{
  "manifestVersion": "0.2",
  "subject": {
    "layer": "service",
    "name": "employee-onboarding-portal",
    "version": "5.12.0",
    "sbomRef": "https://artifacts.corp.example/employee-onboarding-portal/5.12.0/sbom.cdx.json",
    "components": [
      {
        "layer": "artifact",
        "name": "onboarding-portal-api",
        "version": "5.12.0",
        "digest": {
          "sha256": "9f3e8d7c6b5a49382716e0a5b4c3d2e1f0987654321fedcba0987654321fedcb"
        },
        "manifestUri": "https://artifacts.corp.example/onboarding-portal-api/5.12.0/sam.json"
      },
      {
        "layer": "artifact",
        "name": "onboarding-portal-worker",
        "version": "5.12.0",
        "digest": {
          "sha256": "1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809"
        },
        "manifestUri": "https://artifacts.corp.example/onboarding-portal-worker/5.12.0/sam.json"
      }
    ]
  },
  "intent": {
    "purpose": "Internal portal that orchestrates employee onboarding across HRIS (Workday), identity (Okta), IT provisioning (ServiceNow), and benefits enrollment. Used by HR, IT, and new hires within the corporate network. Not internet-exposed.",
    "audience": "multi_user_single_org",
    "tenancy": {
      "model": "none",
      "dataResidency": [
        "EU",
        "DE"
      ]
    },
    "outOfScope": [
      "Public internet exposure",
      "Multi-tenant deployment",
      "Use outside the corporate identity domain",
      "Self-service deployment by business units (centrally operated only)"
    ]
  },
  "envelope": {
    "throughput": {
      "targetRps": 25,
      "maxRps": 100,
      "latency": {
        "p50Ms": 150,
        "p95Ms": 500,
        "p99Ms": 1500
      },
      "concurrency": {
        "maxConcurrentRequests": 200,
        "maxConcurrentUsers": 800
      }
    },
    "scaling": {
      "axis": "horizontal",
      "stateful": false,
      "maxInstances": 4
    },
    "instantiation": {
      "mode": "leader_elected",
      "coordinationDependency": "postgres advisory locks (for nightly Workday sync)"
    },
    "privilege": {
      "runtime": "unprivileged",
      "filesystemAccess": "read_only"
    },
    "network": {
      "posture": "bidirectional",
      "exposedPorts": [
        {
          "port": 8443,
          "protocol": "https",
          "purpose": "Portal UI + API, behind corporate load balancer"
        }
      ],
      "requiredEgress": [
        {
          "host": "workday.corp.example",
          "port": 443,
          "protocol": "https",
          "purpose": "HRIS read/write \u2014 employee records"
        },
        {
          "host": "corp.okta.com",
          "port": 443,
          "protocol": "https",
          "purpose": "SCIM provisioning, SAML AuthN"
        },
        {
          "host": "servicenow.corp.example",
          "port": 443,
          "protocol": "https",
          "purpose": "IT asset request workflows"
        },
        {
          "host": "smtp.corp.example",
          "port": 587,
          "protocol": "tcp",
          "purpose": "Notification email"
        }
      ]
    },
    "persistence": {
      "required": true,
      "stores": [
        "sql"
      ]
    },
    "dependencies": [
      {
        "name": "Workday",
        "type": "saas",
        "criticality": "critical",
        "failureMode": "fail_closed",
        "dataFlow": "bidirectional",
        "dataClassifications": [
          "pii",
          "confidential"
        ],
        "jurisdiction": [
          "US"
        ],
        "alternative": "not_substitutable",
        "industryRefs": [
          {
            "standard": "EU DORA",
            "version": "2022/2554",
            "conformance": "Article 28 critical ICT third-party provider"
          },
          {
            "standard": "ISO/IEC 27036",
            "version": "2014"
          }
        ]
      },
      {
        "name": "Okta",
        "type": "identity_provider",
        "criticality": "critical",
        "failureMode": "fail_closed",
        "dataFlow": "bidirectional",
        "dataClassifications": [
          "pii"
        ],
        "jurisdiction": [
          "US"
        ],
        "alternative": "partially_substitutable",
        "industryRefs": [
          {
            "standard": "EU DORA",
            "version": "2022/2554",
            "conformance": "Article 28"
          },
          {
            "standard": "NIST SP 800-161",
            "version": "Rev. 1"
          }
        ]
      },
      {
        "name": "ServiceNow",
        "type": "saas",
        "criticality": "important",
        "failureMode": "queued",
        "dataFlow": "egress_only",
        "dataClassifications": [
          "internal"
        ],
        "jurisdiction": [
          "US"
        ],
        "alternative": "partially_substitutable"
      },
      {
        "name": "Corporate SMTP",
        "type": "infrastructure",
        "criticality": "supportive",
        "failureMode": "queued",
        "dataFlow": "egress_only",
        "dataClassifications": [
          "internal",
          "pii"
        ],
        "jurisdiction": [
          "US"
        ],
        "alternative": "substitutable"
      }
    ],
    "serviceLevels": {
