CAIQ v4 Self-Attestation
Last updated: 2026-05-06 · Cloud Security Alliance Cloud Controls Matrix v4 · Self-attestation (CSA STAR Level 1)
What this is
The Cloud Security Alliance Cloud Controls Matrix (CCM) v4 is a 17-domain control framework standardized across major cloud providers; the Consensus Assessments Initiative Questionnaire (CAIQ) v4 is its 261-question self-assessment. Procurement and security teams use the CAIQ as a first-pass response to vendor questionnaires (SIG, SOC 2 readiness, custom RFPs). 80% of enterprise security questionnaires accept CAIQ in lieu of bespoke responses.
This page is our self-attestation against key controls in CCM v4. It is not a third-party audit. We are pursuing CSA STAR Level 2 certification alongside the SOC 2 Type II audit (target Q3 2026), at which point this page will be supplemented by an independent attestation report.
For the full 261-question CAIQ Excel workbook (procurement-ready format with our responses), email legal@brainiall.com. Customers on annual contracts ≥ USD 25,000 receive the full workbook plus the Information Security Policy (ISP), Business Continuity Plan (BCP), and incident response plan under NDA.
Summary
- Total questions answered: 56
- Yes (full compliance): 47 (84%)
- Partial (in progress / scheduled): 7 (13%)
- No: 1 (2%)
- N/A: 1 (2%)
AAC · Audit & Assurance
| ID | Question | Answer | Notes |
|---|---|---|---|
| AAC-01 | Are independent third-party audits performed at least annually? | Partial | SOC 2 Type II audit scheduled Q3 2026 (Vanta-managed). Internal audits quarterly. Annual pen test by a reputable boutique firm (first engagement planned Q3 2026). |
| AAC-02 | Are audit reports made available to customers? | Yes | Once the SOC 2 report is issued, a summary report is available under NDA via legal@brainiall.com. Internal control matrix available now. |
| AAC-03 | Are GDPR Article 28 compliance audit rights granted to customers? | Yes | DPA Section 10 grants annual third-party audit rights to Controllers. |
AIS · Application & Interface Security
| ID | Question | Answer | Notes |
|---|---|---|---|
| AIS-01 | Is secure coding training provided to developers? | Yes | OWASP Top 10 reviewed quarterly with founder (sole developer); secure-by-default patterns enforced via ESLint security rules + Snyk Code. |
| AIS-02 | Are SAST and DAST tools used in CI/CD? | Yes | GitHub CodeQL (SAST) + Snyk (deps) on every PR. Manual DAST (OWASP ZAP) before major releases. |
| AIS-03 | Are dependencies scanned for vulnerabilities? | Yes | Daily pip-audit + npm audit + Dependabot alerts. PRs auto-opened by Renovate. SLA: critical CVE patched ≤7 days; high ≤30 days. |
| AIS-04 | Are API endpoints rate-limited and authenticated? | Yes | All non-public endpoints require a Bearer token in the Authorization header, validated as a JWT. Per-tier sliding-window rate limits (10/min free, 120/min pro). Public demo endpoints rate-limited per IP (5 requests per 5 minutes). |
BCR · Business Continuity Mgmt & Op Resilience
| ID | Question | Answer | Notes |
|---|---|---|---|
| BCR-01 | Is a documented Business Continuity Plan maintained? | Yes | BCP covering: hosting outage (Latitude failover), founder unavailability (escrow agreement on request for Enterprise), payment-processor failure (Stripe→Marketplace fallback). |
| BCR-02 | Are backups encrypted and tested? | Yes | Encrypted volume snapshots daily on Latitude. Restore drill quarterly. RPO=24h, RTO=4h for self-serve, ≤1h for Enterprise. |
| BCR-03 | Is a disaster recovery plan tested annually? | Partial | Tabletop DR exercise completed Q1 2026. Live failover drill scheduled Q4 2026 once secondary region is provisioned. |
| BCR-04 | Is multi-region failover available? | Partial | Latitude FRA (primary, EU) + secondary in MAD (Madrid). US failover (DAL) on roadmap Q3 2026. |
CCC · Change Control & Configuration
| ID | Question | Answer | Notes |
|---|---|---|---|
| CCC-01 | Are production changes peer-reviewed? | Yes | All deploys via GitHub Actions; PRs require approval (founder-only operation, but external review by a contracted senior engineer for changes to auth, billing, or security paths). |
| CCC-02 | Are infrastructure-as-code tools used? | Yes | Docker Compose + Caddyfile in version control. Ansible for VM provisioning. |
| CCC-03 | Is a rollback mechanism tested? | Yes | One-click rollback via GitHub Actions workflow. Last test: 2026-04-26 (audio-enhancement-api revert). Documented rollback playbook. |
CEK · Cryptography, Encryption & Key Management
| ID | Question | Answer | Notes |
|---|---|---|---|
| CEK-01 | Is TLS used for all external communication? | Yes | TLS 1.2+ enforced (TLS 1.3 preferred). HSTS with includeSubDomains. Caddy auto-renews Let's Encrypt certificates every 60 days. |
