs:
  System Performance:
    - Response times
    - Error rates
    - Resource utilization
    - Scaling events
  
  Application Events:
    - User actions
    - System errors
    - Integration failures
    - Batch job results
 
Compliance Logs:
  Data Processing:
    - Consent management
    - Data retention actions
    - Cross-border transfers
    - Third-party sharing
  
  Audit Events:
    - Policy changes
    - Configuration updates
    - Compliance violations
    - Remediation actions

// Centralized logging service
class LoggingService {
  async logSecurityEvent(event: SecurityEvent) {
    const logEntry = {
      timestamp: new Date().toISOString(),
      event_type: 'security',
      event_category: event.category,
      user_id: event.userId,
      session_id: event.sessionId,
      ip_address: this.hashIP(event.ipAddress), // Privacy-preserving
      user_agent: event.userAgent,
      action: event.action,
      resource: event.resource,
      result: event.result,
      risk_score: await this.calculateRiskScore(event),
      correlation_id: event.correlationId
    };
    
    // Store in multiple locations for redundancy
    await Promise.all([
      this.storeInCloudWatch(logEntry),
      this.storeInS3(logEntry),
      this.sendToSIEM(logEntry) // If high-risk event
    ]);
    
    // Trigger alerts if necessary
    if (logEntry.risk_score > 7) {
      await this.triggerSecurityAlert(logEntry);
    }
  }
  
  private async calculateRiskScore(event: SecurityEvent): Promise<number> {
    let score = 0;
    
    // Failed authentication attempts
    if (event.result === 'failed' && event.category === 'authentication') {
      score += 3;
    }
    
    // Access to sensitive data
    if (event.resource?.includes('assessment_data')) {
      score += 2;
    }
    
    // Unusual access patterns
    const recentEvents = await this.getRecentEvents(event.userId, '1h');
    if (recentEvents.length > 50) {
      score += 4;
    }
    
    // Geographic anomalies
    const userLocation = await this.getUserLocation(event.userId);
    const eventLocation = await this.getIPLocation(event.ipAddress);
    if (this.calculateDistance(userLocation, eventLocation) > 1000) {
      score += 5;
    }
    
    return Math.min(score, 10); // Cap at 10
  }
}

Monitored Events:
  High-Risk Activities:
    - Multiple failed login attempts
    - Unusual data access patterns
    - Privilege escalation attempts
    - Data export activities
    - System configuration changes
  
  Anomaly Detection:
    - Unusual login times/locations
    - Abnormal data access volumes
    - Unexpected API usage patterns
    - Performance degradation
  
  Compliance Violations:
    - Unauthorized data access
    - Data retention policy violations
    - Cross-border data transfers
    - Missing consent records
 
Alert Thresholds:
  Critical (Immediate Response):
    - Potential data breach
    - System compromise indicators
    - Compliance violations
    - Service outages
  
  High (1-hour Response):
    - Repeated security events
    - Performance degradation
    - Failed backup operations
    - Integration failures
  
  Medium (4-hour Response):
    - Unusual user behavior
    - Resource utilization alerts
    - Non-critical errors
    - Capacity warnings

// Automated incident response
class IncidentResponseService {
  async handleSecurityAlert(alert: SecurityAlert) {
    const severity = await this.assessSeverity(alert);
    
    switch (severity) {
      case 'CRITICAL':
        await this.executeCriticalResponse(alert);
        break;
      case 'HIGH':
        await this.executeHighResponse(alert);
        break;
      case 'MEDIUM':
        await this.executeMediumResponse(alert);
        break;
    }
    
    // Always log the response
    await this.logIncidentResponse(alert, severity);
  }
  
  private async executeCriticalResponse(alert: SecurityAlert) {
    // Immediate containment
    if (alert.type === 'potential_breach') {
      await this.isolateAffectedSystems(alert.affectedSystems);
      await this.disableCompromisedAccounts(alert.affectedUsers);
    }
    
    // Notification
    await this.notifySecurityTeam(alert, 'IMMEDIATE');
    await this.notifyManagement(alert);
    
    // Evidence preservation
    await this.preserveForensicEvidence(alert);
    
    // Regulatory notification (if required)
    if (await this.requiresRegulatoryNotification(alert)) {
      await this.initiateRegulatoryNotification(alert);
    }
  }
}