      "availability": "99.5% during business hours; best-effort overnight",
      "rpoMinutes": 60,
      "rtoMinutes": 240,
      "supportWindow": "business-hours-EU",
      "incidentResponse": {
        "criticalHours": 1,
        "highHours": 4,
        "mediumHours": 24,
        "lowHours": 72
      },
      "vulnerabilityPatch": {
        "criticalDays": 7,
        "highDays": 30,
        "mediumDays": 90,
        "lowDays": 180
      },
      "industryRefs": [
        {
          "standard": "SOC 2",
          "conformance": "Type 2 \u2014 availability + security trust criteria",
          "auditor": "PwC",
          "auditPeriod": "2025-04-01 to 2026-03-31"
        }
      ]
    }
  },
  "qualityAttributes": {
    "functionalSuitability": {
      "overall": {
        "status": "verified",
        "summary": "All onboarding workflows tested against Workday and Okta sandboxes weekly. Functional spec maintained in /docs/spec.",
        "industryRefs": [
          {
            "standard": "ISO/IEC 25010",
            "version": "2023"
          }
        ]
      }
    },
    "performanceEfficiency": {
      "overall": {
        "status": "declared",
        "summary": "Sized for ~800 concurrent users (peak onboarding cohorts). No load test on production-equivalent data."
      }
    },
    "compatibility": {
      "overall": {
        "status": "verified",
        "summary": "Integrates via standard enterprise identity and provisioning protocols. No proprietary connectors.",
        "industryRefs": [
          {
            "standard": "SAML",
            "version": "2.0",
            "referenceUri": "https://docs.oasis-open.org/security/saml/v2.0/"
          },
          {
            "standard": "SCIM",
            "version": "2.0",
            "referenceUri": "https://datatracker.ietf.org/doc/html/rfc7644"
          },
          {
            "standard": "OpenAPI",
            "version": "3.0.3"
          }
        ]
      },
      "subCharacteristics": {
        "coExistence": {
          "status": "declared",
          "summary": "Runs alongside other internal portals in the same Kubernetes namespace; no shared state."
        }
      }
    },
    "interactionCapability": {
      "overall": {
        "status": "verified",
        "summary": "Audited annually. AA conformance required for internal HR systems by corporate policy.",
        "industryRefs": [
          {
            "standard": "WCAG",
            "version": "2.2",
            "conformance": "AA",
            "referenceUri": "https://www.w3.org/TR/WCAG22/"
          }
        ],
        "evidence": [
          {
            "type": "accessibility_audit",
            "uri": "https://corp-audit.example/onboarding-portal/2026-Q1/wcag22-aa-report.pdf"
          }
        ]
      },
      "subCharacteristics": {
        "inclusivity": {
          "status": "verified",
          "summary": "Keyboard-only navigation, screen reader tested with NVDA and JAWS, color contrast 4.5:1 minimum."
        },
        "userAssistance": {
          "status": "declared",
          "summary": "Inline help, runbooks for HR ops in /docs/runbooks/onboarding."
        }
      }
    },
    "reliability": {
      "overall": {
        "status": "declared",
        "summary": "Designed for 99.5% during business hours (corporate standard for tier-2 internal apps). Best-effort outside business hours."
      },
      "subCharacteristics": {
        "recoverability": {
          "status": "verified",
          "summary": "Hourly Postgres backups, RPO 1h / RTO 4h verified quarterly via DR drill."
        }
      }
    },
    "security": {
      "overall": {
        "status": "verified",
        "summary": "Tier-2 internal app under corporate ISMS. Annual pentest. Quarterly access review.",
        "industryRefs": [
          {
            "standard": "ISO/IEC 27001",
            "version": "2022",
            "conformance": "certified scope: corp ISMS",
            "auditor": "BSI",
            "auditPeriod": "2024-09-01 to 2027-08-31",
            "dateAttested": "2024-09-15T00:00:00Z"
          },
          {
            "standard": "NIST SP 800-53",
            "version": "Rev. 5",
            "conformance": "Moderate baseline"
          },
          {
            "standard": "SOC 2",
            "conformance": "Type 2",
            "auditor": "PwC",
            "auditPeriod": "2025-04-01 to 2026-03-31",
            "dateAttested": "2026-04-20T00:00:00Z"
          },
          {
            "standard": "OWASP ASVS",
            "version": "5.0",
            "conformance": "L2"
          },
          {
            "standard": "CIS Benchmarks",
            "version": "Kubernetes",
            "conformance": "Corporate baseline applied"
          },
          {
            "standard": "NIST SP 800-190",
            "version": "1.0"
          }
        ],
        "evidence": [
          {
            "type": "security_scan",
            "uri": "https://corp-sec.example/onboarding-portal/2026-Q1/pentest-report.pdf"
          }
        ]
      },
      "subCharacteristics": {
        "confidentiality": {
          "status": "verified",
          "summary": "PII and SSN encrypted at rest with KMS, TLS 1.3 in transit. Field-level encryption for compensation data."
