Procurement
Security questionnaire
CAIQ-aligned answers to 63 questions across 14 control domains. Procurement teams can extract these directly into their own vendor risk register. Format follows the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v4.
Last reviewed: 2026-05-02 · Source-of-truth: /lib/security-questionnaire.ts
Download this questionnaire for your vendor risk register. Each format is generated client-side from the live data — the file you download always reflects the latest published answers.
Export
Need a counter-signed PDF or your own questionnaire format completed? security@theartofcto.com — 1 business day response.
At a glance
63
Total
57
Yes
5
No
1
N.A.
Honest framing: every No includes the rationale and the timeline (when applicable). We don't hide gaps — we list them and track them. A questionnaire with all-Yes answers from a pre-Series-A company should be a procurement red flag, not a green one.
AAC
Audit Assurance & Compliance
Independent attestations and compliance posture.
| ID | Question | Answer | Notes |
|---|---|---|---|
| AAC-01 | Do you have a SOC 2 Type II attestation? | No | Not currently. We operate to the Trust Services Criteria but have not engaged an independent auditor. SOC 2 Type 1 is on the roadmap once revenue justifies the engagement. |
| AAC-02 | Do you have an ISO 27001 certification? | No | Not currently certified. The platform implements controls aligned to ISO 27001:2022 Annex A across A.5 through A.18; mapping published at /security. |
| AAC-03 | Do you publish your sub-processor list? | Yes | Public list at /security with each provider, purpose, region, and independent attestation. Customers receive 30 days advance notice of changes. |
| AAC-04 | Do you maintain documented information security policies? | Yes | Twelve policies covering ISMS apex, IRP, VDP, access control, cryptography, retention, AUP, sub-processors, change management, BCP, risk, and backup. Source-controlled in /documents/policies; PDFs available via security@theartofcto.com. |
| AAC-05 | Are policies reviewed at least annually? | Yes | Annual review documented in each policy header (Last reviewed / Next review). |
AIS
Application & Interface Security
Secure design and operation of customer-facing applications.
| ID | Question | Answer | Notes |
|---|---|---|---|
| AIS-01 | Do you perform input validation on all API endpoints? | Yes | Zod schema validation at every API boundary. Bounded string fields. JSONB metadata payloads capped at 2KB. |
| AIS-02 | Do you protect against XSS? | Yes | Server-side HTML sanitisation on all user-supplied content (script, iframe, object, embed, form, javascript: URIs stripped). CSP enforced site-wide. |
| AIS-03 | Do you protect against CSRF on state-changing endpoints? | Yes | Double-submit cookie pattern. Token bound to session. Mismatched tokens reject with 403 before handler dispatch. |
| AIS-04 | Do you protect against SQL injection? | Yes | Parameterised queries everywhere. No string concatenation into SQL. Pre-commit pattern checks. |
| AIS-05 | Are webhook signatures verified? | Yes | Stripe webhooks verified via HMAC-SHA256 with timing-safe compare and 5-minute timestamp tolerance. Idempotent event ledger prevents replay. |
| AIS-06 | Do you perform independent (third-party) penetration testing? | No | Not yet. An independent penetration test is scheduled before first enterprise customer onboarding. Internal application-security testing operates today (see AIS-08): CodeQL on every PR, daily npm audit + retire.js, dedicated security test suite (~280 cases) covering CORS, content sanitisation, content-length, webhook SSRF, signature verification, replay protection, and the unauth 401 matrix across every endpoint. |
| AIS-07 | Do you employ static application security testing (SAST)? | Yes | CodeQL scan on every pull request; Dependabot alerts for vulnerable dependencies; daily npm audit + retire.js scans; pre-commit secret-pattern checks (scripts/check-security-patterns.sh). |
| AIS-08 | Do you perform internal / continuous application-security testing? | Yes | Yes — multi-layer. (1) PR-blocking unit + integration test suites including dedicated security tests for auth (CSRF, bearer tokens, opaque tokens, native session bridge, signup-flag enforcement), webhook signature verification with replay/idempotency, CORS, content sanitisation, content-length, webhook SSRF. (2) ~280-case REST API security suite covering the full unauth 401 matrix and security-header validation. (3) Concurrency / race-condition tests on critical paths (atomic counters, push subscription dedup, Stripe webhook idempotency). (4) Cloudflare WAF + honeypot detection (20+ paths, 30-day retention). (5) Visual regression suite (22 baselines) catches CSP / theme / chrome regressions. All run before merge to main. |
| AIS-09 | Do you actively monitor for security events in production? | Yes | Sentry-instrumented application errors; Cloudflare access + WAF logs; structured audit log of admin actions (12-month retention); rate-limit + honeypot KV entries reviewable on demand. Alert thresholds set on 5xx rate above baseline. |
BCR
Business Continuity & Resilience
Availability, backup, and disaster recovery.