// Audit trail service
class AuditTrailService {
  async createAuditEntry(action: AuditableAction) {
    const auditEntry = {
      audit_id: this.generateAuditId(),
      timestamp: new Date().toISOString(),
      user_id: action.userId,
      user_role: action.userRole,
      action_type: action.type,
      resource_type: action.resourceType,
      resource_id: action.resourceId,
      action_details: action.details,
      ip_address: this.hashIP(action.ipAddress),
      user_agent: action.userAgent,
      session_id: action.sessionId,
      request_id: action.requestId,
      before_state: action.beforeState,
      after_state: action.afterState,
      success: action.success,
      error_message: action.errorMessage,
      compliance_tags: this.generateComplianceTags(action)
    };
    
    // Store with tamper-evident logging
    await this.storeWithIntegrity(auditEntry);
    
    // Real-time compliance checking
    await this.checkComplianceViolations(auditEntry);
  }
  
  private async storeWithIntegrity(entry: AuditEntry) {
    // Calculate hash for integrity
    const hash = await this.calculateHash(entry);
    entry.integrity_hash = hash;
    
    // Store in multiple locations
    await Promise.all([
      this.storeInPrimaryAuditLog(entry),
      this.storeInSecondaryAuditLog(entry),
      this.storeInImmutableStorage(entry) // S3 with Object Lock
    ]);
  }
}

Critical (P1):
  Definition: Immediate threat to data security or system availability
  Examples:
    - Confirmed data breach
    - System compromise
    - Complete service outage
    - Ransomware attack
  Response Time: Immediate (< 15 minutes)
  Escalation: Automatic to C-level
 
High (P2):
  Definition: Significant security or operational impact
  Examples:
    - Suspected unauthorized access
    - Partial service outage
    - Failed backup operations
    - Compliance violation
  Response Time: 1 hour
  Escalation: Security team + management
 
Medium (P3):
  Definition: Moderate impact on security or operations
  Examples:
    - Unusual user behavior
    - Performance degradation
    - Non-critical system errors
    - Policy violations
  Response Time: 4 hours
  Escalation: Security team
 
Low (P4):
  Definition: Minor issues with minimal impact
  Examples:
    - Information requests
    - Minor configuration issues
    - Routine maintenance alerts
    - User support requests
  Response Time: 24 hours
  Escalation: Support team

Phase 1: Detection & Assessment (0-1 hour)
  - Incident detection and verification
  - Initial impact assessment
  - Stakeholder notification
  - Evidence preservation
  - Containment measures
 
Phase 2: Investigation & Containment (1-24 hours)
  - Detailed forensic investigation
  - Root cause analysis
  - System isolation if necessary
  - Affected data identification
  - Regulatory notification (if required)
 
Phase 3: Notification & Communication (24-72 hours)
  - Data subject notification
  - Regulatory authority notification
  - Public disclosure (if required)
  - Stakeholder communication
  - Media response (if necessary)
 
Phase 4: Recovery & Lessons Learned (1-4 weeks)
  - System restoration
  - Security improvements
  - Process updates
  - Staff training
  - Incident documentation

// Incident response automation
class AutomatedIncidentResponse {
  async handleDataBreachAlert(alert: DataBreachAlert) {
    // Phase 1: Immediate response
    const incident = await this.createIncident(alert, 'CRITICAL');
    
    // Automatic containment
    await this.executeContainmentProcedures(alert);
    
    // Evidence preservation
    await this.preserveEvidence(alert);
    
    // Stakeholder notification
    await this.notifyStakeholders(incident);
    
    // Regulatory assessment
    const regulatoryNotificationRequired = await this.assessRegulatoryNotification(alert);
    if (regulatoryNotificationRequired) {
      await this.initiateRegulatoryNotification(incident);
    }
    
    return incident;
  }
  
  private async executeContainmentProcedures(alert: DataBreachAlert) {
    // Isolate affected systems
    if (alert.affectedSystems) {
      await this.isolateSystems(alert.affectedSystems);
    }
    
    // Disable compromised accounts
    if (alert.compromisedAccounts) {
      await this.disableAccounts(alert.compromisedAccounts);
    }
    
    // Block suspicious IP addresses
    if (alert.suspiciousIPs) {
      await this.blockIPAddresses(alert.suspiciousIPs);
    }
    
    // Rotate credentials
    await this.rotateAffectedCredentials(alert.affectedServices);
  }
}

Immediate Notification (< 15 minutes):
  Recipients:
    - Security Team Lead
    - CTO
    - CEO (for critical incidents)
  Methods:
    - SMS alerts
    - Phone calls
    - Slack emergency channel
  Information:
    - Incident summary
    - Initial impact assessment
    - Immediate actions taken
 
