{
  "questionnaire": "CAIQ",
  "version": "v4.0.2",
  "vendor": "Atestaria",
  "completed_at": "2026-05-03",
  "domains": {
    "Audit & Assurance (A&A)": "Independent audit roadmap (SOC 2 Type I → II, ISO 27001) published at /trust.",
    "Application & Interface Security (AIS)": "OWASP ASVS L2 baseline; SAST + dependency audit in CI.",
    "Business Continuity Management (BCR)": "RTO 5 min / RPO 1 min targets; multi-region active-active in Phase 4.",
    "Change Control (CCC)": "GitOps; mandatory peer review; protected branches.",
    "Cryptography & Key Management (CEK)": "Pluggable KMS (Local/AWS/GCP/Vault); annual key rotation; HSM-backed for prod.",
    "Datacenter Security (DCS)": "Inherited from cloud provider (Replit / GCP / AWS).",
    "Data Security & Privacy (DSP)": "Privacy by design; only hashes stored; DSAR endpoints.",
    "Governance, Risk & Compliance (GRC)": "Annual risk assessment; documented control catalog.",
    "Human Resources (HRS)": "Background checks; security training; insider-threat program.",
    "Identity & Access Management (IAM)": "SSO (SAML+OIDC), SCIM 2.0, RBAC, MFA enforced for prod.",
    "Interoperability & Portability (IPY)": "All data exportable in JSON via /privacy/me/export and audit export endpoints.",
    "Infrastructure & Virtualization (IVS)": "Immutable infra; rate limiting; observability via OpenTelemetry.",
    "Logging & Monitoring (LOG)": "Hash-chained audit log; signed head; OpenTelemetry traces & metrics.",
    "Security Incident Mgmt (SEF)": "Documented IR runbook; bug bounty program at /trust/bounty.",
    "Supply Chain Mgmt (STA)": "Sub-processors listed at /trust; pinned dependencies; SBOM produced per release.",
    "Threat & Vulnerability Mgmt (TVM)": "Continuous SAST/DAST; quarterly pen tests; dependency audit.",
    "Universal Endpoint Mgmt (UEM)": "MDM-managed corporate devices; full-disk encryption."
  }
}