Skip to main content

CAIQ v4 Autodétermination

Dernière mise à jour : 2026-05-06 · Cloud Security Alliance Cloud Controls Matrix v4 · Autocertification (CSA STAR Niveau 1)

Ce que c'est

L’Alliance de la Cloud Security Matrix de contrôle en nuage (CCM) v4 Il s’agit d’un cadre de 17 domaines, de 261 questions standardisé parmi les principaux fournisseurs de cloud. Les équipes d’approvisionnement et de sécurité utilisent le CAIQ comme une réponse de premier pas aux questionnaires fournisseurs (SIG, SOC 2 prêt, RFPs personnalisés). 80% des questionnaires de sécurité d’entreprise acceptent le CAIQ au lieu de répondre.

Cette page est notre Autocertification Nous poursuivons la certification CSA STAR Level 2 à côté de l'audit Contrôles SOC 2 en place (audit Type II prévu T3 2026) (objectif Q3 2026), auquel point cette page sera complétée par un rapport d'attestation indépendant.

Pour un livre de travail complet de 261 questions CAIQ Excel (Format prêt à l'offre avec nos réponses), email legal@brainiall.comLes clients sur les contrats annuels ≥ 25 000 USD reçoivent le livre de travail complet + ISP, BCP et le plan de réponse aux incidents dans le cadre de la NDA.

Résumé

  • Questions complètes répliquées : 56
  • Oui (compliance complète) : 47 (84%)
  • Partiel (en progrès / prévu) : 7 (13%)
  • Non pas : 1 (2%)
  • N / A : 1 (2%)

AAC · Audit & Assurance

IdentificationQuestionRépondreNotes
AAC-01Are independent third-party audits performed at least annually?PartialSOC 2 Type II audit scheduled Q3 2026 (Vanta-managed). Internal audits quarterly. Pen test annual via reputable boutique firm (planned Q3 2026).
AAC-02Are audit reports made available to customers?YesOnce SOC 2 issues, summary report available under NDA via legal@brainiall.com. Internal control matrix available now.
AAC-03Are GDPR Article 28 compliance audit rights granted to customers?YesDPA Section 10 grants annual third-party audit rights to Controllers.

AIS · Application & Interface Security

IdentificationQuestionRépondreNotes
AIS-01Is secure coding training provided to developers?YesOWASP Top 10 reviewed quarterly with founder (sole developer); secure-by-default patterns enforced via ESLint security rules + Snyk Code.
AIS-02Are SAST and DAST tools used in CI/CD?YesGitHub CodeQL (SAST) + Snyk (deps) on every PR. Manual DAST (OWASP ZAP) before major releases.
AIS-03Are dependencies scanned for vulnerabilities?YesDaily pip-audit + npm audit + Dependabot alerts. PRs auto-opened by Renovate. SLA: critical CVE patched ≤7 days; high ≤30 days.
AIS-04Are API endpoints rate-limited and authenticated?YesAll non-public endpoints require Bearer Authorization + JWT validation. Per-tier sliding-window rate limits (10/min free, 120/min pro). Public demo endpoints rate-limited per-IP (5/5min).

BCR · Business Continuity Mgmt & Op Resilience

IdentificationQuestionRépondreNotes
BCR-01Is a documented Business Continuity Plan maintained?YesBCP covering: hosting outage (Latitude failover), founder unavailability (escrow agreement on request for Enterprise), payment-processor failure (Stripe→Marketplace fallback).
BCR-02Are backups encrypted and tested?YesEncrypted volume snapshots daily on Latitude. Restore drill quarterly. RPO=24h, RTO=4h for self-serve, ≤1h for Enterprise.
BCR-03Is a disaster recovery plan tested annually?PartialTabletop DR exercise completed Q1 2026. Live failover drill scheduled Q4 2026 once secondary region is provisioned.
BCR-04Is multi-region failover available?PartialLatitude FRA (primary, EU) + secondary in MAD (Madrid). US failover (DAL) on roadmap Q3 2026.

CCC · Change Control & Configuration

IdentificationQuestionRépondreNotes
CCC-01Are production changes peer-reviewed?YesAll deploys via GitHub Actions; PRs require approval (founder-only operation, but external review by a contracted senior engineer for changes to auth, billing, or security paths).
CCC-02Are infrastructure-as-code tools used?YesDocker Compose + Caddyfile in version control. Ansible for VM provisioning.
CCC-03Is a rollback mechanism tested?YesOne-click rollback via GitHub Actions workflow. Last test: 2026-04-26 (audio-enhancement-api revert). Documented rollback playbook.

