Our security posture, mapped to the CAIQ v4 domains.
This is a self-assessment summary of our posture across the 17 Cloud Controls Matrix domains that underpin the CSA CAIQ v4 — one honest answer per domain, not an audit. It gives your procurement team a fast read of where we stand from this page.
Domain summary, not the full question-level workbook. This is a per-domain summary aligned to CAIQ v4, not the question-by-question CAIQ spreadsheet — if you need the full CAIQ v4 workbook completed for your vendor process, ask and we will provide it. Answers reflect our posture as reviewed against the code; where a control is partial or planned, we say so and link the gap to the roadmap. A downloadable copy of this summary is at /trust/caiq.json.
By domain
| Domain | State | Answer |
|---|---|---|
| A&A — Audit & Assurance | Planned | No third-party audit or certification yet. We publish this self-assessment and a public security posture; independent assurance (ISO 27001, SOC 2) is trigger-gated. |
| AIS — Application & Interface Security | Partial | Input validation and authenticated APIs; the supplier registry and invoice-detail view mask payment fields server-side with a permission-gated, audited reveal, and one remaining payment API surface (the integration API's read-results endpoint) is being brought under the same masking (see roadmap R-ACCESS-01). |
| BCR — Business Continuity & Operational Resilience | Planned | Single-host deployment today; automated encrypted off-site backups with a tested restore are on the roadmap (R-BCP-01). No RPO/RTO published. |
| CCC — Change Control & Configuration Management | Implemented | All changes go through version control and peer-reviewed pull requests, with a single required CI gate (test-and-build) that must pass before merge and deployment. That gate covers the Go, worker, compose, and API-image checks and the web app's lint, typecheck, and build (make web-check). |
| CEK — Cryptography, Encryption & Key Management | Partial | TLS 1.2/1.3 in transit externally; AES-256-GCM for invoice files at rest. Database column encryption (R-CRYPTO-02), key rotation (R-KMS-01), and internal TLS (R-CRYPTO-01) are on the roadmap. |
| DCS — Datacenter Security | Inherited | Inherited from Hetzner's ISO 27001-certified datacentre in Finland (Helsinki, HEL1-DC8). |
| DSP — Data Security & Privacy Lifecycle | Partial | EU data storage (Hetzner, Finland), with the always-on Cloudflare edge and the opt-in Resend/mailbox/Telegram paths as the disclosed exceptions; UK GDPR processor terms; deletion on termination handled as a manual operational process today (self-serve export/purge on the roadmap). Retention records and RoPA are being formalised. |
| GRC — Governance, Risk & Compliance | Partial | Public risk register (roadmap R-* IDs) and ICO registration; formal ISMS governance is in progress. |
| HRS — Human Resources Security | Partial | Confidentiality obligations bind personnel; formal screening/awareness controls are lightweight at current team size. |
| IAM — Identity & Access Management | Partial | Argon2id credentials, granular workspace permissions, and permission-gated reveal for invoice payment details. MFA and SSO are on the roadmap (R-AUTH-01). |
| IPY — Interoperability & Portability | Partial | An API-key-authenticated integration API and machine-readable sub-processor/CAIQ lists are provided. There is no self-serve bulk export yet — data export and return for exit or portability is handled manually on request today; self-serve export tooling is on the roadmap. |
| IVS — Infrastructure & Virtualization Security | Partial | Services are network-isolated on a hardened single host with a default-deny firewall; internal service TLS is on the roadmap. |
| LOG — Logging & Monitoring | Partial | Application audit trail for supplier, reveal, review, and approval actions; tamper-evidence and read/auth event logging are on the roadmap (R-AUDIT-01). |
| SEF — Security Incident Management & Forensics | Partial | Incident response runs through the engineering on-call rota; a published disclosure policy and security contact exist. No 24×7 SOC at current size. |
| STA — Supply Chain, Transparency & Accountability | Implemented | Full sub-processor list published with a machine-readable JSON feed and a 30-day change-notice commitment. In our production configuration, invoice content is not sent to a third-party OCR, AI, or analytics vendor; extraction runs on models we host ourselves. |
| TVM — Threat & Vulnerability Management | Partial | Go dependencies are pinned and checksummed via go.mod/go.sum; the Python worker currently uses version-constrained ranges without a lockfile (a locked install is a follow-up). CI build/test checks run on every change, and we operate a coordinated disclosure programme with safe harbour. Automated software-composition analysis (dependency vulnerability scanning / auto-updates such as Dependabot or govulncheck) is not yet wired and is on our roadmap; no independent penetration test performed yet (R-CERT-01). |
| UEM — Universal Endpoint Management | Planned | Formal endpoint-management controls (MDM, disk encryption policy enforcement) are planned as the team grows. |