Inhalt wird geladen…
Trust Center → RFP responses
Below are pre-written answers to the questions that show up on every Enterprise security questionnaire (CAIQ, SIG-Lite, BSI-IT-Grundschutz short form). Copy them straight into your procurement tool.
| Question | Answer | Evidence |
|---|---|---|
| ds-01How is customer data encrypted at rest? | AES-256-GCM for sensitive columns (OAuth tokens, PII, secrets) and disk-level AES-256 for the Supabase managed Postgres volumes. Encryption keys are rotated every 90 days; key custody is split between Codaiq engineering and Supabase per their HSM-backed KMS architecture. | View → |
| ds-02How is data encrypted in transit? | TLS 1.2+ enforced on every public endpoint with HSTS preload, OCSP stapling, and modern cipher suites (ECDHE + AEAD only). Internal service-to-service traffic uses TLS-terminated mesh routes inside Vercel and Supabase's private network. | View → |
| ds-03Where is customer data stored? | Production data resides exclusively in EU regions (Supabase eu-central-1 Frankfurt, Vercel EU edge, AWS S3 eu-central-1 for backups). No customer data is replicated outside the EU. Sub-processors in non-EU regions are opt-in only and gated by Standard Contractual Clauses. | View → |
| ds-04Do you have a data classification policy? | Yes. Four levels: Public, Internal, Confidential, Restricted. Customer data is Confidential by default; secrets and PII columns are Restricted and additionally encrypted at the column level. See the Data Retention & Disposal Policy in docs/compliance/security-policies.md. | View → |
| Question | Answer | Evidence |
|---|---|---|
| ac-01Do you support SSO and SCIM? | Yes — SAML 2.0 SSO and SCIM 2.0 user provisioning are available on the Enterprise plan. Just-in-time provisioning with role mapping is supported. SAML implementation uses @node-saml/node-saml with full XML signature-wrapping protection. | View → |
| ac-02Is multi-factor authentication enforced? | MFA via TOTP (RFC 6238) is available for all users and required for owner/admin roles. On the Enterprise plan, customers can enforce MFA workspace-wide via the SSO IdP. | View → |
| ac-03Describe your role-based access control model. | Seven built-in roles (owner, admin, member, viewer, billing, auditor, integration) × a resource-action permission matrix. Workspace-scoped permissions are enforced at both the API layer and the database layer via Row-Level Security. Custom roles available on Enterprise. | View → |
| ac-04How is privileged access to customer data controlled? | Codaiq personnel cannot access customer workspace data without two-person break-glass approval, an explicit time-bounded reason, and full audit-log capture (immutable, hash-chained). Standing access is restricted to SREs on the production rotation. | View → |
| ac-05How are access reviews performed? | Quarterly access reviews compare every internal account and customer admin role against the role-need matrix. Deviations are remediated within seven days. Offboarding triggers revocation within 24 hours via Google Workspace SAML group sync. | View → |
| Question | Answer | Evidence |
|---|---|---|
| inf-01Where is the application hosted? | Vercel for the Next.js front-end + serverless functions (EU edge region by default, Frankfurt). Supabase for managed Postgres + Auth (Frankfurt). Railway for BullMQ worker compute (Amsterdam). All certified SOC 2 Type II. | View → |
| inf-02Do you have DDoS protection? | Yes — Cloudflare DDoS protection on every public edge, plus rate-limiting per workspace and per IP, plus WAF with managed ruleset for OWASP Top-10 and AI-prompt-injection signatures. | View → |
| inf-03What is your backup strategy? | Daily encrypted DB backups to AWS S3 (eu-central-1) with 7-day point-in-time recovery. Weekly automated restore drills validate backup integrity. RTO 4 hours, RPO 15 minutes. All backups encrypted with customer-isolated keys. | View → |
| inf-04How do you isolate customer data between tenants? | Logical multi-tenancy with workspace_id on every customer row, enforced via Row-Level Security on 56+ Postgres tables. Defence-in-depth code-layer guards prevent cross-tenant queries. Storage objects are prefixed with workspace_id at the path level. | View → |
| Question | Answer | Evidence |
|---|---|---|
| ir-01Describe your incident-response process. | Six-stage playbook: detect → triage → contain → eradicate → recover → review. P1 incidents acknowledged within 15 minutes and assigned a 24/7 PagerDuty on-call engineer. Customers notified within 72 hours of any confirmed incident affecting their data (Art. 33 GDPR). | View → |
