Skip to main content

Autoatestação CAIQ v4

Última atualização: 2026-05-06 · Cloud Security Alliance Cloud Controls Matrix v4 · Autocertificação (CSA STAR Nível 1)

O que isto é

A Cloud Security Alliance Cloud Controls Matrix (CCM) v4 é um framework de 17 domínios e 261 perguntas padronizado entre os principais provedores de nuvem. Equipes de compras e segurança usam o CAIQ como resposta inicial a questionários de fornecedores (SIG, SOC 2 readiness, RFPs customizados). 80% dos questionários de segurança corporativos aceitam o CAIQ no lugar de respostas customizadas.

Esta página é nossa autoatestação em relação aos principais controles do CCM v4. Não é uma auditoria de terceiros. Estamos buscando a certificação CSA STAR Nível 2 em conjunto com a auditoria SOC 2 Tipo II (previsão para o 3º trimestre de 2026), quando esta página será complementada por um relatório de atestado independente.

Para a planilha Excel completa do CAIQ (261 perguntas) (formato pronto para compras com nossas respostas), e-mail legal@brainiall.com. Clientes com contratos anuais ≥ USD 25.000 recebem a planilha completa + ISP, BCP e plano de resposta a incidentes sob NDA.

Resumo

  • Total de perguntas respondidas: 56
  • Sim (conformidade total): 47 (84%)
  • Parcial (em andamento / agendado): 7 (13%)
  • Não: 1 (2%)
  • N/D: 1 (2%)

AAC · Audit & Assurance

IDPerguntaRespostaNotas
AAC-01Are independent third-party audits performed at least annually?PartialSOC 2 Type II audit scheduled Q3 2026 (Vanta-managed). Internal audits quarterly. Pen test annual via reputable boutique firm (planned Q3 2026).
AAC-02Are audit reports made available to customers?YesOnce SOC 2 issues, summary report available under NDA via legal@brainiall.com. Internal control matrix available now.
AAC-03Are GDPR Article 28 compliance audit rights granted to customers?YesDPA Section 10 grants annual third-party audit rights to Controllers.

AIS · Application & Interface Security

IDPerguntaRespostaNotas
AIS-01Is secure coding training provided to developers?YesOWASP Top 10 reviewed quarterly with founder (sole developer); secure-by-default patterns enforced via ESLint security rules + Snyk Code.
AIS-02Are SAST and DAST tools used in CI/CD?YesGitHub CodeQL (SAST) + Snyk (deps) on every PR. Manual DAST (OWASP ZAP) before major releases.
AIS-03Are dependencies scanned for vulnerabilities?YesDaily pip-audit + npm audit + Dependabot alerts. PRs auto-opened by Renovate. SLA: critical CVE patched ≤7 days; high ≤30 days.
AIS-04Are API endpoints rate-limited and authenticated?YesAll non-public endpoints require Bearer Authorization + JWT validation. Per-tier sliding-window rate limits (10/min free, 120/min pro). Public demo endpoints rate-limited per-IP (5/5min).

BCR · Business Continuity Mgmt & Op Resilience

IDPerguntaRespostaNotas
BCR-01Is a documented Business Continuity Plan maintained?YesBCP covering: hosting outage (Latitude failover), founder unavailability (escrow agreement on request for Enterprise), payment-processor failure (Stripe→Marketplace fallback).
BCR-02Are backups encrypted and tested?YesEncrypted volume snapshots daily on Latitude. Restore drill quarterly. RPO=24h, RTO=4h for self-serve, ≤1h for Enterprise.
BCR-03Is a disaster recovery plan tested annually?PartialTabletop DR exercise completed Q1 2026. Live failover drill scheduled Q4 2026 once secondary region is provisioned.
BCR-04Is multi-region failover available?PartialLatitude FRA (primary, EU) + secondary in MAD (Madrid). US failover (DAL) on roadmap Q3 2026.

CCC · Change Control & Configuration

IDPerguntaRespostaNotas
CCC-01Are production changes peer-reviewed?YesAll deploys via GitHub Actions; PRs require approval (founder-only operation, but external review by a contracted senior engineer for changes to auth, billing, or security paths).
CCC-02Are infrastructure-as-code tools used?YesDocker Compose + Caddyfile in version control. Ansible for VM provisioning.
CCC-03Is a rollback mechanism tested?YesOne-click rollback via GitHub Actions workflow. Last test: 2026-04-26 (audio-enhancement-api revert). Documented rollback playbook.

