CAIQ Lite Questionnaire

Do you produce audit assertions using a structured industry framework (e.g., SOC 2, ISO 27001)?

Partial. SOC 2 Type 1 readiness in progress; Type 2 audit window 2026. Inherited SOC 2 Type 2 from all hosting subprocessors.

Are independent third-party audits performed at least annually?

No. First external pen test scheduled 2026. SOC 2 audit scheduled 2026.

Do you make audit reports available to tenants on request?

Yes. Inherited subprocessor SOC 2 reports available under NDA. Our own SOC 2 will be available once issued.

Do you have a documented business continuity / disaster recovery plan?

Partial. Hosting and database providers (Vercel, Turso) provide automated backups and multi-region failover. Application-level DR runbook in development.

Are backups encrypted at rest?

Yes. AES-256, provider-managed keys.

What is the documented RTO / RPO?

Partial. Targeted RTO: 4 hours. Targeted RPO: 24 hours. Formal SLA available with paid programs.

Are production changes peer-reviewed before deployment?

Yes. All production deploys go through pull request review and pass automated checks (CI lint, type, build).

Is unauthorized software prevented from running in production?

Yes. Production deploys are pinned to specific Vercel deployments; only signed-off code from main branch reaches production.

Is sensitive data classified and inventoried?

Yes. Data scope documented at /security and /privacy. No PHI, payment, or consumer data.

Is data encrypted in transit?

Yes. TLS 1.2+ enforced; HSTS enabled.

Is data encrypted at rest?

Yes. AES-256 via provider-managed keys (Turso, Supabase, Vercel).

Are secure data deletion procedures in place?

Yes. Self-serve account deletion; processed within 30 days. Subprocessor deletion follows their respective SLAs.

Is customer data segregated from other tenants?

Yes. Per-respondent rows in shared tables, scoped by user_id and workspace_id; row-level access enforced in application layer.

Are tenants notified before subprocessor changes?

Yes. 14 days notice via email to active members; subprocessor list maintained at /security.

Are cryptographic keys managed by a provider-grade KMS?

Yes. Provider-managed keys at Vercel, Turso, Supabase. No customer-held keys.

Are passwords stored using a one-way hash with salt?

Yes. bcrypt with cost factor 10.

Are secrets and API keys rotated regularly?

Partial. Rotated on staff offboarding and on suspicion of compromise. No fixed rotation calendar.

Do you have documented information security policies?

Partial. Privacy Policy, Terms of Service, DPA, and Security Overview published. Internal information security policy formalization in progress as part of SOC 2 readiness.

Are risk assessments performed periodically?

Partial. Vendor risk assessments performed prior to onboarding any new subprocessor. Formal periodic enterprise risk assessment scheduled as part of SOC 2 cadence.

Is there an information security officer or equivalent role?

Yes. Security and incident response responsibilities held by founder; reachable at security@arcana-research.com.

Are background checks performed on personnel with access to customer data?

Partial. Performed for full-time employees and contractors with production access.

Are personnel required to acknowledge confidentiality and security policies?

Yes. All personnel sign confidentiality agreements; founders bound by company operating agreement.

Is multi-factor authentication required for administrative access?

Yes. Enforced on all production console access (Vercel, Turso, Supabase admin, GitHub).

Is access provisioned on a least-privilege basis?

Yes. Role-based access. Production database direct access restricted to founder.

Is access revoked promptly on role change or termination?

Yes. Standard offboarding checklist; access to all production systems removed within 24 hours.

Is SSO/SAML supported for enterprise customers?

Partial. SSO/SAML available on request as part of paid enterprise programs.

Are user passwords subject to a documented password policy?

Yes. Minimum 8 characters; rejects ~65 common and previously-breached passwords; rejects email-equivalent passwords.

Are failed authentication attempts rate-limited?

Yes. Per-IP: 20 attempts / 15 min on login (10 / hr on register). Per-email: 5 attempts / 15 min — blocks credential-stuffing across rotating IPs.

Are network communications encrypted in transit?

Yes. TLS 1.2+ end-to-end; HSTS enabled.

Is application logging enabled and retained?

Yes. Application and access logs retained 90 days minimum at Vercel.

Are systems scanned for vulnerabilities?

Yes. Automated dependency scanning on every push; high-severity advisories patched within 7 days. Static analysis and secret scanning in CI.

Do you have a documented incident response process?

Yes. Internal IR runbook covering detection, containment, eradication, recovery, and notification.

Are tenants notified of confirmed security incidents within a defined timeframe?

Yes. Notification without undue delay, in any case within 72 hours of confirmation, in alignment with GDPR Article 33 and US state-law timelines.

Is there a process for responsible vulnerability disclosure?

Yes. Disclosure to security@arcana-research.com. Good-faith research encouraged; no legal action for testing within standard responsible-disclosure norms.

Is a list of subprocessors made publicly available?

Yes. Published at /security and /security/brief. Updated with at least 14 days notice before adding any subprocessor.

Are subprocessors bound by data-protection obligations equivalent to your own?

Yes. DPAs in place with all material subprocessors; LLM subprocessors include zero-retention contractual terms.

Are penetration tests performed by independent third parties?

No. First independent pen test scheduled 2026.

Is a malware-protection program in place?

Yes. No execution of customer-supplied code in production. CSP and sandbox controls inherited from Vercel.