Detailed Briefing (< 1 hour):
  Recipients:
    - Extended security team
    - Development team leads
    - Operations team
    - Legal counsel (if required)
  Methods:
    - Email briefing
    - Emergency conference call
    - Incident response portal
  Information:
    - Detailed incident analysis
    - Affected systems and data
    - Response actions planned
    - Resource requirements
 
Regular Updates (Every 2-4 hours):
  Recipients:
    - All stakeholders
    - Management team
    - Affected university contacts
  Methods:
    - Email updates
    - Dashboard updates
    - Stakeholder calls
  Information:
    - Investigation progress
    - Containment status
    - Recovery timeline
    - Next steps

Regulatory Notification:
  Timeline: Within 72 hours (GDPR) / Without unreasonable delay (HIPAA)
  Recipients:
    - ICO (UK data protection authority)
    - Relevant university data protection officers
    - Other applicable regulators
  Content:
    - Nature of the breach
    - Categories and number of data subjects affected
    - Likely consequences
    - Measures taken or proposed
 
Data Subject Notification:
  Timeline: Without undue delay (when high risk to rights and freedoms)
  Recipients:
    - Affected students
    - Affected university staff
    - Affected third parties
  Methods:
    - Email notification
    - In-app notification
    - University portal announcement
  Content:
    - Description of the breach
    - Contact information for inquiries
    - Measures taken to address the breach
    - Recommendations for data subjects
 
Public Disclosure:
  Criteria:
    - Legal requirement
    - Significant public interest
    - Media attention
    - Stakeholder demand
  Approval: CEO + Legal counsel
  Methods:
    - Press release
    - Website announcement
    - Social media statement

Recovery Time Objective (RTO):
  Critical Systems: 4 hours
  Important Systems: 24 hours
  Standard Systems: 72 hours
 
Recovery Point Objective (RPO):
  Database: 15 minutes
  File Storage: 1 hour
  Configuration: 5 minutes
  Logs: 5 minutes

Database Backups:
  Frequency: Continuous (point-in-time recovery)
  Retention: 35 days
  Storage: Cross-region replication
  Encryption: AES-256
  Testing: Weekly restore tests
 
File Backups:
  Frequency: Real-time replication
  Retention: 90 days
  Storage: Cross-region + cross-account
  Encryption: SSE-S3
  Testing: Monthly restore tests
 
Configuration Backups:
  Frequency: On every change
  Retention: 1 year
  Storage: Version-controlled repository
  Encryption: Git-crypt
  Testing: Automated deployment tests
 
Application Backups:
  Frequency: On every deployment
  Retention: 50 versions
  Storage: Container registry + S3
  Encryption: Registry encryption
  Testing: Automated rollback tests

// Disaster recovery orchestration
class DisasterRecoveryService {
  async executeDisasterRecovery(scenario: DisasterScenario) {
    const recoveryPlan = await this.getRecoveryPlan(scenario);
    
    // Phase 1: Assessment and decision
    const impact = await this.assessImpact(scenario);
    const recoveryDecision = await this.makeRecoveryDecision(impact);
    
    if (recoveryDecision.proceed) {
      // Phase 2: Infrastructure recovery
      await this.recoverInfrastructure(recoveryPlan);
      
      // Phase 3: Data recovery
      await this.recoverData(recoveryPlan);
      
      // Phase 4: Application recovery
      await this.recoverApplications(recoveryPlan);
      
      // Phase 5: Validation and testing
      await this.validateRecovery(recoveryPlan);
      
      // Phase 6: Failover traffic
      await this.failoverTraffic(recoveryPlan);
    }
    
    return {
      status: 'completed',
      recovery_time: Date.now() - scenario.startTime,
      systems_recovered: recoveryPlan.systems,
      data_loss: await this.assessDataLoss()
    };
  }
  
  private async recoverInfrastructure(plan: RecoveryPlan) {
    // Deploy infrastructure in DR region
    await this.deployInfrastructure(plan.drRegion);
    
    // Configure networking
    await this.configureNetworking(plan.networkConfig);
    
    // Set up security groups and policies
    await this.configureSecurity(plan.securityConfig);
    
    // Verify infrastructure health
    await this.verifyInfrastructure(plan.healthChecks);
  }
}

Primary Region: eu-west-2 (London)
  Services:
    - Aurora Serverless v2 (Primary)
    - Lambda functions
    - S3 buckets (primary)
    - CloudFront (origin)
 
Secondary Region: eu-west-1 (Ireland)
  Services:
    - Aurora Serverless v2 (Read replica)
    - Lambda functions (standby)
    - S3 buckets (replica)
    - CloudFront (failover)
 