CEK · Cryptography, Encryption & Key Management

IdentificationQuestionRépondreNotes
CEK-01Is TLS used for all external communication?YesTLS 1.2+ enforced (TLS 1.3 preferred). HSTS with includeSubDomains. Caddy auto-renews Let's Encrypt certificates every 60 days.
CEK-02Is data encrypted at rest?YesVolume-level encryption via Latitude provider (AES-256-XTS). Application-level encryption for highly sensitive fields (API key plaintext) — only SHA-256 hashes stored.
CEK-03Is key rotation enforced?YesCustomer API keys: rotation enforced 90 days for Pro tier. Internal service-to-service keys: rotated quarterly. JWT signing keys (Marketplace): managed by Microsoft Azure AD (RS256, JWKS endpoint).
CEK-04Are HSMs used for key storage?NoApplication keys stored in OS-level secret stores (systemd-creds + restrictive file ACLs). HSM upgrade on roadmap for Enterprise tier with regulated data (BAA / FedRAMP path).

DCS · Datacenter Security

IdentificationQuestionRépondreNotes
DCS-01Are physical access controls in place at hosting facilities?YesLatitude.sh: SOC 2 Type II + ISO 27001 facilities. Biometric access, 24×7 manned, CCTV. Sub-processor disclosure: /dpa Section 6.
DCS-02Is environmental redundancy provided?YesTier III+ facilities — N+1 power, cooling, network. Latitude SLA: 99.99% facility uptime.

DSP · Data Security & Privacy Lifecycle Management

IdentificationQuestionRépondreNotes
DSP-01Is customer data segmented by tenant?YesAPI key→customer mapping enforced at auth-proxy layer. Per-tenant rate limits + usage tracking. No cross-tenant data leakage paths in audit.
DSP-02Is sensitive data redacted in logs?YesPII redaction patterns (email, phone, IP, credit-card) applied before logs leave the application. Glitchtip (self-hosted) for error tracking. Application logs retained 30 days, security logs 1 year.
DSP-03Is data deletion provided on request?YesAPI payloads: NEVER stored (in-memory only, discarded on response). Account-level data: deletion within 30 days on request via support@brainiall.com.
DSP-04Are data subject access requests (DSARs) supported?YesDPA Section 4 + 5. Email privacy@brainiall.com — response within 30 days per GDPR Art. 12.
DSP-05Is data residency enforced?YesEU-resident workloads: pinnable to FRA (Frankfurt) on request. Default region: EU. US/BR available for Enterprise.
DSP-06Is training-on-customer-data policy explicit?YesWe do NOT train models on customer payloads. ML models are open-source (permissive license/MIT) used as-is or fine-tuned only on consented or public datasets.

GRC · Governance, Risk Mgmt & Compliance

IdentificationQuestionRépondreNotes
GRC-01Is an Information Security Policy documented?YesISP available on request to Enterprise customers under NDA. Reviewed annually by founder + external advisor.
GRC-02Is a risk register maintained?YesTop 10 risks tracked quarterly. Top current risks: bus-factor (mitigated by escrow + customer-friendly contracts), single-region hosting (mitigation Q3 2026), regulatory landscape (LGPD/GDPR/EU AI Act monitored monthly).
GRC-03Are compliance frameworks tracked?YesGDPR (compliant), LGPD (compliant), SOC 2 Type II (audit Q3 2026), ISO 27001 (planned 2027), HIPAA (BAA available for Enterprise), EU AI Act (risk classification documented per SKU).

HRS · Human Resources

IdentificationQuestionRépondreNotes
HRS-01Are background checks performed on personnel?PartialSole founder (criminal background self-disclosure available). Contractors signed NDA + IP assignment + reference checks; no production access without 2FA.
HRS-02Is security awareness training provided?YesAnnual self-study using SANS Securing The Human + OWASP. Logged.
HRS-03Is a clean termination process for personnel?YesDocumented offboarding checklist: revoke creds within 24h, re-issue any shared secrets, audit logs reviewed.

IAM · Identity & Access Management

IdentificationQuestionRépondreNotes
IAM-01Is MFA enforced for production access?YesAll production access requires hardware security key (YubiKey 5C) + SSH key. No password-only paths.
IAM-02Is principle of least privilege applied?YesPer-service Linux user accounts with restricted sudoers. Container-level isolation via Docker user namespaces.
IAM-03Are SSO/SAML supported for customers?PartialOAuth via GitHub + Google for self-serve. SAML/SCIM for Enterprise customers planned Q4 2026 (post-Auth0 migration).
IAM-04Are dormant accounts disabled?YesCustomer accounts inactive 12 months: data retention notice + deletion after 30-day grace period. Internal accounts: review monthly.