        },
        "authenticity": {
          "status": "verified",
          "summary": "SAML 2.0 SSO via Okta. mTLS to Workday. No local password store."
        },
        "accountability": {
          "status": "verified",
          "summary": "All write operations logged with actor, timestamp, and before/after values to an immutable audit store."
        },
        "nonRepudiation": {
          "status": "declared",
          "summary": "Audit log signed daily, exported to corporate SIEM."
        }
      }
    },
    "maintainability": {
      "overall": {
        "status": "declared",
        "summary": "Owned by HR Tech team. ADRs in repo. ~80% behavioral test coverage."
      },
      "subCharacteristics": {
        "testability": {
          "status": "verified",
          "summary": "Contract tests against Workday and Okta sandboxes run in CI."
        },
        "modifiability": {
          "status": "declared",
          "summary": "Workflow steps are configuration-driven, not hardcoded."
        }
      }
    },
    "flexibility": {
      "overall": {
        "status": "declared",
        "summary": "Deployable to corporate Kubernetes (primary) or VM (legacy datacenter fallback). Not designed for public-cloud deployment."
      },
      "subCharacteristics": {
        "installability": {
          "status": "verified",
          "summary": "Helm chart maintained for corporate K8s. Documented prerequisites: corp PKI cert, Okta SAML registration, Workday API credentials."
        },
        "scalability": {
          "status": "declared",
          "summary": "Horizontal to 4 instances; beyond that, the Workday API rate limit is the bottleneck."
        },
        "replaceability": {
          "status": "not_applicable",
          "summary": "No replacement contract; integrators bind to internal API directly."
        }
      }
    },
    "safety": {
      "overall": {
        "status": "not_applicable",
        "summary": "Administrative system; no physical or safety-critical surface."
      }
    }
  },
  "extensions": {
    "observability": {
      "status": "verified",
      "summary": "Structured JSON logs (PII redacted), Prometheus metrics scraped by corp Observability platform, OTLP traces.",
      "industryRefs": [
        {
          "standard": "OpenTelemetry",
          "version": "1.40.0"
        }
      ]
    },
    "dataLifecycle": {
      "status": "verified",
      "summary": "I-9 forms retained 3 years from hire OR 1 year from termination, whichever is later (8 CFR 274a.2). Payroll and tax records retained 7 years (IRS / SOX \u00a7802 / Reg S-X 2-06). Other employee PII purged on termination plus a cooldown period, unless under legal hold. Audit logs retained 10 years per corporate retention policy.",
      "industryRefs": [
        {
          "standard": "SOX",
          "conformance": "Section 802 (record retention)"
        },
        {
          "standard": "8 CFR 274a.2",
          "conformance": "I-9 retention rule"
        },
        {
          "standard": "GDPR",
          "conformance": "Article 17 (right to erasure, with legal-claims exception under Article 17(3)(e))"
        },
        {
          "standard": "ISO/IEC 25012",
          "version": "2008"
        },
        {
          "standard": "NIST SP 800-88 Rev. 1",
          "conformance": "Media sanitization for terminated employee data and decommissioned hardware"
        }
      ]
    },
    "internationalization": {
      "status": "declared",
      "summary": "EN, ES, FR, DE, JA. CLDR-based formatting. Workday locale propagated to portal session.",
      "industryRefs": [
        {
          "standard": "Unicode CLDR",
          "version": "46"
        }
      ]
    }
  },
  "tensionsDeclared": [
    {
      "tension": "cap_pacelc",
      "posture": "CP within session, AP across regions",
      "rationale": "Onboarding workflow correctness requires read-after-write within a session; cross-region replication is async (DR only)."
    },
    {
      "tension": "observability_pii",
      "posture": "Field-level redaction at logger; SSN, compensation, address never logged",
      "rationale": "Audit log lives in a hardened store; application logs go to corporate ELK with broader access. The two retention regimes diverge intentionally."
    }
  ],
  "producer": {
    "name": "HR Technology, Acme Corp",
    "contact": "hr-tech@corp.example",
    "issuedAt": "2026-04-26T15:00:00Z",
    "validFor": "P180D",
    "x-corp-cost-center": "HRTECH-OPS"
  }
}