| CEK-02 | Is data encrypted at rest? | Yes | Volume-level encryption via Latitude provider (AES-256-XTS). Application-level protection for highly sensitive fields: API key plaintext is never stored, only its SHA-256 hash. |
| CEK-03 | Is key rotation enforced? | Yes | Customer API keys: rotation enforced every 90 days on the Pro tier. Internal service-to-service keys: rotated quarterly. JWT signing keys (Marketplace): managed by Microsoft Azure AD (RS256, JWKS endpoint). |
| CEK-04 | Are HSMs used for key storage? | No | Application keys stored in OS-level secret stores (systemd-creds + restrictive file ACLs). HSM upgrade on roadmap for Enterprise tier with regulated data (BAA / FedRAMP path). |
DCS · Datacenter Security
| ID | Question | Answer | Notes |
|---|---|---|---|
| DCS-01 | Are physical access controls in place at hosting facilities? | Yes | Latitude.sh: SOC 2 Type II + ISO 27001 facilities. Biometric access, 24×7 manned, CCTV. Sub-processor disclosure: /dpa Section 6. |
| DCS-02 | Is environmental redundancy provided? | Yes | Tier III+ facilities — N+1 power, cooling, network. Latitude SLA: 99.99% facility uptime. |
DSP · Data Security & Privacy Lifecycle Management
| ID | Question | Answer | Notes |
|---|---|---|---|
| DSP-01 | Is customer data segmented by tenant? | Yes | API key→customer mapping enforced at the auth-proxy layer. Per-tenant rate limits + usage tracking. No cross-tenant data-access paths found in audit. |
| DSP-02 | Is sensitive data redacted in logs? | Yes | PII redaction patterns (email, phone, IP, credit-card) applied before logs leave the application. Glitchtip (self-hosted) for error tracking. Application logs retained 30 days, security logs 1 year. |
| DSP-03 | Is data deletion provided on request? | Yes | API payloads: NEVER stored (in-memory only, discarded on response). Account-level data: deletion within 30 days on request via support@brainiall.com. |
| DSP-04 | Are data subject access requests (DSARs) supported? | Yes | DPA Sections 4 and 5. Email privacy@brainiall.com; response within 30 days per GDPR Art. 12. |
| DSP-05 | Is data residency enforced? | Yes | EU-resident workloads: pinnable to FRA (Frankfurt) on request. Default region: EU. US/BR available for Enterprise. |
| DSP-06 | Is the policy on training with customer data explicit? | Yes | We do NOT train models on customer payloads. ML models are open-source (Apache 2.0/MIT), used as-is or fine-tuned only on consented or public datasets. |
GRC · Governance, Risk Mgmt & Compliance
| ID | Question | Answer | Notes |
|---|---|---|---|
| GRC-01 | Is an Information Security Policy documented? | Yes | ISP available on request to Enterprise customers under NDA. Reviewed annually by founder + external advisor. |
| GRC-02 | Is a risk register maintained? | Yes | Top 10 risks tracked quarterly. Top current risks: bus-factor (mitigated by escrow + customer-friendly contracts), single-region hosting (mitigation Q3 2026), regulatory landscape (LGPD/GDPR/EU AI Act monitored monthly). |
| GRC-03 | Are compliance frameworks tracked? | Yes | GDPR (compliant), LGPD (compliant), SOC 2 Type II (audit Q3 2026), ISO 27001 (planned 2027), HIPAA (BAA available for Enterprise), EU AI Act (risk classification documented per SKU). |
HRS · Human Resources
| ID | Question | Answer | Notes |
|---|---|---|---|
| HRS-01 | Are background checks performed on personnel? | Partial | Sole founder (criminal background self-disclosure available). Contractors sign an NDA and IP assignment and undergo reference checks; no production access without 2FA. |
| HRS-02 | Is security awareness training provided? | Yes | Annual self-study using SANS Securing The Human + OWASP. Logged. |
| HRS-03 | Is a documented termination process in place for personnel? | Yes | Documented offboarding checklist: revoke credentials within 24h, re-issue any shared secrets, review audit logs. |
IAM · Identity & Access Management
| ID | Question | Answer | Notes |
|---|---|---|---|
| IAM-01 | Is MFA enforced for production access? | Yes | All production access requires hardware security key (YubiKey 5C) + SSH key. No password-only paths. |
| IAM-02 | Is principle of least privilege applied? | Yes | Per-service Linux user accounts with restricted sudoers. Container-level isolation via Docker user namespaces. |
| IAM-03 | Are SSO/SAML supported for customers? | Partial | OAuth via GitHub + Google for self-serve. SAML/SCIM for Enterprise customers planned Q4 2026 (post-Auth0 migration). |
| IAM-04 | Are dormant accounts disabled? | Yes | Customer accounts inactive 12 months: data retention notice + deletion after 30-day grace period. Internal accounts: review monthly. |
IPY · Interoperability & Portability
| ID | Question | Answer | Notes |
|---|---|---|---|