| ID | Question | Answer | Notes |
|---|---|---|---|
| BCR-01 | Do you have a documented Business Continuity Plan? | Yes | Business Continuity Policy at /documents/policies/business-continuity-policy.md. RTO 1h for application data, RPO 5 minutes via Neon point-in-time recovery. |
| BCR-02 | Do you perform regular disaster recovery drills? | Yes | Quarterly restore-to-sandbox exercise. Annual full DR drill. Findings recorded. |
| BCR-03 | Are backups encrypted? | Yes | Backups inherit the encryption-at-rest of the primary store (AES-256, KMS-managed keys via Neon). |
| BCR-04 | What is your stated availability SLO? | Yes | 99.5% monthly availability. External probes against /public/health verify. |
| BCR-05 | Do you replicate data across regions? | Yes | Cloudflare Workers run in every PoP globally. R2 cross-region replication enabled. Postgres (Neon) high-availability with auto-failover replicas. |
CCC
Change Control & Configuration Management
How changes to production are governed.
| ID | Question | Answer | Notes |
|---|---|---|---|
| CCC-01 | Do all production changes go through a defined change-management process? | Yes | Change Management Policy. Every production change ships through git + CI/CD; PR-blocking lint, typecheck, unit tests, integration tests, build, bundle size check. |
| CCC-02 | Do you have separate environments for production and pre-production? | Yes | Two-environment strategy: preview.theartofcto.pages.dev and theartofcto.com. Preview gets all changes first. |
| CCC-03 | Are emergency changes documented and reviewed retroactively? | Yes | Emergency-class changes require Security Owner approval at deploy and a post-hoc PR + post-mortem within 24 hours. |
DSI
Data Security & Information Lifecycle
Encryption, classification, and handling of customer data.
| ID | Question | Answer | Notes |
|---|---|---|---|
| DSI-01 | Is customer data encrypted at rest? | Yes | AES-256 at rest across Postgres (Neon), R2, KV. KMS-managed keys. |
| DSI-02 | Is customer data encrypted in transit? | Yes | TLS 1.2 minimum, TLS 1.3 preferred. HSTS preload. Worker-to-Postgres via Hyperdrive (TLS). |
| DSI-03 | Do you classify data by sensitivity? | Yes | Data Retention Policy section 2 inventories every category with retention and storage. Payment data delegated to Stripe; we never store full card data. |
| DSI-04 | Do you securely delete data on customer request? | Yes | Primary stores deleted within 30 days; backup roll-off within 90 days. GDPR / CCPA right of erasure honoured. See Data Retention Policy. |
| DSI-05 | Do you support customer data export? | Yes | Right of portability via privacy@theartofcto.com. Account, tool inputs/outputs, and telemetry exported as JSON / native formats within 30 days. |
| DSI-06 | Is data segregated between customers? | Yes | Logical multi-tenancy: all DB queries scoped by user_id from the verified session. No cross-customer reads possible without explicit join through ownership. |
EKM
Encryption & Key Management
Cryptographic primitives and key lifecycle.
