Trust

Honest about what we hold, honest about what we don't.

Vendor diligence is the rule, not the exception. This page exists so a security reviewer can quickly see our posture on the frameworks they care about — including the ones we have not yet earned.

Framework alignment

Where we stand on each, today.

CMMC 2.0

Level 1 self-assessment in progress. Level 2 is the target for engagements that touch CUI, on a customer-driven timeline.

NIST SP 800-171

Control mapping maintained internally. Available under NDA. Rev. 3 alignment in progress as engagements require.

SOC 2

Aligned with Trust Services Criteria. Formal Type II audit pursued in partnership with the first customer whose deployment requires it.

ISO 27001

Not currently certified. Architecture and operational controls designed to be portable to a future ISMS.

FedRAMP

Not currently authorized. Path supported via partnership with an authorized hosting provider when an engagement requires it.

CJIS

Not currently certified. Compatible deployment topology available for a controlled-environment engagement.

ITAR / EAR

Not currently registered. We do not handle ITAR-controlled technical data on the public platform; registration would be triggered by a specific engagement.

DFARS 252.204-7012

Architecture supports the safeguarding and incident-reporting requirements of DFARS 7012 for environments that handle CDI.

We use "aligned with", "in progress", and "not currently held" deliberately. No line on this page should be read as a claim of certification we have not earned.

Controls

Architecture-level controls applied across every deployment.

Encryption

TLS 1.2+ in transit, AES-256 at rest. FIPS 140-3 validated cryptographic modules available in regulated deployments.

Identity

Google OAuth and email/password authentication via Supabase. Enterprise SSO (SAML 2.0 / OIDC) available as engagement-driven add-on. RBAC at the data layer via Postgres row-level security; workflow-level RBAC engagement-scoped. No long-lived credentials in source or images.

Data residency

US-region defaults. Single-tenant and air-gapped topologies available, scoped per customer.

Audit

Immutable event log of ingest, validation, and workflow runs. Exportable to customer SIEM (Splunk, Sentinel, Chronicle).

Supply chain

SBOM generated on every release. Signed releases. S2C2F-aligned source provenance.

Incident response

Documented IR runbook. Customer notification commitments defined per contract; default posture aligns with DFARS 7012 timelines.

Reviewing us

What we provide during a security review.

  • Architecture diagram and accreditation-boundary description
  • NIST 800-171 control mapping (under NDA)
  • SBOM for the deployed release
  • Penetration-test summary on request
  • Sample audit-log export and lineage record
  • Standard MSA, DPA, and BAA templates where applicable

Start with /engagement — security review fits naturally into the Discovery phase.