CAIQ v4 Autodétermination
Dernière mise à jour : 2026-05-06 · Cloud Security Alliance Cloud Controls Matrix v4 · Autocertification (CSA STAR Niveau 1)
Ce que c'est
L’Alliance de la Cloud Security Matrix de contrôle en nuage (CCM) v4 Il s’agit d’un cadre de 17 domaines, de 261 questions standardisé parmi les principaux fournisseurs de cloud. Les équipes d’approvisionnement et de sécurité utilisent le CAIQ comme une réponse de premier pas aux questionnaires fournisseurs (SIG, SOC 2 prêt, RFPs personnalisés). 80% des questionnaires de sécurité d’entreprise acceptent le CAIQ au lieu de répondre.
Cette page est notre Autocertification Nous poursuivons la certification CSA STAR Level 2 à côté de l'audit Contrôles SOC 2 en place (audit Type II prévu T3 2026) (objectif Q3 2026), auquel point cette page sera complétée par un rapport d'attestation indépendant.
Pour un livre de travail complet de 261 questions CAIQ Excel (Format prêt à l'offre avec nos réponses), email legal@brainiall.comLes clients sur les contrats annuels ≥ 25 000 USD reçoivent le livre de travail complet + ISP, BCP et le plan de réponse aux incidents dans le cadre de la NDA.
Résumé
- Questions complètes répliquées : 56
- Oui (compliance complète) : 47 (84%)
- Partiel (en progrès / prévu) : 7 (13%)
- Non pas : 1 (2%)
- N / A : 1 (2%)
AAC · Audit & Assurance
| Identification | Question | Répondre | Notes |
|---|
| AAC-01 | Are independent third-party audits performed at least annually? | Partial | SOC 2 Type II audit scheduled Q3 2026 (Vanta-managed). Internal audits quarterly. Pen test annual via reputable boutique firm (planned Q3 2026). |
| AAC-02 | Are audit reports made available to customers? | Yes | Once SOC 2 issues, summary report available under NDA via legal@brainiall.com. Internal control matrix available now. |
| AAC-03 | Are GDPR Article 28 compliance audit rights granted to customers? | Yes | DPA Section 10 grants annual third-party audit rights to Controllers. |
AIS · Application & Interface Security
| Identification | Question | Répondre | Notes |
|---|
| AIS-01 | Is secure coding training provided to developers? | Yes | OWASP Top 10 reviewed quarterly with founder (sole developer); secure-by-default patterns enforced via ESLint security rules + Snyk Code. |
| AIS-02 | Are SAST and DAST tools used in CI/CD? | Yes | GitHub CodeQL (SAST) + Snyk (deps) on every PR. Manual DAST (OWASP ZAP) before major releases. |
| AIS-03 | Are dependencies scanned for vulnerabilities? | Yes | Daily pip-audit + npm audit + Dependabot alerts. PRs auto-opened by Renovate. SLA: critical CVE patched ≤7 days; high ≤30 days. |
| AIS-04 | Are API endpoints rate-limited and authenticated? | Yes | All non-public endpoints require Bearer Authorization + JWT validation. Per-tier sliding-window rate limits (10/min free, 120/min pro). Public demo endpoints rate-limited per-IP (5/5min). |
BCR · Business Continuity Mgmt & Op Resilience
| Identification | Question | Répondre | Notes |
|---|
| BCR-01 | Is a documented Business Continuity Plan maintained? | Yes | BCP covering: hosting outage (Latitude failover), founder unavailability (escrow agreement on request for Enterprise), payment-processor failure (Stripe→Marketplace fallback). |
| BCR-02 | Are backups encrypted and tested? | Yes | Encrypted volume snapshots daily on Latitude. Restore drill quarterly. RPO=24h, RTO=4h for self-serve, ≤1h for Enterprise. |
| BCR-03 | Is a disaster recovery plan tested annually? | Partial | Tabletop DR exercise completed Q1 2026. Live failover drill scheduled Q4 2026 once secondary region is provisioned. |
| BCR-04 | Is multi-region failover available? | Partial | Latitude FRA (primary, EU) + secondary in MAD (Madrid). US failover (DAL) on roadmap Q3 2026. |
CCC · Change Control & Configuration
| Identification | Question | Répondre | Notes |
|---|
| CCC-01 | Are production changes peer-reviewed? | Yes | All deploys via GitHub Actions; PRs require approval (founder-only operation, but external review by a contracted senior engineer for changes to auth, billing, or security paths). |
| CCC-02 | Are infrastructure-as-code tools used? | Yes | Docker Compose + Caddyfile in version control. Ansible for VM provisioning. |
| CCC-03 | Is a rollback mechanism tested? | Yes | One-click rollback via GitHub Actions workflow. Last test: 2026-04-26 (audio-enhancement-api revert). Documented rollback playbook. |
CEK · Cryptography, Encryption & Key Management
| Identification | Question | Répondre | Notes |
|---|
| CEK-01 | Is TLS used for all external communication? | Yes | TLS 1.2+ enforced (TLS 1.3 preferred). HSTS with includeSubDomains. Caddy auto-renews Let's Encrypt certificates every 60 days. |
