Overview
S.E.T (Secure · Enforce · Train) is a multi-tenant security-posture & compliance (GRC) platform, delivered as two portals:
Brand & UI/UX
Locked design direction. Visual reference: /Users/PC/Downloads/ (logo.png, seticonstransparent.png, S.E.T Platform Pitch Deck.pdf).
Tech Stack
This section is being locked item by item via discussion. Each item below shows the Decision, the Why, and the Field signal (what comparable compliance SaaS run today, based on 2025–2026 research across Vanta, Drata, Scytale, Secureframe, Sprinto, Hyperproof, Wiz, Snyk, Thoropass).
Architecture
This section describes the production architecture (one region). Environment topology (dev / nonprod / production / Phase 2 IL) is covered separately — see the "Environments" section.
Authentication & Identity
- Provider: WorkOS (with AuthKit for hosted login UI)
Multi-Tenancy
Model: Schema-per-Tenant ✅ Locked
Observability & Logging
Two distinct logging tiers, each serving a different audience.
Supply Chain Security
Development is performed by a third-party firm: its developers are GitHub collaborators with no AWS access. They can only propose changes; nothing reaches production without S.E.T-team approval. This section defines how a code change travels safely from a developer's laptop to production, and the controls at each stage.
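The approval rule above ("they can only propose changes; nothing reaches production without S.E.T-team approval") is the kind of check a merge gate or required status check has to implement, and the details matter: an approval given on an older commit must not carry over after the contributor pushes again, an approval from another contractor is not an S.E.T-team approval, and a team member cannot approve their own change. The following is an added example, not S.E.T's own code or a description of its CI; it models a pull request's review metadata in the shape the GitHub API returns it, with constructed logins, team membership and commit SHAs, and applies those rules.

```python
"""Merge-gate check modelling the approval rule for third-party changes.

Added example (not S.E.T's own code). The team name, logins and commit
SHAs are hypothetical; in practice the review list would come from the
pull-request API and the team membership from the org's team API.
"""
from dataclasses import dataclass, field

# Hypothetical membership of the S.E.T team that must approve every change.
SET_TEAM = {"set-alice", "set-bob"}


@dataclass
class Review:
    reviewer: str
    state: str        # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    commit_sha: str   # head commit the review was submitted against


@dataclass
class PullRequest:
    author: str
    head_sha: str
    reviews: list = field(default_factory=list)  # in chronological order


def merge_allowed(pr: PullRequest, team: set = SET_TEAM) -> tuple[bool, str]:
    """Return (allowed, reason) for the pull request.

    Rules enforced:
      1. A review only counts if it was given on the current head commit,
         so a later push cannot ride on a stale approval.
      2. The approver must be a member of the S.E.T team.
      3. The approver must not be the PR author (no self-approval).
      4. An outstanding CHANGES_REQUESTED from a team member blocks the merge.
    Only a reviewer's latest verdict on the current head is kept; plain
    COMMENTED reviews do not replace an earlier verdict.
    """
    latest: dict[str, str] = {}
    for r in pr.reviews:
        if r.commit_sha != pr.head_sha:
            continue  # stale review on an older commit: ignore
        if r.state in ("APPROVED", "CHANGES_REQUESTED"):
            latest[r.reviewer] = r.state
    blockers = [u for u, s in latest.items()
                if s == "CHANGES_REQUESTED" and u in team]
    if blockers:
        return False, f"changes requested by {sorted(blockers)}"
    approvers = [u for u, s in latest.items()
                 if s == "APPROVED" and u in team and u != pr.author]
    if not approvers:
        return False, "no S.E.T-team approval on the current head commit"
    return True, f"approved by {sorted(approvers)}"


def demo() -> dict:
    """Constructed cases; returns each case's (allowed, reason) verdict."""
    cases = {}
    # Contractor approves a colleague's PR: not an S.E.T-team approval.
    cases["vendor_only"] = merge_allowed(PullRequest(
        author="vendor-dev", head_sha="c0ffee",
        reviews=[Review("vendor-dev2", "APPROVED", "c0ffee")]))
    # Team member approved, then the contractor pushed a new commit.
    cases["stale"] = merge_allowed(PullRequest(
        author="vendor-dev", head_sha="deadbeef",
        reviews=[Review("set-alice", "APPROVED", "c0ffee")]))
    # Team member approves the current head commit.
    cases["ok"] = merge_allowed(PullRequest(
        author="vendor-dev", head_sha="deadbeef",
        reviews=[Review("set-alice", "APPROVED", "deadbeef")]))
    # One team member approved, another requested changes.
    cases["blocked"] = merge_allowed(PullRequest(
        author="vendor-dev", head_sha="deadbeef",
        reviews=[Review("set-alice", "APPROVED", "deadbeef"),
                 Review("set-bob", "CHANGES_REQUESTED", "deadbeef")]))
    # A team member's own PR still needs a second team member.
    cases["self"] = merge_allowed(PullRequest(
        author="set-alice", head_sha="deadbeef",
        reviews=[Review("set-alice", "APPROVED", "deadbeef")]))
    return cases


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'MERGE' if ok else 'BLOCK':5} {why}")
```

The check is deliberately keyed on the head commit SHA rather than on "has an approval" so that a contractor cannot push additional commits after review; whatever hosts the gate, the same rule should also be configured on the branch itself (dismissing stale approvals on new pushes) so the gate is not the only line of defence.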
Secure SDLC (SSDLC)
Document control
Secure SDLC — Policies (19 items)
Environments
Two-tier model — nonprod + prod — on AWS using an AWS Organizations multi-account structure. Referenced by the Architecture and Supply Chain & CI/CD Security sections.
User Flows — Admin
Status: Admin portal — complete. Customer portal — now detailed from the updated MVP code (zip dated 2026-05-25). Screens that are still genuine placeholders in the code are marked [PLANNED — not yet built] with their intended purpose. Written in plain language (no technical/function detail) for inclusion in the formal document.
User Flows — Customer
Used by the MSSP's clients. Mostly read-only — real inputs are filling assigned questionnaires, uploading documents/policies, building org structure, managing the vendor list, and ticking off remediation steps. Organized as 6 top domains (Compliance, Security, Supply Chain, Training, BCP, Monitoring), each with its own sub-menu. Clicking a domain swaps the left sidebar to that domain's sub-tabs and opens its main dashboard.
Downloads & Reports
Interactive and downloadable artifacts that accompany the specification.