CEK · Cryptography, Encryption & Key Management

IDPerguntaRespostaNotas
CEK-01Is TLS used for all external communication?YesTLS 1.2+ enforced (TLS 1.3 preferred). HSTS with includeSubDomains. Caddy auto-renews Let's Encrypt certificates every 60 days.
CEK-02Is data encrypted at rest?YesVolume-level encryption via Latitude provider (AES-256-XTS). Application-level encryption for highly sensitive fields (API key plaintext) — only SHA-256 hashes stored.
CEK-03Is key rotation enforced?YesCustomer API keys: rotation enforced 90 days for Pro tier. Internal service-to-service keys: rotated quarterly. JWT signing keys (Marketplace): managed by Microsoft Azure AD (RS256, JWKS endpoint).
CEK-04Are HSMs used for key storage?NoApplication keys stored in OS-level secret stores (systemd-creds + restrictive file ACLs). HSM upgrade on roadmap for Enterprise tier with regulated data (BAA / FedRAMP path).

DCS · Datacenter Security

IDPerguntaRespostaNotas
DCS-01Are physical access controls in place at hosting facilities?YesLatitude.sh: SOC 2 Type II + ISO 27001 facilities. Biometric access, 24×7 manned, CCTV. Sub-processor disclosure: /dpa Section 6.
DCS-02Is environmental redundancy provided?YesTier III+ facilities — N+1 power, cooling, network. Latitude SLA: 99.99% facility uptime.

DSP · Data Security & Privacy Lifecycle Management

IDPerguntaRespostaNotas
DSP-01Is customer data segmented by tenant?YesAPI key→customer mapping enforced at auth-proxy layer. Per-tenant rate limits + usage tracking. No cross-tenant data leakage paths in audit.
DSP-02Is sensitive data redacted in logs?YesPII redaction patterns (email, phone, IP, credit-card) applied before logs leave the application. Glitchtip (self-hosted) for error tracking. Application logs retained 30 days, security logs 1 year.
DSP-03Is data deletion provided on request?YesAPI payloads: NEVER stored (in-memory only, discarded on response). Account-level data: deletion within 30 days on request via support@brainiall.com.
DSP-04Are data subject access requests (DSARs) supported?YesDPA Section 4 + 5. Email privacy@brainiall.com — response within 30 days per GDPR Art. 12.
DSP-05Is data residency enforced?YesEU-resident workloads: pinnable to FRA (Frankfurt) on request. Default region: EU. US/BR available for Enterprise.
DSP-06Is training-on-customer-data policy explicit?YesWe do NOT train models on customer payloads. ML models are open-source (permissive license/MIT) used as-is or fine-tuned only on consented or public datasets.

GRC · Governance, Risk Mgmt & Compliance

IDPerguntaRespostaNotas
GRC-01Is an Information Security Policy documented?YesISP available on request to Enterprise customers under NDA. Reviewed annually by founder + external advisor.
GRC-02Is a risk register maintained?YesTop 10 risks tracked quarterly. Top current risks: bus-factor (mitigated by escrow + customer-friendly contracts), single-region hosting (mitigation Q3 2026), regulatory landscape (LGPD/GDPR/EU AI Act monitored monthly).
GRC-03Are compliance frameworks tracked?YesGDPR (compliant), LGPD (compliant), SOC 2 Type II (audit Q3 2026), ISO 27001 (planned 2027), HIPAA (BAA available for Enterprise), EU AI Act (risk classification documented per SKU).

HRS · Human Resources

IDPerguntaRespostaNotas
HRS-01Are background checks performed on personnel?PartialSole founder (criminal background self-disclosure available). Contractors signed NDA + IP assignment + reference checks; no production access without 2FA.
HRS-02Is security awareness training provided?YesAnnual self-study using SANS Securing The Human + OWASP. Logged.
HRS-03Is a clean termination process for personnel?YesDocumented offboarding checklist: revoke creds within 24h, re-issue any shared secrets, audit logs reviewed.

IAM · Identity & Access Management

IDPerguntaRespostaNotas
IAM-01Is MFA enforced for production access?YesAll production access requires hardware security key (YubiKey 5C) + SSH key. No password-only paths.
IAM-02Is principle of least privilege applied?YesPer-service Linux user accounts with restricted sudoers. Container-level isolation via Docker user namespaces.
IAM-03Are SSO/SAML supported for customers?PartialOAuth via GitHub + Google for self-serve. SAML/SCIM for Enterprise customers planned Q4 2026 (post-Auth0 migration).
IAM-04Are dormant accounts disabled?YesCustomer accounts inactive 12 months: data retention notice + deletion after 30-day grace period. Internal accounts: review monthly.

