Compliance Checklist (GDPR/NIS2/ISO27k — Lite)

• Data mapping & lawful basis recorded (GDPR Art. 6)
• Minimal personal data in logs; retention policy defined
• Access controls, MFA for admins
• Incident response procedure (24‑72h)
• Supply‑chain security (SBOM optional), CodeQL enabled
• Host hardening applied (“13+2”)