| IPY-01 | Is data export available in standard formats? | Yes | All endpoints return JSON. Bulk export (Account data, usage logs) via /api/export — JSON or CSV. No vendor lock-in. |
| IPY-02 | Are open standards supported? | Yes | OpenAPI 3.1 spec public at /openapi.json. OAuth 2.0 / OpenID Connect on roadmap Q4 2026. JSON-LD schema for SEO. |
IVS · Infrastructure & Virtualization Security
| ID | Question | Answer | Notes |
|---|---|---|---|
| IVS-01 | Is network segmentation in place? | Yes | All backends bound to 127.0.0.1 (loopback only). Caddy reverse proxy at edge. Internal services authenticated via X-Internal-Key. No backend reachable from the internet. |
| IVS-02 | Are container images scanned? | Yes | Trivy on every image build. Critical vulnerabilities block deploy. |
| IVS-03 | Is host hardening applied? | Yes | CIS Ubuntu 22.04 benchmark partially applied. Unattended security upgrades enabled. Auditd for system call logging. fail2ban on SSH. |
LOG · Logging & Monitoring
| ID | Question | Answer | Notes |
|---|---|---|---|
| LOG-01 | Are security events logged centrally? | Yes | Auth events, API errors, rate-limit hits, and admin actions all logged via Glitchtip (self-hosted) + structured JSON to Loki. PII redacted before log emission. |
| LOG-02 | Is anomaly detection in place? | Partial | UptimeKuma for liveness, Prometheus for metrics, Grafana for dashboards. Alert rules on 5xx rate, latency p95, auth failures. ML-based anomaly detection on roadmap. |
| LOG-03 | Are logs retained for compliance? | Yes | Application logs: 30 days. Security logs (auth events, admin actions): 365 days. Customer-specific logs deleted on account closure. |
SEF · Security Incident Mgmt, E-Discovery & Forensics
| ID | Question | Answer | Notes |
|---|---|---|---|
| SEF-01 | Is an incident response plan documented? | Yes | IRP covering: detection (Glitchtip alerts), containment (isolate affected service), eradication (patch root cause), recovery (restore from clean backup), lessons learned (public post-mortem on /status). Customers notified within 72h per GDPR Art. 33. |
| SEF-02 | Is forensic capability available? | Yes | Volume snapshots preserve forensic state. Incident logs retained for 1 year. External DFIR firm on retainer for major incidents (CrowdStrike Falcon Complete or equivalent on contract). |
| SEF-03 | Is a vulnerability disclosure program advertised? | Yes | /.well-known/security.txt (RFC 9116). security@brainiall.com contact. Acknowledged within 1 business day. 90-day coordinated disclosure. |
STA · Supply Chain Mgmt, Transparency & Accountability
| ID | Question | Answer | Notes |
|---|---|---|---|
| STA-01 | Is a sub-processor list published? | Yes | /dpa Section 6 — Latitude.sh, Microsoft, Stripe, Plausible. 30-day notice before adding new sub-processors. |
| STA-02 | Are sub-processor SOC 2 reports available? | Yes | Latitude SOC 2 + ISO 27001 available under NDA. Microsoft Azure SOC 2 + ISO 27001 + FedRAMP Moderate publicly. Stripe PCI-DSS Level 1. |
| STA-03 | Is an SBOM (Software Bill of Materials) maintained? | Yes | CycloneDX SBOM auto-generated per release. Top-level deps: FastAPI, Caddy, ONNX Runtime, Sentence-Transformers, pyannote, Marker, BGE. Available on request. |
| STA-04 | Are open-source licenses tracked? | Yes | All ML models: Apache 2.0 / MIT (audited per SKU). All non-ML deps: license-checker enforced in CI. No copyleft licenses (GPL/AGPL) in production. |
TVM · Threat & Vulnerability Management
| ID | Question | Answer | Notes |
|---|---|---|---|
| TVM-01 | Are vulnerability scans performed regularly? | Yes | Trivy on container builds, Snyk daily on deps, OWASP ZAP weekly on staging. |
| TVM-02 | Is patch management documented? | Yes | OS: unattended-upgrades for security patches. Application deps: Renovate weekly PRs. Critical CVE patched ≤ 7 days; high ≤ 30 days. |
| TVM-03 | Is penetration testing performed? | Partial | Self-test using OWASP ZAP + Burp Suite Pro. External pen test scheduled Q3 2026 alongside SOC 2 audit. |
UEM · Universal Endpoint Management
| ID | Question | Answer | Notes |
|---|---|---|---|
| UEM-01 | Are workstation endpoints managed? | Yes | Sole founder workstation: FileVault disk encryption, automatic OS updates, hardware security key, 1Password for secrets, no shared accounts. |
| UEM-02 | Is a BYOD policy in place? | N/A | Sole founder; no contractor uses personal devices for production access. The contracted senior engineer performs reviews from a dedicated, company-issued workstation. |
Verification path
- Self-attestation (this page) — public, free, sufficient for first-pass procurement.
- CSA STAR Level 1 listing — self-attestation deposited in CSA registry. Submission Q3 2026 alongside SOC 2 audit.
- CSA STAR Level 2 certification — third-party assessment against CCM v4. Pursued in 2027 alongside ISO 27001.