# Sukma Compliance Implementation and Validation Guide

Effective Date: February 27, 2026

This guide explains what Sukma has implemented across FERPA-ready,
SOC audit-ready, and WCAG 2.1 AA-ready workstreams, and how institutions
or internal teams can validate those controls.

## Scope and Positioning

In scope:
- Institution-managed session, course, and user-data workflows
- Independent learner privacy controls for personal-account workflows
- `course-service`, `user-service`, `sukma` frontend, and `supergraph`

Allowed public wording:
- FERPA-ready / FERPA-aligned
- SOC audit-ready controls
- WCAG 2.1 AA-ready baseline

Not allowed until external audit outcomes exist:
- SOC certified
- SOC attested
- SOC compliant as a finalized assurance claim

## What Is Implemented

### FERPA-Ready Governance

- Audience query dual-write into session records and normalized lifecycle records
- Organization policy controls for retention, deletion, and related governance settings
- Conversation payload redaction once the retention window elapses, with record metadata and audit history preserved
- Explicit organization purge across governed conversation records, audience queries, examples, assessments, whiteboards, and session summaries
- Purge workflows with hold windows and incident-aware controls
- Session continuity through structured summaries rather than indefinite raw-message storage

### SOC Audit-Ready Controls

- Compliance control registry, evidence model, and exception model
- Access review workflow with auditable start and completion records
- Hardened evidence ingestion with service authentication and content-hash enforcement (submissions whose declared hash does not match the artifact are rejected)
- Owner and admin gates for compliance-critical actions
- Support for MFA enforcement on compliance-critical workflows

### Independent Learner Privacy Controls

- Clear separation between institution-governed and personal-account handling
- OTP-verified summary recipients for parental or observer visibility
- Recipient add, verify, and revoke audit records
- Public privacy and terms materials for personal-account use

### Accessibility Baseline

- Live captions and transcripts for session experiences
- Keyboard-operable session and chat controls
- Screen-reader labels, announcements, and semantic structure
- Accessibility validation for high-use learner and host workflows

## How to Validate

Validate in this order:
1. Schema and type integrity
2. Authorization and security gates
3. Data lifecycle behavior (write, retain, redact, purge)
4. UX behavior (realtime, fallback, and accessibility)
5. Evidence generation and export readiness

## Example Validation Areas

- Audience query history survives refresh and reconnect
- Retention policies redact payload content without losing audit history
- Access review start and completion produce evidence receipts
- Compliance mutations enforce owner/admin controls and optional MFA gates
- Accessibility checks confirm keyboard and screen-reader usability on critical flows

## Why This Matters to Buyers

Institutions evaluating Sukma should not have to rely on broad trust
claims. They should be able to review how controls are implemented, how
operational evidence is created, and how governance boundaries are
maintained in practice.
