# Cloud Security Alliance CAIQ v4
Pre-filled responses to the Consensus Assessments Initiative Questionnaire v4. Ship this to procurement.
## AIS · Application & Interface Security
| ID | Question | Response |
|---|---|---|
| AIS-01 | Are application security policies documented? | Yes — `docs/PHASE8_OWNER_CHECKLIST.md` plus internal Notion. Reviewed annually. |
| AIS-02 | OWASP-aligned development practices? | Yes. Dependabot + `pnpm audit` weekly. TypeScript strict + Zod input validation on every API surface. |
| AIS-03 | Input validation across APIs? | Yes — Zod on every external input (form, query, webhook, API response). |
| AIS-04 | Output encoding to prevent XSS? | Yes — React/Next default escaping; no `dangerouslySetInnerHTML` on untrusted input. |
| AIS-05 | API authentication? | HMAC-signed session cookies for users; Bearer `CRON_SECRET` for internal cron; WorkOS SAML for enterprise. |
## BCR · Business Continuity Management & Operational Resilience
| ID | Question | Response |
|---|---|---|
| BCR-01 | Documented BC plan? | Yes — see /trust/bcdr. RTO 4h, RPO 1h. |
| BCR-02 | Tested annually? | Quarterly. DR test runbook in /trust/bcdr. |
| BCR-03 | Hot-standby region? | Multi-region — Frankfurt primary, Dublin failover. |
| BCR-04 | Backup retention? | Supabase PITR 7-day; daily logical backups to S3-EU; GitHub repo mirror. |
## CCC · Change Control & Configuration Management
| ID | Question | Response |
|---|---|---|
| CCC-01 | Source control system? | GitHub. Branch protection on `main`. PR review enforced. |
| CCC-02 | Automated build/deploy? | Vercel auto-deploy on `main`; preview deploys per PR. `pnpm typecheck && pnpm lint` gate. |
| CCC-03 | Change advisory board? | No formal CAB (not applicable for a pre-Series-A SaaS). Solo founder + on-call review for prod-impacting migrations. |
## DSI · Data Security & Information Lifecycle
| ID | Question | Response |
|---|---|---|
| DSI-01 | Data classification? | Public / Internal / Restricted (customer trade data). Restricted is RLS-locked with anon DENY policies. |
| DSI-02 | Encryption at rest? | AES-256 — Supabase Postgres default, Vercel Edge Config, S3 backups. |
| DSI-03 | Encryption in transit? | TLS 1.3 enforced; HSTS preload. |
| DSI-04 | Data residency? | eu-central-1 (Frankfurt) for Postgres + backups. AI inference: us-east-1 today; eu-central-1 Bedrock option for enterprise. |
| DSI-05 | Data deletion on request? | GDPR Art. 17 — user can delete account; `audit_log` rows anonymised (FK SET NULL) but retained per CFTC 1.31 / SEC 17a-4. |
## GRM · Governance & Risk Management
| ID | Question | Response |
|---|---|---|
| GRM-01 | Information security policy? | Yes. Annual review. Aligned to SOC 2 CC criteria. |
| GRM-02 | Risk-assessment framework? | OWASP Top 10 + STRIDE for new features. Risk register maintained in Notion. |
| GRM-03 | Independent audit? | SOC 2 Type II in progress. Pre-audit gap analysis completed. |
## HRS · Human Resources
| ID | Question | Response |
|---|---|---|
| HRS-01 | Background checks? | Yes — all contractors with prod access undergo right-to-work + criminal-record check. |
| HRS-02 | Confidentiality agreements? | Yes — every contractor signs an NDA before access. |
| HRS-03 | Security awareness training? | Annual; new joiners onboarded with phishing simulation. |
## IAM · Identity & Access Management
| ID | Question | Response |
|---|---|---|
| IAM-01 | MFA enforced for prod access? | Yes — Vercel, Supabase, GitHub, Resend, Stripe all require MFA. WorkOS SAML for enterprise customers. |
| IAM-02 | Least-privilege roles? | Service-role keys only in cron and admin contexts. Anon Supabase client elsewhere. |
| IAM-03 | Access reviews? | Quarterly. Allowlist of admin emails maintained in Vercel env. |
| IAM-04 | Off-boarding revocation? | Same-day. Vercel + GitHub + Supabase access tied to corporate email. |
## IVS · Infrastructure & Virtualization Security
| ID | Question | Response |
|---|---|---|
| IVS-01 | Hypervisor source? | Not applicable — fully managed (Vercel Functions, Supabase). No raw VMs. |
| IVS-02 | Network segmentation? | Supabase network policies; Vercel firewall on `/api/*` for cron auth. |
## IPY · Interoperability & Portability
| ID | Question | Response |
|---|---|---|
| IPY-01 | Data export? | Yes — CSV export of journal trades, packets, `audit_log` on customer request. |
| IPY-02 | Open standards? | REST + JSON. SAML 2.0 + SCIM 2.0 for identity. |
## MOS · Mobile Security
| ID | Question | Response |
|---|---|---|
| MOS-01 | Mobile app? | Not applicable — web-only product. |
## SEF · Security Incident Management
| ID | Question | Response |
|---|---|---|
| SEF-01 | Documented incident response plan? | Yes. P0 SLA 1h; P1 SLA 4h. Detection via Sentry + Vercel runtime logs. |
| SEF-02 | Breach notification SLA? | 72h to affected customers per GDPR Art. 33. |
## STA · Supply Chain Management, Transparency & Accountability
| ID | Question | Response |
|---|---|---|
| STA-01 | Sub-processor list? | Published at /trust/sub-processors. |
| STA-02 | Sub-processor due diligence? | Each is SOC 2 or ISO 27001 certified. Listed with trust-page URLs at /trust/sub-processors. |
## TVM · Threat & Vulnerability Management
| ID | Question | Response |
|---|---|---|
| TVM-01 | Vulnerability scanning? | Yes — Dependabot daily; `pnpm audit` in CI; manual review on major-version bumps. |
| TVM-02 | Penetration testing? | Annual third-party pentest scheduled post-SOC-2. |
| TVM-03 | Patching cadence? | Critical: same-day. High: 7 days. Medium: 30 days. |