IPY · Interoperability & Portability

IdentificationQuestionRépondreNotes
IPY-01Is data export available in standard formats?YesAll endpoints return JSON. Bulk export (Account data, usage logs) via /api/export — JSON or CSV. No vendor lock-in.
IPY-02Are open standards supported?YesOpenAPI 3.1 spec public at /openapi.json. OAuth 2.0 / OpenID Connect on roadmap Q4 2026. JSON-LD schema for SEO.

IVS · Infrastructure & Virtualization Security

IdentificationQuestionRépondreNotes
IVS-01Is network segmentation in place?YesAll backends bound to 127.0.0.1 (loopback only). Caddy reverse proxy at edge. Internal services authenticated via X-Internal-Key. No backend reachable from the internet.
IVS-02Are container images scanned?YesTrivy on every image build. Critical vulnerabilities block deploy.
IVS-03Is host hardening applied?YesCIS Ubuntu 22.04 benchmark partially applied. Unattended security upgrades enabled. Auditd for system call logging. fail2ban on SSH.

LOG · Logging & Monitoring

IdentificationQuestionRépondreNotes
LOG-01Are security events logged centrally?YesAuth events, API errors, rate-limit hits, and admin actions all logged via Glitchtip (self-hosted) + structured JSON to Loki. PII redacted before log emission.
LOG-02Is anomaly detection in place?PartialUptimeKuma for liveness, Prometheus for metrics, Grafana for dashboards. Alert rules on 5xx rate, latency p95, auth failures. ML-based anomaly detection on roadmap.
LOG-03Are logs retained for compliance?YesApplication logs: 30 days. Security logs (auth events, admin actions): 365 days. Customer-specific logs deleted on account closure.

SEF · Security Incident Mgmt, E-Discovery & Forensics

IdentificationQuestionRépondreNotes
SEF-01Is an incident response plan documented?YesIRP covering: detection (Glitchtip alerts), containment (isolate affected service), eradication (patch root cause), recovery (restore from clean backup), lessons learned (public post-mortem on /status). Customers notified within 72h per GDPR Art. 33.
SEF-02Is forensic capability available?YesVolume snapshots preserve forensic state. Incident logs retained for 1 year. External DFIR firm on retainer for major incidents (Crowdstrike Falcon Complete or equivalent on contract).
SEF-03Is a vulnerability disclosure program advertised?Yes/.well-known/security.txt (RFC 9116). security@brainiall.com contact. Acknowledged within 1 business day. 90-day coordinated disclosure.

STA · Supply Chain Mgmt, Transparency & Accountability

IdentificationQuestionRépondreNotes
STA-01Is a sub-processor list published?Yes/dpa Section 6 — Latitude.sh, Microsoft, Stripe, Plausible. 30-day notice before adding new sub-processors.
STA-02Are sub-processor SOC 2 reports available?YesLatitude SOC 2 + ISO 27001 available under NDA. Microsoft Azure SOC 2 + ISO 27001 + FedRAMP Moderate publicly. Stripe PCI-DSS Level 1.
STA-03Is an SBOM (Software Bill of Materials) maintained?YesCycloneDX SBOM auto-generated per release. Top-level deps: FastAPI, Caddy, and our internal inference + embedding runtimes. Available on request.
STA-04Are open-source licenses tracked?YesAll ML models: permissive license / MIT (audited per SKU). All non-ML deps: license-checker enforced in CI. No copyleft licenses (GPL/AGPL) in production.

TVM · Threat & Vulnerability Management

IdentificationQuestionRépondreNotes
TVM-01Are vulnerability scans performed regularly?YesTrivy on container builds, Snyk daily on deps, OWASP ZAP weekly on staging.
TVM-02Is patch management documented?YesOS: unattended-upgrades for security patches. Application deps: Renovate weekly PRs. Critical CVE patched ≤ 7 days; high ≤ 30 days.
TVM-03Is penetration testing performed?PartialSelf-test using OWASP ZAP + Burp Suite Pro. External pen test scheduled Q3 2026 alongside SOC 2 audit.

UEM · Universal Endpoint Management

IdentificationQuestionRépondreNotes
UEM-01Are workstation endpoints managed?YesSole founder workstation: FileVault disk encryption, automatic OS updates, hardware security key, 1Password for secrets, no shared accounts.
UEM-02Is BYOD policy in place?N/ASole founder; no contractor uses personal devices for production access. Contracted senior engineer reviews use dedicated company-issued workstation.

Le chemin de vérification

  1. Autocertification (cette page) - publique, gratuite, suffisante pour l'achat de premier pas.
  2. CSA STAR Niveau 1 - Autocertification déposée dans le registre de la CSA. Soumission Q3 2026 accompagnée de l'audit SOC 2.
  3. Certification CSA STAR Niveau 2 — évaluation par des tiers contre CCM v4. poursuivie en 2027 avec ISO 27001.

Documentation