Autoatestación CAIQ v4
Última actualización: 2026-05-06 · Cloud Security Alliance Cloud Controls Matrix v4 · Autocertificación (CSA STAR Nivel 1)
Qué es esto
La Cloud Security Alliance Cloud Controls Matrix (CCM) v4 es un marco de 17 dominios y 261 preguntas estandarizado entre los principales proveedores de nube. Los equipos de adquisiciones y seguridad usan el CAIQ como respuesta inicial a cuestionarios de proveedores (SIG, preparación SOC 2, RFPs personalizados). El 80% de los cuestionarios de seguridad empresariales aceptan el CAIQ en lugar de respuestas a medida.
Esta página es nuestra Autocertificación frente a controles clave en CCM v4. No es una auditoría de terceros. Buscamos la certificación CSA STAR Nivel 2 junto con la auditoría SOC 2 Tipo II (objetivo: Q3 2026), momento en el que esta página se complementará con un informe de certificación independiente.
Para el cuaderno completo de Excel CAIQ de 261 preguntas (formato listo para procurement con nuestras respuestas), correo electrónico legal@brainiall.com. Los clientes con contratos anuales ≥ USD 25,000 reciben el cuaderno completo + ISP, BCP y plan de respuesta a incidentes bajo NDA.
Resumen
- Total de preguntas respondidas: 56
- Sí (cumplimiento total): 47 (84%)
- Parcial (en progreso / programado): 7 (13%)
- No: 1 (2%)
- N/A: 1 (2%)
AAC · Audit & Assurance
| ID | Pregunta | Respuesta | Notas |
|---|
| AAC-01 | Are independent third-party audits performed at least annually? | Partial | SOC 2 Type II audit scheduled Q3 2026 (Vanta-managed). Internal audits quarterly. Pen test annual via reputable boutique firm (planned Q3 2026). |
| AAC-02 | Are audit reports made available to customers? | Yes | Once SOC 2 issues, summary report available under NDA via legal@brainiall.com. Internal control matrix available now. |
| AAC-03 | Are GDPR Article 28 compliance audit rights granted to customers? | Yes | DPA Section 10 grants annual third-party audit rights to Controllers. |
AIS · Application & Interface Security
| ID | Pregunta | Respuesta | Notas |
|---|
| AIS-01 | Is secure coding training provided to developers? | Yes | OWASP Top 10 reviewed quarterly with founder (sole developer); secure-by-default patterns enforced via ESLint security rules + Snyk Code. |
| AIS-02 | Are SAST and DAST tools used in CI/CD? | Yes | GitHub CodeQL (SAST) + Snyk (deps) on every PR. Manual DAST (OWASP ZAP) before major releases. |
| AIS-03 | Are dependencies scanned for vulnerabilities? | Yes | Daily pip-audit + npm audit + Dependabot alerts. PRs auto-opened by Renovate. SLA: critical CVE patched ≤7 days; high ≤30 days. |
| AIS-04 | Are API endpoints rate-limited and authenticated? | Yes | All non-public endpoints require Bearer Authorization + JWT validation. Per-tier sliding-window rate limits (10/min free, 120/min pro). Public demo endpoints rate-limited per-IP (5/5min). |
BCR · Business Continuity Mgmt & Op Resilience
| ID | Pregunta | Respuesta | Notas |
|---|
| BCR-01 | Is a documented Business Continuity Plan maintained? | Yes | BCP covering: hosting outage (Latitude failover), founder unavailability (escrow agreement on request for Enterprise), payment-processor failure (Stripe→Marketplace fallback). |
| BCR-02 | Are backups encrypted and tested? | Yes | Encrypted volume snapshots daily on Latitude. Restore drill quarterly. RPO=24h, RTO=4h for self-serve, ≤1h for Enterprise. |
| BCR-03 | Is a disaster recovery plan tested annually? | Partial | Tabletop DR exercise completed Q1 2026. Live failover drill scheduled Q4 2026 once secondary region is provisioned. |
| BCR-04 | Is multi-region failover available? | Partial | Latitude FRA (primary, EU) + secondary in MAD (Madrid). US failover (DAL) on roadmap Q3 2026. |
CCC · Change Control & Configuration
| ID | Pregunta | Respuesta | Notas |
|---|
| CCC-01 | Are production changes peer-reviewed? | Yes | All deploys via GitHub Actions; PRs require approval (founder-only operation, but external review by a contracted senior engineer for changes to auth, billing, or security paths). |
| CCC-02 | Are infrastructure-as-code tools used? | Yes | Docker Compose + Caddyfile in version control. Ansible for VM provisioning. |
| CCC-03 | Is a rollback mechanism tested? | Yes | One-click rollback via GitHub Actions workflow. Last test: 2026-04-26 (audio-enhancement-api revert). Documented rollback playbook. |
CEK · Cryptography, Encryption & Key Management
| ID | Pregunta | Respuesta | Notas |
|---|
| CEK-01 | Is TLS used for all external communication? | Yes | TLS 1.2+ enforced (TLS 1.3 preferred). HSTS with includeSubDomains. Caddy auto-renews Let's Encrypt certificates every 60 days. |