| ID | Question | Answer | Notes |
|---|---|---|---|
| EKM-01 | Do you use industry-standard cryptographic algorithms? | Yes | TLS 1.2+, AES-256-GCM, HMAC-SHA256, RS256 for JWT. Cryptography Policy lists approved + prohibited algorithms. |
| EKM-02 | Are encryption keys stored separately from the data they protect? | Yes | Application secrets in Cloudflare Workers Secrets. Postgres / R2 encryption keys held by the sub-processor in their KMS. |
| EKM-03 | Do you rotate keys regularly? | Yes | Quarterly rotation for application secrets (SESSION_SECRET, inter-worker tokens, BREVO_API_KEY). Sub-processor-managed keys rotated per their lifecycle. |
| EKM-04 | Are secrets prevented from entering source control? | Yes | Pre-commit pattern checks. CodeQL secret-scan rules. Daily npm audit on the dependency tree. |
GRM
Governance & Risk Management
Risk register, ownership, and oversight.
| ID | Question | Answer | Notes |
|---|---|---|---|
| GRM-01 | Do you maintain a risk register? | Yes | Risk Management Policy defines methodology. Live register reviewed quarterly. Critical risks (rating ≥ 16) block ship until treated. |
| GRM-02 | Is there a designated Security Owner? | Yes | Single named Security Owner (currently the founder). Role split planned at team size > 3. |
| GRM-03 | Do you have cyber insurance? | No | Not currently. Cyber insurance planned at revenue threshold; today we self-insure given platform stage. |
HRS
Human Resources Security
Personnel screening, training, access lifecycle.
| ID | Question | Answer | Notes |
|---|---|---|---|
| HRS-01 | Do you perform background checks on staff with production access? | Yes | The sole production-access holder (founder) holds a current National Police Certificate and an active CTO role inside a regulated organisation, which mandates ongoing background-screening obligations. Formal background-check policy for additional staff will operate from the first hire and is required from team size > 1. |
| HRS-02 | Do staff sign confidentiality / NDA agreements? | Yes | All contractors and prospective hires sign NDA before any access to non-public data. |
| HRS-03 | Do staff receive security training? | Yes | Annual security awareness training. Coverage in Acceptable Use Policy section 7. |
| HRS-04 | Do you revoke access promptly on offboarding? | Yes | Immediate revocation on departure: GitHub, Auth0, Cloudflare, Sentry, all admin consoles within 24 hours. Documented in Access Control Policy section 8. |
IAM
Identity & Access Management
Authentication, authorisation, account lifecycle.
| ID | Question | Answer | Notes |
|---|---|---|---|
| IAM-01 | Do you use multi-factor authentication for administrative access? | Yes | MFA mandatory on admin accounts. Cloudflare, Auth0 management, Stripe, GitHub all enforce MFA. |
| IAM-02 | Do customers have the option to enable MFA? | Yes | MFA available via Auth0 (TOTP, SMS, push). Required on accounts flagged as administrative. |
| IAM-03 | Do you support SSO for enterprise customers? | No | Not yet — SAML / SCIM SSO is on the roadmap for the team plan. Current Auth0 backing supports adding it without migration risk. |
| IAM-04 | Are sessions invalidated on logout? | Yes | All sessions for the user are invalidated on logout. Server-side session record purged from KV. |
| IAM-05 | Are passwords stored using salted, slow hashing? | Yes | Password storage is delegated to Auth0; bcrypt with breach detection enabled. We never see or store raw passwords. |
| IAM-06 | Do you implement role-based access control? | Yes | Three roles: customer, admin, owner. Admin endpoints check role on every request. Auth0 manages role assignment. |
| IAM-07 | Are privileged accounts reviewed regularly? | Yes | Quarterly review of all admin / owner accounts. Default-deny renewals. |
IVS
Infrastructure & Virtualization Security
Network controls, isolation, environmental segregation.
