Status

The single source of truth for what's documented and where each control stands. Last reviewed 2026-05-03 (twelfth pass).

Twelfth pass (2026-05-03), launch-prep additions for the prospect-facing rollout:

  • new pages for Endpoint security, CAIQ and SIG Lite self-assessments, and a single Contact page consolidating every reason to reach the security team;
  • landing page rebuilt with a quick-links panel + featured-documents tile;
  • pre-launch noindex stripped and robots.txt flipped to the launch version.

Eleventh pass (2026-05-02), weekend hardening:

  • VM swapped to least-priv claim-guard-vm SA + Secure Boot enabled (Tier D);
  • per-org ai_analysis_enabled opt-out gate scaffolded in code (default-on, awaits deploy);
  • password_plain phases 1+2 on chore/weekend-hardening-2026-05-01;
  • HTTPS LB stack built;
  • pm2 startup wired to systemd;
  • stale SSH metadata cleaned;
  • surfaced USE_SECRET_MANAGER-gate-off + leftover IAM "test condition" findings.

Labels:

  • implemented — control is in place and evidence is linked.
  • partial — some of the control is in place; the linked page lists the gap.
  • planned — control is on the roadmap; the linked page lists the gating dependency.
  • — page not yet drafted.

Policies

| Control | Status | Page |
| --- | --- | --- |
| Audit logging (cloud audit logs) | implemented (2026-04-28) | policies/audit-logging.md |
| Cryptography | partial (2026-04-29) | policies/cryptography.md |
| Information security policy | partial (2026-04-29) | policies/information-security-policy.md |
| Acceptable use | partial (2026-04-29) | policies/acceptable-use.md |
| Access management | partial (2026-04-29) | policies/access-management.md |
| Change management | implemented (2026-04-29) | policies/change-management.md |
| Vendor management | partial (2026-04-29) | policies/vendor-management.md |
| Incident response | partial (2026-04-29) | policies/incident-response.md |
| Business continuity | partial (2026-04-29) | policies/business-continuity.md |
| Data classification | partial (2026-04-29) | policies/data-classification.md |
| Data retention | partial (2026-04-29) | policies/data-retention.md |
| Risk management | partial (2026-04-29) | policies/risk-management.md |
| Secure development | implemented | app-security/secure-sdlc.md |

Infrastructure

| Control | Status | Page |
| --- | --- | --- |
| Cloud provider | partial (2026-04-29) | infrastructure/cloud-provider.md |
| Network architecture | partial (2026-04-29) | infrastructure/network-architecture.md |
| Network security | partial (2026-04-29) | infrastructure/network-security.md |
| Hardening | partial (2026-05-02) | infrastructure/hardening.md |
| Secrets management | partial (2026-05-02) | infrastructure/secrets-management.md |

Access control

| Control | Status | Page |
| --- | --- | --- |
| Identity provider | partial (2026-04-29) | access-control/identity-provider.md |
| MFA | partial (2026-04-29) | access-control/mfa.md |
| Privileged access (cloud IAM) | partial (2026-05-02) | access-control/privileged-access.md |
| Endpoint security | partial (2026-05-03) | access-control/endpoint-security.md |

Data security

| Control | Status | Page |
| --- | --- | --- |
| Encryption in transit | partial (2026-04-29) | data-security/encryption-in-transit.md |
| Encryption at rest | partial (2026-04-29) | data-security/encryption-at-rest.md |
| Backups | implemented (2026-04-29) | data-security/backups.md |
| Data residency | partial (2026-04-29) | data-security/data-residency.md |

Application security

| Control | Status | Page |
| --- | --- | --- |
| Snyk remediation summary | implemented (2026-04-26) | app-security/snyk-summary.md |
| Secure SDLC | implemented | app-security/secure-sdlc.md |
| SAST | implemented | app-security/sast.md |
| SCA | implemented | app-security/sca.md |
| Dependency management | implemented (2026-04-29) | app-security/dependency-management.md |
| SBOM | planned (2026-04-29) | app-security/sbom.md |

Product security

| Control | Status | Page |
| --- | --- | --- |
| Authentication | partial (2026-04-30) | product-security/authentication.md |
| Authorization | implemented (2026-04-30) | product-security/authorization.md |
| Application audit logging | partial (2026-04-30) | product-security/audit-logging.md |
| Session management | implemented (2026-04-29) | product-security/session-management.md |

Reports

| Item | Status | Page |
| --- | --- | --- |
| Vulnerability disclosure | implemented (2026-04-29) | reports/vulnerability-disclosure.md |
| Pentest summary | planned (2026-04-29) | reports/pentest-summary.md |

Self-assessments

| Questionnaire | Status | Page |
| --- | --- | --- |
| CAIQ v4 (Cloud Security Alliance) | partial (2026-05-03) — domain coverage public, full questionnaire on NDA request | self-assessments/caiq.md |
| SIG Lite (Shared Assessments) | partial (2026-05-03) — same model | self-assessments/sig-lite.md |

Compliance

| Framework | Status | Page |
| --- | --- | --- |
| SOC 2 Type I | planned (target H2 2026) | compliance/soc2.md |
| ISO 27001 | planned (target 2027) | compliance/iso-27001.md |
| GDPR | partial (2026-04-29) | compliance/gdpr.md |
| CCPA | partial (2026-04-29) | compliance/ccpa.md |

AI

| Control | Status | Page |
| --- | --- | --- |
| AI risk management | partial (2026-04-29) | ai/ai-risk-management.md |
| AI transparency | partial (2026-05-02) | ai/ai-transparency.md |
| Prompt guardrails | partial (2026-04-29) | ai/prompt-guardrails.md |

Legal

| Item | Status | Page |
| --- | --- | --- |
| Subprocessors | implemented (2026-04-29) | legal/subprocessors.md |
| DPA | planned (2026-04-29) | legal/dpa.md |
| Privacy notice | planned (2026-04-29) | legal/privacy-notice.md |