Failover Criteria:
  - Primary region unavailable > 5 minutes
  - Database unavailable > 2 minutes
  - Application error rate > 10%
  - Manual failover trigger
 
Failover Process:
  1. Health check failure detection
  2. Automatic DNS failover (Route 53)
  3. Database promotion (read replica to primary)
  4. Lambda function activation
  5. Application traffic routing
  6. Monitoring and validation

Aurora Serverless v2:
  Min Capacity: 0.5 ACUs
  Max Capacity: 16 ACUs
  Scaling Policy: Target-based
  Scale-up Threshold: 70% CPU utilization
  Scale-down Threshold: 20% CPU utilization
  Scale-up Cooldown: 5 minutes
  Scale-down Cooldown: 15 minutes
 
Lambda Functions:
  Concurrent Executions: 1000 (reserved)
  Provisioned Concurrency: 10 (critical functions)
  Auto-scaling: Automatic based on invocation rate
  Throttling: Graceful degradation
 
API Gateway:
  Throttling: 10,000 requests/second
  Burst Limit: 5,000 requests
  Per-client Limit: 100 requests/minute
  Caching: 5-minute TTL for GET requests

Frequency: Quarterly
Scope: All compliance controls
Auditors: Internal security team + external consultants
Process:
  1. Control testing
  2. Evidence collection
  3. Gap analysis
  4. Remediation planning
  5. Management reporting
 
Documentation:
  - Audit plans
  - Testing procedures
  - Evidence collection
  - Findings reports
  - Remediation tracking

HIPAA Audit:
  Frequency: Annual
  Auditor: Certified HIPAA auditor
  Scope: All HIPAA controls
  Deliverables: Compliance report + recommendations
 
SOC 2 Audit:
  Frequency: Annual
  Auditor: Certified public accounting firm
  Scope: Security, availability, confidentiality
  Deliverables: SOC 2 Type II report
 
GDPR Assessment:
  Frequency: Annual
  Assessor: Data protection consultant
  Scope: All GDPR requirements
  Deliverables: Compliance assessment + gap analysis

// Compliance monitoring service
class ComplianceMonitoringService {
  async performComplianceCheck(): Promise<ComplianceReport> {
    const checks = await Promise.all([
      this.checkHIPAACompliance(),
      this.checkGDPRCompliance(),
      this.checkSOC2Compliance(),
      this.checkDataRetention(),
      this.checkAccessControls(),
      this.checkEncryption(),
      this.checkAuditLogging()
    ]);
    
    const overallStatus = this.calculateOverallCompliance(checks);
    
    return {
      timestamp: new Date().toISOString(),
      overall_status: overallStatus,
      individual_checks: checks,
      violations: checks.filter(c => c.status === 'VIOLATION'),
      recommendations: this.generateRecommendations(checks)
    };
  }
  
  private async checkHIPAACompliance(): Promise<ComplianceCheck> {
    const checks = [
      await this.checkBAACoverage(),
      await this.checkEncryptionCompliance(),
      await this.checkAccessControlCompliance(),
      await this.checkAuditLogCompliance(),
      await this.checkIncidentResponseCompliance()
    ];
    
    return {
      framework: 'HIPAA',
      status: checks.every(c => c.passed) ? 'COMPLIANT' : 'VIOLATION',
      details: checks,
      last_checked: new Date().toISOString()
    };
  }
}

Real-time Monitoring:
  - Access control violations
  - Data retention policy violations
  - Encryption compliance
  - Audit log integrity
  - Backup completion status
 
Daily Checks:
  - User access reviews
  - Data classification compliance
  - Security configuration drift
  - Vulnerability assessments
  - Patch compliance
 
Weekly Reviews:
  - Compliance dashboard review
  - Violation trend analysis
  - Risk assessment updates
  - Policy effectiveness review
  - Training compliance check
 
Monthly Assessments:
  - Comprehensive compliance review
  - Gap analysis updates
  - Risk register updates
  - Vendor compliance review
  - Business continuity testing

Critical Patches:
  Timeline: Within 24 hours
  Scope: Security vulnerabilities (CVSS > 7.0)
  Process: Emergency change management
  Testing: Automated + manual validation
  Rollback: Immediate rollback capability
 
Important Patches:
  Timeline: Within 7 days
  Scope: Security vulnerabilities (CVSS 4.0-7.0)
  Process: Standard change management
  Testing: Full regression testing
  Rollback: Planned rollback procedures
 