| ID | Question | Answer | Notes |
|---|---|---|---|
| IVS-01 | Do you isolate production from non-production environments? | Yes | Separate Cloudflare environments, separate Workers Secrets, separate Neon databases, separate Auth0 tenants. |
| IVS-02 | Are public-facing systems behind a WAF? | Yes | Cloudflare WAF + DDoS protection on every public endpoint. Honeypot detection for bot scans. |
| IVS-03 | Are servers patched regularly? | N.A. | No customer-controlled servers. Cloudflare Workers run in V8 isolates with no shared filesystem. Underlying infrastructure patching is Cloudflare-managed. |
| IVS-04 | Is internal communication between services authenticated? | Yes | Inter-worker calls use signed bearer tokens; rotated quarterly. Worker-to-Postgres via Hyperdrive (TLS, no public exposure). |
IPY
Interoperability & Portability
Data export, vendor lock-in, customer-controlled formats.
| ID | Question | Answer | Notes |
|---|---|---|---|
| IPY-01 | Can customers export their data? | Yes | Yes, via privacy@theartofcto.com — JSON for account + telemetry, native formats for tool outputs (Excel, PowerPoint, JSON). |
| IPY-02 | Are exported formats based on open standards? | Yes | JSON (RFC 8259), CSV (RFC 4180), Excel (Open XML), PowerPoint (Open XML), Markdown. |
MOS
Mobile Security
Native app security posture.
| ID | Question | Answer | Notes |
|---|---|---|---|
| MOS-01 | Do mobile apps use OS-secure storage for tokens? | Yes | iOS Keychain, Android Keystore for refresh tokens. PKCE flow (no client secret). |
| MOS-02 | Are mobile apps signed? | Yes | Apple App Store + Google Play signing. Production builds signed by the Apple / Google developer accounts. |
SEF
Security Incident Management
Detection, response, notification.
| ID | Question | Answer | Notes |
|---|---|---|---|
| SEF-01 | Do you have a documented Incident Response Policy? | Yes | Incident Response Policy at /documents/policies/incident-response-policy.md. Severity classification, response phases, notification windows. |
| SEF-02 | Do you commit to GDPR Article 33 / 34 notification timelines? | Yes | 72-hour notification to supervisory authority on a personal data breach; "without undue delay" to affected individuals where high risk. |
| SEF-03 | Do you have a vulnerability disclosure programme? | Yes | /security#disclosure with a published policy, 24-hour acknowledgement, 5 business-day triage, safe-harbour for good-faith researchers. RFC 9116 security.txt at /.well-known/security.txt. |
| SEF-04 | Do you log security events? | Yes | Auth failures, rate-limit events, honeypot hits, admin actions all logged. Retention 12 months for auth, 30 days for honeypot. |
| SEF-05 | Do you commit to a customer notification SLA on incidents? | Yes | Customer notification within 72 hours of confirmed incident affecting their data. Status page communications every 30 minutes for SEV-1. |
STA
Supply Chain Management
Sub-processors and supplier risk.
| ID | Question | Answer | Notes |
|---|---|---|---|
| STA-01 | Do you have a sub-processor management policy? | Yes | Sub-processor Management Policy. Selection criteria require independent attestation (SOC 2 / ISO 27001) and a signed DPA before any data is transmitted. |
| STA-02 | Do you sign DPAs with sub-processors? | Yes | DPA signed before onboarding for every sub-processor handling customer data. |
| STA-03 | Do you notify customers of new sub-processors? | Yes | 30-day advance notice via email. Customers may object during the window. |
| STA-04 | Do you assess sub-processor security posture annually? | Yes | Quarterly attestation re-confirmation; annual full review including incidents and continued use justification. |
Need additional documentation?
We respond within 1 business day to procurement and security questionnaires. Documents available on request:
- Data Processing Agreement (DPA)
- Information Security Policy + 11 supporting policies (PDF bundle)
- Sub-processor list with current attestations
- This questionnaire signed and date-stamped (PDF)
- Penetration test summary (when commissioned)