| ir-02Do you have a public status page? | Yes — www.orconic.com/status publishes uptime, current incidents, and the maintenance calendar. Subscribers receive email/RSS notifications for every incident. | View ↗ |
| ir-03How often do you run disaster-recovery drills? | Weekly automated restore drill validates backup → fresh-Postgres → tenant-isolation invariants. Monthly chaos-engineering exercise hits a real production-like environment with controlled failures (DB outage, Redis outage, AI provider outage). | View → |
| Question | Answer | Evidence |
|---|---|---|
| pv-01Is there a signed DPA available? | Yes — the Auftragsverarbeitungsvertrag (AVV per Art. 28 GDPR) is available at orconic.com/dpa and is electronically signed on first workspace provisioning. Tamper-evidence SHA-256 hash is recorded with each signature. | View → |
| pv-02How are sub-processors managed? | The full sub-processor list is published at orconic.com/trust/subprocessors and reviewed quarterly. Customers are notified at least 30 days in advance of any new sub-processor and may object on data-protection grounds. SCCs apply to any non-EU transfer. | View → |
| pv-03How do you support data-subject rights? | Self-service GDPR data-export covers 30+ tables and is signed for tamper-evidence. Erasure (Art. 17) is available via workspace settings. DPIA template is provided to assist customers in their own assessments. | View → |
| pv-04Do you sell or share customer data? | No. Customer data is never sold, never shared with third parties for advertising, and never used to train Codaiq's own or third-party AI models without explicit per-workspace opt-in. | View → |
| Question | Answer | Evidence |
|---|---|---|
| op-01How is source code protected? | Source code is hosted on GitHub with mandatory two-factor for every committer, branch protection on main, required code review, and CODEOWNERS gating for security-sensitive areas. CI runs the security-reviewer agent on every PR. | View → |
| op-02What is your vulnerability management process? | GitHub Dependabot scans daily; npm audit gates the build on Critical/High findings. Annual external penetration test; quarterly internal pentest; continuous SAST + secret-scanning in CI. Bug-bounty program available at orconic.com/responsible-disclosure. | View → |
| op-03How are software releases managed? | Trunk-based development with feature flags. Every release is built from a signed git tag, attested with build-provenance (SLSA Level 3), and accompanied by a CycloneDX SBOM. Rollback is a single-command operation backed by Vercel immutable deployments. | View → |
| op-04What is the SLA for production availability? | 99.9% monthly uptime SLA on Enterprise (Business plan: 99.5%). SLA credits applied automatically against the following month's invoice. Real-time uptime at www.orconic.com/status. | View ↗ |
| Question | Answer | Evidence |
|---|---|---|
| cp-01Which compliance certifications do you hold? | GDPR — fully implemented. SOC 2 Type I — audit Q3 2026; Type II — Q1 2027. ISO 27001 — Stage-1 Q4 2026. BSI C5 Type-1 — Q4 2026 for DACH-Enterprise. Bridge letters and audit reports available under NDA. | View → |
| cp-02Can we audit your environment? | Yes. Customers receive an annual written information report. On-site or remote audits can be arranged with 30 days written notice; pooled audits via the SOC 2 Type II report are preferred to minimise operational disruption. | View → |
| cp-03Do you provide a Schrems II / TIA? | Yes. A Transfer Impact Assessment is documented for every sub-processor outside the EEA (currently OpenRouter/OpenAI, Statuspage, GitHub, PagerDuty). SCCs are countersigned and on file with each provider. | View → |
| Question | Answer | Evidence |
|---|---|---|
| ai-01How is AI usage controlled and observable? | Multi-provider router with per-workspace policy (model allowlist, region pinning, data-residency tier). Every call recorded in the AI usage ledger with per-tenant cost attribution. Langfuse tracing on; prompts redacted server-side before observability export. | View → |
| ai-02Is customer data used to train AI models? | No. Default routing is to no-train endpoints (Anthropic EU, Mistral EU, OpenAI no-train tier). The opt-in OpenRouter/OpenAI route is gated by workspace policy and explicitly contracted to no-train under the SCCs. | View → |
| ai-03How do you handle prompt injection and jailbreak attempts? | Defence-in-depth: input sanitisation, function-calling allowlist, structured-output schema enforcement, output classifier, and red-team test suite in CI. Detected attempts are recorded as security events in the immutable audit log. | View → |
Forward your full questionnaire to security@codaiq.com — we usually return it within two business days, and the new questions land in this public bank.