Standard Updates:
  Timeline: Monthly maintenance window
  Scope: Feature updates, minor fixes
  Process: Regular change management
  Testing: Comprehensive testing
  Rollback: Standard rollback procedures

// Vulnerability management service
class VulnerabilityManagementService {
  async performVulnerabilityAssessment(): Promise<VulnerabilityReport> {
    const assessments = await Promise.all([
      this.scanInfrastructure(),
      this.scanApplications(),
      this.scanDependencies(),
      this.scanConfigurations(),
      this.scanNetworkSecurity()
    ]);
    
    const vulnerabilities = this.consolidateFindings(assessments);
    const prioritized = await this.prioritizeVulnerabilities(vulnerabilities);
    
    return {
      scan_date: new Date().toISOString(),
      total_vulnerabilities: vulnerabilities.length,
      critical: prioritized.filter(v => v.severity === 'CRITICAL').length,
      high: prioritized.filter(v => v.severity === 'HIGH').length,
      medium: prioritized.filter(v => v.severity === 'MEDIUM').length,
      low: prioritized.filter(v => v.severity === 'LOW').length,
      vulnerabilities: prioritized,
      remediation_plan: await this.generateRemediationPlan(prioritized)
    };
  }
  
  private async prioritizeVulnerabilities(vulnerabilities: Vulnerability[]): Promise<PrioritizedVulnerability[]> {
    return vulnerabilities.map(vuln => ({
      ...vuln,
      priority_score: this.calculatePriorityScore(vuln),
      business_impact: this.assessBusinessImpact(vuln),
      remediation_effort: this.estimateRemediationEffort(vuln)
    })).sort((a, b) => b.priority_score - a.priority_score);
  }
}

Policy Review Cycle:
  Frequency: Annual (or as required by regulation changes)
  Process:
    1. Regulatory change monitoring
    2. Gap analysis
    3. Policy drafting
    4. Stakeholder review
    5. Approval and implementation
    6. Training and communication
 
Key Policies:
  - Information Security Policy
  - Data Protection Policy
  - Incident Response Policy
  - Business Continuity Policy
  - Access Control Policy
  - Vendor Management Policy

Security Awareness Training:
  Frequency: Quarterly
  Audience: All staff
  Topics:
    - Phishing awareness
    - Password security
    - Data handling
    - Incident reporting
    - Social engineering
 
Compliance Training:
  Frequency: Annual
  Audience: All staff handling personal data
  Topics:
    - GDPR requirements
    - HIPAA compliance
    - Data subject rights
    - Breach notification
    - Privacy by design
 
Technical Training:
  Frequency: Bi-annual
  Audience: Technical staff
  Topics:
    - Secure coding practices
    - AWS security features
    - Vulnerability management
    - Incident response procedures
    - Compliance monitoring

// Performance optimisation service
class PerformanceOptimizationService {
  async optimizeSystemPerformance(): Promise<OptimizationReport> {
    const metrics = await this.collectPerformanceMetrics();
    const bottlenecks = await this.identifyBottlenecks(metrics);
    const optimizations = await this.generateOptimizations(bottlenecks);
    
    // Implement safe optimizations
    const results = await this.implementOptimizations(optimizations);
    
    return {
      optimization_date: new Date().toISOString(),
      metrics_analyzed: metrics.length,
      bottlenecks_identified: bottlenecks.length,
      optimizations_applied: results.successful.length,
      performance_improvement: await this.measureImprovement(),
      next_review_date: this.calculateNextReviewDate()
    };
  }
  
  private async identifyBottlenecks(metrics: PerformanceMetric[]): Promise<Bottleneck[]> {
    const bottlenecks = [];
    
    // Database performance analysis
    const dbMetrics = metrics.filter(m => m.category === 'database');
    if (this.averageResponseTime(dbMetrics) > 100) {
      bottlenecks.push({
        type: 'database',
        severity: 'high',
        description: 'Database response time exceeds threshold',
        recommendations: ['Optimise queries', 'Add indexes', 'Scale up capacity']
      });
    }
    
    // Lambda cold start analysis
    const lambdaMetrics = metrics.filter(m => m.category === 'lambda');
    const coldStartRate = this.calculateColdStartRate(lambdaMetrics);
    if (coldStartRate > 0.1) {
      bottlenecks.push({
        type: 'lambda_cold_start',
        severity: 'medium',
        description: 'High cold start rate affecting performance',
        recommendations: ['Increase provisioned concurrency', 'Optimise function size']
      });
    }
    
    return bottlenecks;
  }
}