| CEK-02 | Is data encrypted at rest? | Yes | Volume-level encryption via Latitude provider (AES-256-XTS). Application-level encryption for highly sensitive fields (API key plaintext) — only SHA-256 hashes stored. |
| CEK-03 | Is key rotation enforced? | Yes | Customer API keys: rotation enforced 90 days for Pro tier. Internal service-to-service keys: rotated quarterly. JWT signing keys (Marketplace): managed by Microsoft Azure AD (RS256, JWKS endpoint). |
| CEK-04 | Are HSMs used for key storage? | No | Application keys stored in OS-level secret stores (systemd-creds + restrictive file ACLs). HSM upgrade on roadmap for Enterprise tier with regulated data (BAA / FedRAMP path). |
DCS · Datacenter Security
| Identification | Question | Répondre | Notes |
|---|
| DCS-01 | Are physical access controls in place at hosting facilities? | Yes | Latitude.sh: SOC 2 Type II + ISO 27001 facilities. Biometric access, 24×7 manned, CCTV. Sub-processor disclosure: /dpa Section 6. |
| DCS-02 | Is environmental redundancy provided? | Yes | Tier III+ facilities — N+1 power, cooling, network. Latitude SLA: 99.99% facility uptime. |
DSP · Data Security & Privacy Lifecycle Management
| Identification | Question | Répondre | Notes |
|---|
| DSP-01 | Is customer data segmented by tenant? | Yes | API key→customer mapping enforced at auth-proxy layer. Per-tenant rate limits + usage tracking. No cross-tenant data leakage paths in audit. |
| DSP-02 | Is sensitive data redacted in logs? | Yes | PII redaction patterns (email, phone, IP, credit-card) applied before logs leave the application. Glitchtip (self-hosted) for error tracking. Application logs retained 30 days, security logs 1 year. |
| DSP-03 | Is data deletion provided on request? | Yes | API payloads: NEVER stored (in-memory only, discarded on response). Account-level data: deletion within 30 days on request via support@brainiall.com. |
| DSP-04 | Are data subject access requests (DSARs) supported? | Yes | DPA Section 4 + 5. Email privacy@brainiall.com — response within 30 days per GDPR Art. 12. |
| DSP-05 | Is data residency enforced? | Yes | EU-resident workloads: pinnable to FRA (Frankfurt) on request. Default region: EU. US/BR available for Enterprise. |
| DSP-06 | Is training-on-customer-data policy explicit? | Yes | We do NOT train models on customer payloads. ML models are open-source (permissive license/MIT) used as-is or fine-tuned only on consented or public datasets. |
GRC · Governance, Risk Mgmt & Compliance
| Identification | Question | Répondre | Notes |
|---|
| GRC-01 | Is an Information Security Policy documented? | Yes | ISP available on request to Enterprise customers under NDA. Reviewed annually by founder + external advisor. |
| GRC-02 | Is a risk register maintained? | Yes | Top 10 risks tracked quarterly. Top current risks: bus-factor (mitigated by escrow + customer-friendly contracts), single-region hosting (mitigation Q3 2026), regulatory landscape (LGPD/GDPR/EU AI Act monitored monthly). |
| GRC-03 | Are compliance frameworks tracked? | Yes | GDPR (compliant), LGPD (compliant), SOC 2 Type II (audit Q3 2026), ISO 27001 (planned 2027), HIPAA (BAA available for Enterprise), EU AI Act (risk classification documented per SKU). |
HRS · Human Resources
| Identification | Question | Répondre | Notes |
|---|
| HRS-01 | Are background checks performed on personnel? | Partial | Sole founder (criminal background self-disclosure available). Contractors signed NDA + IP assignment + reference checks; no production access without 2FA. |
| HRS-02 | Is security awareness training provided? | Yes | Annual self-study using SANS Securing The Human + OWASP. Logged. |
| HRS-03 | Is a clean termination process for personnel? | Yes | Documented offboarding checklist: revoke creds within 24h, re-issue any shared secrets, audit logs reviewed. |
IAM · Identity & Access Management
| Identification | Question | Répondre | Notes |
|---|
| IAM-01 | Is MFA enforced for production access? | Yes | All production access requires hardware security key (YubiKey 5C) + SSH key. No password-only paths. |
| IAM-02 | Is principle of least privilege applied? | Yes | Per-service Linux user accounts with restricted sudoers. Container-level isolation via Docker user namespaces. |
| IAM-03 | Are SSO/SAML supported for customers? | Partial | OAuth via GitHub + Google for self-serve. SAML/SCIM for Enterprise customers planned Q4 2026 (post-Auth0 migration). |
| IAM-04 | Are dormant accounts disabled? | Yes | Customer accounts inactive 12 months: data retention notice + deletion after 30-day grace period. Internal accounts: review monthly. |
IPY · Interoperability & Portability
| Identification | Question | Répondre | Notes |
|---|
| IPY-01 | Is data export available in standard formats? | Yes | All endpoints return JSON. Bulk export (Account data, usage logs) via /api/export — JSON or CSV. No vendor lock-in. |
