{"organisation":"FIT PUP LTD","companyNumber":"15766852","framework":"CAIQ v4 / CCM-aligned domain summary (self-assessment, not an audit) — one answer per CCM domain, not the question-level CAIQ v4 workbook; the full workbook is available on request","lastReviewed":"2026-07-13","domains":[{"code":"A&A","domain":"Audit & Assurance","status":"planned","answer":"No third-party audit or certification yet. We publish this self-assessment and a public security posture; independent assurance (ISO 27001, SOC 2) is trigger-gated."},{"code":"AIS","domain":"Application & Interface Security","status":"partial","answer":"Input validation and authenticated APIs; the supplier registry and invoice-detail view mask payment fields server-side with a permission-gated, audited reveal, and one remaining payment API surface (the integration API's read-results endpoint) is being brought under the same masking (see roadmap R-ACCESS-01)."},{"code":"BCR","domain":"Business Continuity & Operational Resilience","status":"planned","answer":"Single-host deployment today; automated encrypted off-site backups with a tested restore are on the roadmap (R-BCP-01). No RPO/RTO published."},{"code":"CCC","domain":"Change Control & Configuration Management","status":"implemented","answer":"All changes go through version control and peer-reviewed pull requests, with a single required CI gate (test-and-build) that must pass before merge and deployment. That gate covers the Go, worker, compose, and API-image checks and the web app's lint, typecheck, and build (make web-check)."},{"code":"CEK","domain":"Cryptography, Encryption & Key Management","status":"partial","answer":"TLS 1.2/1.3 in transit externally; AES-256-GCM for invoice files at rest. Database column encryption (R-CRYPTO-02), key rotation (R-KMS-01), and internal TLS (R-CRYPTO-01) are on the roadmap."},{"code":"DCS","domain":"Datacenter Security","status":"inherited","answer":"Inherited from Hetzner's ISO 27001-certified datacentre in Finland (Helsinki, HEL1-DC8)."},{"code":"DSP","domain":"Data Security & Privacy Lifecycle","status":"partial","answer":"EU data storage (Hetzner, Finland), with the always-on Cloudflare edge and the opt-in Resend/mailbox/Telegram paths as the disclosed exceptions; UK GDPR processor terms; deletion on termination handled as a manual operational process today (self-serve export/purge on the roadmap). Retention records and RoPA are being formalised."},{"code":"GRC","domain":"Governance, Risk & Compliance","status":"partial","answer":"Public risk register (roadmap R-* IDs) and ICO registration; formal ISMS governance is in progress."},{"code":"HRS","domain":"Human Resources Security","status":"partial","answer":"Confidentiality obligations bind personnel; formal screening/awareness controls are lightweight at current team size."},{"code":"IAM","domain":"Identity & Access Management","status":"partial","answer":"Argon2id credentials, granular workspace permissions, and permission-gated reveal for invoice payment details. MFA and SSO are on the roadmap (R-AUTH-01)."},{"code":"IPY","domain":"Interoperability & Portability","status":"partial","answer":"An API-key-authenticated integration API and machine-readable sub-processor/CAIQ lists are provided. There is no self-serve bulk export yet — data export and return for exit or portability is handled manually on request today; self-serve export tooling is on the roadmap."},{"code":"IVS","domain":"Infrastructure & Virtualization Security","status":"partial","answer":"Services are network-isolated on a hardened single host with a default-deny firewall; internal service TLS is on the roadmap."},{"code":"LOG","domain":"Logging & Monitoring","status":"partial","answer":"Application audit trail for supplier, reveal, review, and approval actions; tamper-evidence and read/auth event logging are on the roadmap (R-AUDIT-01)."},{"code":"SEF","domain":"Security Incident Management & Forensics","status":"partial","answer":"Incident response runs through the engineering on-call rota; a published disclosure policy and security contact exist. No 24×7 SOC at current size."},{"code":"STA","domain":"Supply Chain, Transparency & Accountability","status":"implemented","answer":"Full sub-processor list published with a machine-readable JSON feed and a 30-day change-notice commitment. In our production configuration, invoice content is not sent to a third-party OCR, AI, or analytics vendor; extraction runs on models we host ourselves."},{"code":"TVM","domain":"Threat & Vulnerability Management","status":"partial","answer":"Go dependencies are pinned and checksummed via go.mod/go.sum; the Python worker currently uses version-constrained ranges without a lockfile (a locked install is a follow-up). CI build/test checks run on every change, and we operate a coordinated disclosure programme with safe harbour. Automated software-composition analysis (dependency vulnerability scanning / auto-updates such as Dependabot or govulncheck) is not yet wired and is on our roadmap; no independent penetration test performed yet (R-CERT-01)."},{"code":"UEM","domain":"Universal Endpoint Management","status":"planned","answer":"Formal endpoint-management controls (MDM, disk encryption policy enforcement) are planned as the team grows."}]}