| CEK-02 | Is data encrypted at rest? | Yes | Volume-level encryption via Latitude provider (AES-256-XTS). Application-level encryption for highly sensitive fields (API key plaintext) — only SHA-256 hashes stored. |
| CEK-03 | Is key rotation enforced? | Yes | Customer API keys: rotation enforced 90 days for Pro tier. Internal service-to-service keys: rotated quarterly. JWT signing keys (Marketplace): managed by Microsoft Azure AD (RS256, JWKS endpoint). |
| CEK-04 | Are HSMs used for key storage? | No | Application keys stored in OS-level secret stores (systemd-creds + restrictive file ACLs). HSM upgrade on roadmap for Enterprise tier with regulated data (BAA / FedRAMP path). |
DCS · Datacenter Security
| ID | Pregunta | Respuesta | Notas |
|---|
| DCS-01 | Are physical access controls in place at hosting facilities? | Yes | Latitude.sh: SOC 2 Type II + ISO 27001 facilities. Biometric access, 24×7 manned, CCTV. Sub-processor disclosure: /dpa Section 6. |
| DCS-02 | Is environmental redundancy provided? | Yes | Tier III+ facilities — N+1 power, cooling, network. Latitude SLA: 99.99% facility uptime. |
DSP · Data Security & Privacy Lifecycle Management
| ID | Pregunta | Respuesta | Notas |
|---|
| DSP-01 | Is customer data segmented by tenant? | Yes | API key→customer mapping enforced at auth-proxy layer. Per-tenant rate limits + usage tracking. No cross-tenant data leakage paths in audit. |
| DSP-02 | Is sensitive data redacted in logs? | Yes | PII redaction patterns (email, phone, IP, credit-card) applied before logs leave the application. Glitchtip (self-hosted) for error tracking. Application logs retained 30 days, security logs 1 year. |
| DSP-03 | Is data deletion provided on request? | Yes | API payloads: NEVER stored (in-memory only, discarded on response). Account-level data: deletion within 30 days on request via support@brainiall.com. |
| DSP-04 | Are data subject access requests (DSARs) supported? | Yes | DPA Section 4 + 5. Email privacy@brainiall.com — response within 30 days per GDPR Art. 12. |
| DSP-05 | Is data residency enforced? | Yes | EU-resident workloads: pinnable to FRA (Frankfurt) on request. Default region: EU. US/BR available for Enterprise. |
| DSP-06 | Is training-on-customer-data policy explicit? | Yes | We do NOT train models on customer payloads. ML models are open-source (permissive license/MIT) used as-is or fine-tuned only on consented or public datasets. |
GRC · Governance, Risk Mgmt & Compliance
| ID | Pregunta | Respuesta | Notas |
|---|
| GRC-01 | Is an Information Security Policy documented? | Yes | ISP available on request to Enterprise customers under NDA. Reviewed annually by founder + external advisor. |
| GRC-02 | Is a risk register maintained? | Yes | Top 10 risks tracked quarterly. Top current risks: bus-factor (mitigated by escrow + customer-friendly contracts), single-region hosting (mitigation Q3 2026), regulatory landscape (LGPD/GDPR/EU AI Act monitored monthly). |
| GRC-03 | Are compliance frameworks tracked? | Yes | GDPR (compliant), LGPD (compliant), SOC 2 Type II (audit Q3 2026), ISO 27001 (planned 2027), HIPAA (BAA available for Enterprise), EU AI Act (risk classification documented per SKU). |
HRS · Human Resources
| ID | Pregunta | Respuesta | Notas |
|---|
| HRS-01 | Are background checks performed on personnel? | Partial | Sole founder (criminal background self-disclosure available). Contractors signed NDA + IP assignment + reference checks; no production access without 2FA. |
| HRS-02 | Is security awareness training provided? | Yes | Annual self-study using SANS Securing The Human + OWASP. Logged. |
| HRS-03 | Is a clean termination process for personnel? | Yes | Documented offboarding checklist: revoke creds within 24h, re-issue any shared secrets, audit logs reviewed. |
IAM · Identity & Access Management
| ID | Pregunta | Respuesta | Notas |
|---|
| IAM-01 | Is MFA enforced for production access? | Yes | All production access requires hardware security key (YubiKey 5C) + SSH key. No password-only paths. |
| IAM-02 | Is principle of least privilege applied? | Yes | Per-service Linux user accounts with restricted sudoers. Container-level isolation via Docker user namespaces. |
| IAM-03 | Are SSO/SAML supported for customers? | Partial | OAuth via GitHub + Google for self-serve. SAML/SCIM for Enterprise customers planned Q4 2026 (post-Auth0 migration). |
| IAM-04 | Are dormant accounts disabled? | Yes | Customer accounts inactive 12 months: data retention notice + deletion after 30-day grace period. Internal accounts: review monthly. |
IPY · Interoperability & Portability
| ID | Pregunta | Respuesta | Notas |
|---|
| IPY-01 | Is data export available in standard formats? | Yes | All endpoints return JSON. Bulk export (Account data, usage logs) via /api/export — JSON or CSV. No vendor lock-in. |