| IPY-02 | Are open standards supported? | Yes | OpenAPI 3.1 spec public at /openapi.json. OAuth 2.0 / OpenID Connect on roadmap Q4 2026. JSON-LD schema for SEO. |
IVS · Infrastructure & Virtualization Security
| Identification | Question | Répondre | Notes |
|---|
| IVS-01 | Is network segmentation in place? | Yes | All backends bound to 127.0.0.1 (loopback only). Caddy reverse proxy at edge. Internal services authenticated via X-Internal-Key. No backend reachable from the internet. |
| IVS-02 | Are container images scanned? | Yes | Trivy on every image build. Critical vulnerabilities block deploy. |
| IVS-03 | Is host hardening applied? | Yes | CIS Ubuntu 22.04 benchmark partially applied. Unattended security upgrades enabled. Auditd for system call logging. fail2ban on SSH. |
LOG · Logging & Monitoring
| Identification | Question | Répondre | Notes |
|---|
| LOG-01 | Are security events logged centrally? | Yes | Auth events, API errors, rate-limit hits, and admin actions all logged via Glitchtip (self-hosted) + structured JSON to Loki. PII redacted before log emission. |
| LOG-02 | Is anomaly detection in place? | Partial | UptimeKuma for liveness, Prometheus for metrics, Grafana for dashboards. Alert rules on 5xx rate, latency p95, auth failures. ML-based anomaly detection on roadmap. |
| LOG-03 | Are logs retained for compliance? | Yes | Application logs: 30 days. Security logs (auth events, admin actions): 365 days. Customer-specific logs deleted on account closure. |
SEF · Security Incident Mgmt, E-Discovery & Forensics
| Identification | Question | Répondre | Notes |
|---|
| SEF-01 | Is an incident response plan documented? | Yes | IRP covering: detection (Glitchtip alerts), containment (isolate affected service), eradication (patch root cause), recovery (restore from clean backup), lessons learned (public post-mortem on /status). Customers notified within 72h per GDPR Art. 33. |
| SEF-02 | Is forensic capability available? | Yes | Volume snapshots preserve forensic state. Incident logs retained for 1 year. External DFIR firm on retainer for major incidents (Crowdstrike Falcon Complete or equivalent on contract). |
| SEF-03 | Is a vulnerability disclosure program advertised? | Yes | /.well-known/security.txt (RFC 9116). security@brainiall.com contact. Acknowledged within 1 business day. 90-day coordinated disclosure. |
STA · Supply Chain Mgmt, Transparency & Accountability
| Identification | Question | Répondre | Notes |
|---|
| STA-01 | Is a sub-processor list published? | Yes | /dpa Section 6 — Latitude.sh, Microsoft, Stripe, Plausible. 30-day notice before adding new sub-processors. |
| STA-02 | Are sub-processor SOC 2 reports available? | Yes | Latitude SOC 2 + ISO 27001 available under NDA. Microsoft Azure SOC 2 + ISO 27001 + FedRAMP Moderate publicly. Stripe PCI-DSS Level 1. |
| STA-03 | Is an SBOM (Software Bill of Materials) maintained? | Yes | CycloneDX SBOM auto-generated per release. Top-level deps: FastAPI, Caddy, and our internal inference + embedding runtimes. Available on request. |
| STA-04 | Are open-source licenses tracked? | Yes | All ML models: permissive license / MIT (audited per SKU). All non-ML deps: license-checker enforced in CI. No copyleft licenses (GPL/AGPL) in production. |
TVM · Threat & Vulnerability Management
| Identification | Question | Répondre | Notes |
|---|
| TVM-01 | Are vulnerability scans performed regularly? | Yes | Trivy on container builds, Snyk daily on deps, OWASP ZAP weekly on staging. |
| TVM-02 | Is patch management documented? | Yes | OS: unattended-upgrades for security patches. Application deps: Renovate weekly PRs. Critical CVE patched ≤ 7 days; high ≤ 30 days. |
| TVM-03 | Is penetration testing performed? | Partial | Self-test using OWASP ZAP + Burp Suite Pro. External pen test scheduled Q3 2026 alongside SOC 2 audit. |
UEM · Universal Endpoint Management
| Identification | Question | Répondre | Notes |
|---|
| UEM-01 | Are workstation endpoints managed? | Yes | Sole founder workstation: FileVault disk encryption, automatic OS updates, hardware security key, 1Password for secrets, no shared accounts. |
| UEM-02 | Is BYOD policy in place? | N/A | Sole founder; no contractor uses personal devices for production access. Contracted senior engineer reviews use dedicated company-issued workstation. |
Le chemin de vérification
- Autocertification (cette page) - publique, gratuite, suffisante pour l'achat de premier pas.
- CSA STAR Niveau 1 - Autocertification déposée dans le registre de la CSA. Soumission Q3 2026 accompagnée de l'audit SOC 2.
- Certification CSA STAR Niveau 2 — évaluation par des tiers contre CCM v4. poursuivie en 2027 avec ISO 27001.