ACR-5.10v1.1

In shared or multi-customer environments, the system SHALL enforce strict isolation preventing any c

Domain

05 — Domain 5: Data Privacy and Information Protection

Eval Method

AT+HSAT+HS

Risk Weight

5 / 10

Applicability

L1L2L3

Description#

In shared or multi-customer environments, the system SHALL enforce strict isolation preventing any customer's data from appearing in another customer's inputs, outputs, context, or model state.

Evaluation Method#

AT+HSAT+HS

Evaluation methodology as specified by the assigned method code.

v1.1 Details#

Profile Applicability

S,A,C

Evaluation Frequency

Quarterly

Platform Cert Eligible

Framework Crosswalk Refs

NIST SP 800-53 SC-4; CSA AICM DS-02; OWASP LLM-06

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-5.09: The system SHALL implement automated detection and prevention of personally identifiable information Next →ACR-5.11: The system SHALL prevent data from prior sessions, conversations, or user contexts from leaking into

In shared or multi-customer environments, the system SHALL enforce strict isolation preventing any c

Description#

Evaluation Method#

v1.1 Details#

Classification#