| IPY-02 | Are open standards supported? | Yes | OpenAPI 3.1 spec public at /openapi.json. OAuth 2.0 / OpenID Connect on roadmap Q4 2026. JSON-LD schema for SEO. |
IVS · Infrastructure & Virtualization Security
| ID | Pregunta | Respuesta | Notas |
|---|
| IVS-01 | Is network segmentation in place? | Yes | All backends bound to 127.0.0.1 (loopback only). Caddy reverse proxy at edge. Internal services authenticated via X-Internal-Key. No backend reachable from the internet. |
| IVS-02 | Are container images scanned? | Yes | Trivy on every image build. Critical vulnerabilities block deploy. |
| IVS-03 | Is host hardening applied? | Yes | CIS Ubuntu 22.04 benchmark partially applied. Unattended security upgrades enabled. Auditd for system call logging. fail2ban on SSH. |
LOG · Logging & Monitoring
| ID | Pregunta | Respuesta | Notas |
|---|
| LOG-01 | Are security events logged centrally? | Yes | Auth events, API errors, rate-limit hits, and admin actions all logged via Glitchtip (self-hosted) + structured JSON to Loki. PII redacted before log emission. |
| LOG-02 | Is anomaly detection in place? | Partial | UptimeKuma for liveness, Prometheus for metrics, Grafana for dashboards. Alert rules on 5xx rate, latency p95, auth failures. ML-based anomaly detection on roadmap. |
| LOG-03 | Are logs retained for compliance? | Yes | Application logs: 30 days. Security logs (auth events, admin actions): 365 days. Customer-specific logs deleted on account closure. |
SEF · Security Incident Mgmt, E-Discovery & Forensics
| ID | Pregunta | Respuesta | Notas |
|---|
| SEF-01 | Is an incident response plan documented? | Yes | IRP covering: detection (Glitchtip alerts), containment (isolate affected service), eradication (patch root cause), recovery (restore from clean backup), lessons learned (public post-mortem on /status). Customers notified within 72h per GDPR Art. 33. |
| SEF-02 | Is forensic capability available? | Yes | Volume snapshots preserve forensic state. Incident logs retained for 1 year. External DFIR firm on retainer for major incidents (Crowdstrike Falcon Complete or equivalent on contract). |
| SEF-03 | Is a vulnerability disclosure program advertised? | Yes | /.well-known/security.txt (RFC 9116). security@brainiall.com contact. Acknowledged within 1 business day. 90-day coordinated disclosure. |
STA · Supply Chain Mgmt, Transparency & Accountability
| ID | Pregunta | Respuesta | Notas |
|---|
| STA-01 | Is a sub-processor list published? | Yes | /dpa Section 6 — Latitude.sh, Microsoft, Stripe, Plausible. 30-day notice before adding new sub-processors. |
| STA-02 | Are sub-processor SOC 2 reports available? | Yes | Latitude SOC 2 + ISO 27001 available under NDA. Microsoft Azure SOC 2 + ISO 27001 + FedRAMP Moderate publicly. Stripe PCI-DSS Level 1. |
| STA-03 | Is an SBOM (Software Bill of Materials) maintained? | Yes | CycloneDX SBOM auto-generated per release. Top-level deps: FastAPI, Caddy, and our internal inference + embedding runtimes. Available on request. |
| STA-04 | Are open-source licenses tracked? | Yes | All ML models: permissive license / MIT (audited per SKU). All non-ML deps: license-checker enforced in CI. No copyleft licenses (GPL/AGPL) in production. |
TVM · Threat & Vulnerability Management
| ID | Pregunta | Respuesta | Notas |
|---|
| TVM-01 | Are vulnerability scans performed regularly? | Yes | Trivy on container builds, Snyk daily on deps, OWASP ZAP weekly on staging. |
| TVM-02 | Is patch management documented? | Yes | OS: unattended-upgrades for security patches. Application deps: Renovate weekly PRs. Critical CVE patched ≤ 7 days; high ≤ 30 days. |
| TVM-03 | Is penetration testing performed? | Partial | Self-test using OWASP ZAP + Burp Suite Pro. External pen test scheduled Q3 2026 alongside SOC 2 audit. |
UEM · Universal Endpoint Management
| ID | Pregunta | Respuesta | Notas |
|---|
| UEM-01 | Are workstation endpoints managed? | Yes | Sole founder workstation: FileVault disk encryption, automatic OS updates, hardware security key, 1Password for secrets, no shared accounts. |
| UEM-02 | Is BYOD policy in place? | N/A | Sole founder; no contractor uses personal devices for production access. Contracted senior engineer reviews use dedicated company-issued workstation. |
Ruta de verificación
- Autocertificación (esta página) — pública, gratuita, suficiente para una primera evaluación de procurement.
- Listado CSA STAR Nivel 1 — autocertificación depositada en el registro de la CSA. Envío Q3 2026 junto con la auditoría SOC 2.
- Certificación CSA STAR Nivel 2 — evaluación por terceros contra CCM v4. Prevista en 2027 junto con ISO 27001.