Shared Assessments SIG-Lite v1.0
Pre-filled responses to the Shared Assessments SIG-Lite v1.0 standardised vendor-risk questionnaire. Drop-in for vendor onboarding.
| Field | Response |
|---|---|
| Audit log retention | 7 years, per CFTC 1.31 / SEC 17a-4. Stored in the audit_log table; the anon role is denied all access and the service role is write-only. |
| Data Processing Addendum | GDPR Art. 28 DPA. Standard Contractual Clauses Module Two. |
| Data residency | eu-central-1 (Frankfurt) for Postgres + backups. Optional eu-central-1 Bedrock for AI inference. |
| Encryption in transit / at rest | TLS 1.3 / AES-256. |
| Authentication factors | WorkOS SAML 2.0 + SCIM 2.0 for enterprise. MFA required across all admin paths. |
| Code quality controls | TypeScript strict, Zod input validation, Dependabot, `pnpm audit` weekly. |
| Logging & monitoring | Sentry runtime error capture. Vercel runtime logs. Per-service health endpoints are surfaced at /status. |
| Email vendor | Resend. |
| Billing vendor | Stripe Checkout + Customer Portal. |
| Identity vendor | WorkOS (SAML 2.0 + SCIM 2.0). |
| AI inference vendor | Anthropic (claude-opus-4-7). Bedrock optional for on-prem. |
| Vulnerability disclosure policy | security@edgefx.xyz — 90-day coordinated disclosure window. |
| Breach notification SLA | 72 hours per GDPR Art. 33. |
| Right to be forgotten | GDPR Art. 17. Account deletion within 30 days; audit_log rows anonymised, not deleted (regulatory retention). |
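The audit-log controls described in the "Audit log retention" and "Right to be forgotten" rows (anon denied, service role write-only, rows anonymised rather than deleted under the retention rule) can be expressed as PostgreSQL grants plus a trigger. The following is an added illustration, not the vendor's own schema or migration: the role names `anon` and `service_role` follow the questionnaire's wording, while the column names, the trigger and the `anonymise_audit_actor` function are assumptions made for the example.

```sql
-- Added example; not the vendor's schema. Assumes PostgreSQL 11+ with two roles:
--   anon          : unauthenticated API role (must see nothing)
--   service_role  : backend writer (append only, no read-back, no rewrite)
-- Column names below are hypothetical.

CREATE TABLE IF NOT EXISTS audit_log (
  id            bigserial    PRIMARY KEY,
  occurred_at   timestamptz  NOT NULL DEFAULT now(),
  actor_id      uuid,                          -- who acted; nulled on erasure
  actor_email   text,                          -- PII; nulled on erasure
  action        text         NOT NULL,         -- what happened; always retained
  details       jsonb        NOT NULL DEFAULT '{}'::jsonb,
  anonymised_at timestamptz                    -- set when an Art. 17 request is honoured
);

-- "anon DENY": neither the public role nor anon may touch the table at all.
REVOKE ALL ON audit_log FROM PUBLIC;
REVOKE ALL ON audit_log FROM anon;

-- "service-role write only": the backend may append rows but cannot SELECT,
-- UPDATE or DELETE them, which keeps the log append-only for the 7-year window.
GRANT INSERT ON audit_log TO service_role;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO service_role;

-- Defence in depth: even a role that later gains UPDATE/DELETE cannot rewrite
-- history. The only UPDATE allowed is the anonymisation shape (PII nulled,
-- anonymised_at set, every other column unchanged).
CREATE OR REPLACE FUNCTION audit_log_guard() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF TG_OP = 'DELETE' THEN
    RAISE EXCEPTION 'audit_log is append-only: DELETE is not permitted (regulatory retention)';
  END IF;

  IF NEW.occurred_at <> OLD.occurred_at
     OR NEW.action     <> OLD.action
     OR NEW.details    <> OLD.details
     OR NEW.actor_id   IS NOT NULL
     OR NEW.actor_email IS NOT NULL
     OR NEW.anonymised_at IS NULL THEN
    RAISE EXCEPTION 'audit_log is append-only: only anonymisation of actor fields is permitted';
  END IF;

  RETURN NEW;
END;
$$;

DROP TRIGGER IF EXISTS audit_log_append_only ON audit_log;
CREATE TRIGGER audit_log_append_only
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_guard();

-- Right-to-be-forgotten path: runs as the table owner (SECURITY DEFINER), so the
-- service role can anonymise an actor's rows without ever holding UPDATE itself.
-- Returns the number of rows anonymised.
CREATE OR REPLACE FUNCTION anonymise_audit_actor(p_actor uuid) RETURNS bigint
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
  n bigint;
BEGIN
  UPDATE audit_log
     SET actor_id      = NULL,
         actor_email   = NULL,
         anonymised_at = now()
   WHERE actor_id = p_actor
     AND anonymised_at IS NULL;
  GET DIAGNOSTICS n = ROW_COUNT;
  RETURN n;
END;
$$;

REVOKE ALL ON FUNCTION anonymise_audit_actor(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION anonymise_audit_actor(uuid) TO service_role;

-- Usage (as service_role) when processing an account deletion:
--   INSERT INTO audit_log (actor_id, actor_email, action) VALUES ('<uuid>', 'user@example.com', 'login');
--   SELECT anonymise_audit_actor('<uuid>');
--   SELECT * FROM audit_log;  -- fails: service_role has no SELECT
```

The split between grants and the trigger matters: grants decide who may write, the trigger decides what a write may look like, so a mis-issued `GRANT UPDATE` or a compromised backend credential still cannot delete or alter the `action` and `details` columns that the retention rule protects. Erasure is deliberately narrow (actor fields only) so the same mechanism cannot be used to scrub what was done, only who did it.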