$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Domain summary, not the full question-level workbook. This is a per-domain summary aligned to CAIQ v4, not the question-by-question CAIQ spreadsheet — if you need the full CAIQ v4 workbook completed for your vendor process, ask and we will provide it. Answers reflect our posture as reviewed against the code; where a control is partial or planned, we say so and link the gap to the roadmap. A downloadable copy of this summary is at /trust/caiq.json.

By domain

DomainStateAnswer
A&AAudit & AssurancePlannedNo third-party audit or certification yet. We publish this self-assessment and a public security posture; independent assurance (ISO 27001, SOC 2) is trigger-gated.
AISApplication & Interface SecurityPartialInput validation and authenticated APIs; the supplier registry and invoice-detail view mask payment fields server-side with a permission-gated, audited reveal, and one remaining payment API surface (the integration API's read-results endpoint) is being brought under the same masking (see roadmap R-ACCESS-01).
BCRBusiness Continuity & Operational ResiliencePlannedSingle-host deployment today; automated encrypted off-site backups with a tested restore are on the roadmap (R-BCP-01). No RPO/RTO published.
CCCChange Control & Configuration ManagementImplementedAll changes go through version control and peer-reviewed pull requests, with a single required CI gate (test-and-build) that must pass before merge and deployment. That gate covers the Go, worker, compose, and API-image checks and the web app's lint, typecheck, and build (make web-check).
CEKCryptography, Encryption & Key ManagementPartialTLS 1.2/1.3 in transit externally; AES-256-GCM for invoice files at rest. Database column encryption (R-CRYPTO-02), key rotation (R-KMS-01), and internal TLS (R-CRYPTO-01) are on the roadmap.
DCSDatacenter SecurityInheritedInherited from Hetzner's ISO 27001-certified datacentre in Finland (Helsinki, HEL1-DC8).
DSPData Security & Privacy LifecyclePartialEU data storage (Hetzner, Finland), with the always-on Cloudflare edge and the opt-in Resend/mailbox/Telegram paths as the disclosed exceptions; UK GDPR processor terms; deletion on termination handled as a manual operational process today (self-serve export/purge on the roadmap). Retention records and RoPA are being formalised.
GRCGovernance, Risk & CompliancePartialPublic risk register (roadmap R-* IDs) and ICO registration; formal ISMS governance is in progress.
HRSHuman Resources SecurityPartialConfidentiality obligations bind personnel; formal screening/awareness controls are lightweight at current team size.
IAMIdentity & Access ManagementPartialArgon2id credentials, granular workspace permissions, and permission-gated reveal for invoice payment details. MFA and SSO are on the roadmap (R-AUTH-01).
IPYInteroperability & PortabilityPartialAn API-key-authenticated integration API and machine-readable sub-processor/CAIQ lists are provided. There is no self-serve bulk export yet — data export and return for exit or portability is handled manually on request today; self-serve export tooling is on the roadmap.
IVSInfrastructure & Virtualization SecurityPartialServices are network-isolated on a hardened single host with a default-deny firewall; internal service TLS is on the roadmap.
LOGLogging & MonitoringPartialApplication audit trail for supplier, reveal, review, and approval actions; tamper-evidence and read/auth event logging are on the roadmap (R-AUDIT-01).
SEFSecurity Incident Management & ForensicsPartialIncident response runs through the engineering on-call rota; a published disclosure policy and security contact exist. No 24×7 SOC at current size.
STASupply Chain, Transparency & AccountabilityImplementedFull sub-processor list published with a machine-readable JSON feed and a 30-day change-notice commitment. In our production configuration, invoice content is not sent to a third-party OCR, AI, or analytics vendor; extraction runs on models we host ourselves.
TVMThreat & Vulnerability ManagementPartialGo dependencies are pinned and checksummed via go.mod/go.sum; the Python worker currently uses version-constrained ranges without a lockfile (a locked install is a follow-up). CI build/test checks run on every change, and we operate a coordinated disclosure programme with safe harbour. Automated software-composition analysis (dependency vulnerability scanning / auto-updates such as Dependabot or govulncheck) is not yet wired and is on our roadmap; no independent penetration test performed yet (R-CERT-01).
UEMUniversal Endpoint ManagementPlannedFormal endpoint-management controls (MDM, disk encryption policy enforcement) are planned as the team grows.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]