IPY · Interoperability & Portability

IDPerguntaRespostaNotas
IPY-01Is data export available in standard formats?YesAll endpoints return JSON. Bulk export (Account data, usage logs) via /api/export — JSON or CSV. No vendor lock-in.
IPY-02Are open standards supported?YesOpenAPI 3.1 spec public at /openapi.json. OAuth 2.0 / OpenID Connect on roadmap Q4 2026. JSON-LD schema for SEO.

IVS · Infrastructure & Virtualization Security

IDPerguntaRespostaNotas
IVS-01Is network segmentation in place?YesAll backends bound to 127.0.0.1 (loopback only). Caddy reverse proxy at edge. Internal services authenticated via X-Internal-Key. No backend reachable from the internet.
IVS-02Are container images scanned?YesTrivy on every image build. Critical vulnerabilities block deploy.
IVS-03Is host hardening applied?YesCIS Ubuntu 22.04 benchmark partially applied. Unattended security upgrades enabled. Auditd for system call logging. fail2ban on SSH.

LOG · Logging & Monitoring

IDPerguntaRespostaNotas
LOG-01Are security events logged centrally?YesAuth events, API errors, rate-limit hits, and admin actions all logged via Glitchtip (self-hosted) + structured JSON to Loki. PII redacted before log emission.
LOG-02Is anomaly detection in place?PartialUptimeKuma for liveness, Prometheus for metrics, Grafana for dashboards. Alert rules on 5xx rate, latency p95, auth failures. ML-based anomaly detection on roadmap.
LOG-03Are logs retained for compliance?YesApplication logs: 30 days. Security logs (auth events, admin actions): 365 days. Customer-specific logs deleted on account closure.

SEF · Security Incident Mgmt, E-Discovery & Forensics

IDPerguntaRespostaNotas
SEF-01Is an incident response plan documented?YesIRP covering: detection (Glitchtip alerts), containment (isolate affected service), eradication (patch root cause), recovery (restore from clean backup), lessons learned (public post-mortem on /status). Customers notified within 72h per GDPR Art. 33.
SEF-02Is forensic capability available?YesVolume snapshots preserve forensic state. Incident logs retained for 1 year. External DFIR firm on retainer for major incidents (Crowdstrike Falcon Complete or equivalent on contract).
SEF-03Is a vulnerability disclosure program advertised?Yes/.well-known/security.txt (RFC 9116). security@brainiall.com contact. Acknowledged within 1 business day. 90-day coordinated disclosure.

STA · Supply Chain Mgmt, Transparency & Accountability

IDPerguntaRespostaNotas
STA-01Is a sub-processor list published?Yes/dpa Section 6 — Latitude.sh, Microsoft, Stripe, Plausible. 30-day notice before adding new sub-processors.
STA-02Are sub-processor SOC 2 reports available?YesLatitude SOC 2 + ISO 27001 available under NDA. Microsoft Azure SOC 2 + ISO 27001 + FedRAMP Moderate publicly. Stripe PCI-DSS Level 1.
STA-03Is an SBOM (Software Bill of Materials) maintained?YesCycloneDX SBOM auto-generated per release. Top-level deps: FastAPI, Caddy, and our internal inference + embedding runtimes. Available on request.
STA-04Are open-source licenses tracked?YesAll ML models: permissive license / MIT (audited per SKU). All non-ML deps: license-checker enforced in CI. No copyleft licenses (GPL/AGPL) in production.

TVM · Threat & Vulnerability Management

IDPerguntaRespostaNotas
TVM-01Are vulnerability scans performed regularly?YesTrivy on container builds, Snyk daily on deps, OWASP ZAP weekly on staging.
TVM-02Is patch management documented?YesOS: unattended-upgrades for security patches. Application deps: Renovate weekly PRs. Critical CVE patched ≤ 7 days; high ≤ 30 days.
TVM-03Is penetration testing performed?PartialSelf-test using OWASP ZAP + Burp Suite Pro. External pen test scheduled Q3 2026 alongside SOC 2 audit.

UEM · Universal Endpoint Management

IDPerguntaRespostaNotas
UEM-01Are workstation endpoints managed?YesSole founder workstation: FileVault disk encryption, automatic OS updates, hardware security key, 1Password for secrets, no shared accounts.
UEM-02Is BYOD policy in place?N/ASole founder; no contractor uses personal devices for production access. Contracted senior engineer reviews use dedicated company-issued workstation.

Caminho de verificação

  1. Autoatestação (esta página) — pública, gratuita, suficiente para triagem inicial de compras.
  2. Listagem CSA STAR Nível 1 — autoatestação depositada no registro da CSA. Submissão no 3T 2026 junto com auditoria SOC 2.
  3. Certificação CSA STAR Nível 2 — avaliação por terceiros contra o CCM v4. Prevista para 2027 junto com a ISO 27001.

Documentação