# CAIQ Lite - Scope pre-filled responses

Cloud Security Alliance Consensus Assessments Initiative Questionnaire
(CAIQ) Lite. Pre-filled against Scope's actual posture as of 2026-05-31.
Honest "no" answers are flagged for the post-launch roadmap (target Q3-Q4 2026).

Responses map to CSA Cloud Controls Matrix (CCM) domains.

---

## AIS - Application and Interface Security

| Control | Response |
|---------|----------|
| AIS-01 Application security | Server-side validation on every mutation. OpenAPI 3.1 spec published. |
| AIS-02 Customer access requirements | OAuth 2.0 access tokens, per-tenant scoping, RBAC capability gates. |
| AIS-04 Data integrity | RLS-enforced tenant isolation; append-only audit log on every mutation. |

## DSI - Data Security and Information Lifecycle

| Control | Response |
|---------|----------|
| DSI-01 Classification | Matter metadata + vendor records only. No firm client files stored. |
| DSI-02 Data inventory | Documented in the security overview data flow. |
| DSI-03 E-commerce transactions | Stripe Connect destination charges; HMAC-SHA256 webhook verification. |
| DSI-07 Secure disposal | Hard-delete with cascade on tenant-initiated deletion. Cryptographic erasure of secrets. |
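As an added illustration of the DSI-03 row (example code, not Scope's own webhook handler): verifying an HMAC-SHA256 webhook signature the way Stripe's documented scheme works, where the `Stripe-Signature` header carries `t=<unix timestamp>,v1=<hex digest>` and the signed message is `<timestamp>.<raw body>`. The secret, body and timestamp below are constructed; the endpoint secret name and the `build_header` helper exist only so the example can produce something to verify. The practitioner points it shows are that the digest must be computed over the raw request bytes, that the timestamp tolerance closes the replay window, and that the comparison is constant-time.

```python
"""Stripe-style HMAC-SHA256 webhook verification (added example, not Scope's code).

Assumes Stripe's documented scheme: header "t=<ts>,v1=<hex hmac>", HMAC key =
endpoint secret, signed message = "<ts>.<raw body>". All values are constructed.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # reject events whose timestamp is more than 5 min off (replay window)


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>", i.e. what the sender computes."""
    signed = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def build_header(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Constructed sender-side helper so the example has a header to verify."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, raw_body)}"


def parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Return (timestamp, [v1 candidates]); several v1 values appear during secret rotation."""
    timestamp: Optional[int] = None
    candidates: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    return timestamp, candidates


def verify_webhook(raw_body: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify over the *raw* body bytes; re-serialised JSON would change the digest."""
    now = int(time.time()) if now is None else now
    timestamp, candidates = parse_signature_header(header)
    if timestamp is None:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = sign_payload(secret, timestamp, raw_body).encode()
    # compare_digest is constant-time; any v1 matching the current secret passes
    for candidate in candidates:
        if hmac.compare_digest(candidate.encode(), expected):
            return True, "ok"
    return False, "no matching signature"


if __name__ == "__main__":
    SECRET = "whsec_constructed_example"                       # constructed, not a real secret
    body = b'{"id":"evt_constructed","type":"payment_intent.succeeded"}'
    now = 1_780_000_000
    header = build_header(SECRET, now, body)
    print(verify_webhook(body, header, SECRET, now=now))        # (True, 'ok')
    print(verify_webhook(body + b" ", header, SECRET, now=now))  # tampered body -> rejected
    print(verify_webhook(body, header, SECRET, now=now + 600))   # stale timestamp -> rejected
```

The handler should read the body with the framework's raw-body API before any JSON parsing, and the rejected cases (bad digest, stale timestamp, malformed header) are worth logging separately so a burst of failures is visible in the audit trail.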

## EKM - Encryption and Key Management

| Control | Response |
|---------|----------|
| EKM-02 Key generation | Managed via Supabase / Vercel platform key management. |
| EKM-03 Encryption at rest | AES-256 (Postgres at rest); AES-256-GCM (secrets). |
| EKM-04 Encryption in transit | TLS 1.2+ on every connection. |
| EKM-customer-managed-keys | Not yet - on the post-launch roadmap. |

## GRM - Governance and Risk Management

| Control | Response |
|---------|----------|
| GRM-01 Baseline requirements | Security policies under counsel + Vanta review. |
| GRM-06 Policy | Documented; reviewed on the SOC 2 cadence. |
| GRM-11 Risk management program | Forming alongside SOC 2 Type I. Formal program: post-launch roadmap. |

## IAM - Identity and Access Management

| Control | Response |
|---------|----------|
| IAM-02 Credential lifecycle | API tokens hashed (SHA-256); revocable; OAuth token expiry enforced. |
| IAM-04 Policies and procedures | RBAC with five roles, capability-based gating. |
| IAM-08 User access reviews | Firm admins manage their tenant's users + roles. Scheduled access-review automation: post-launch roadmap. |
| IAM-10 User access provisioning | Invite + role assignment in firm settings. SCIM 2.0 JIT provisioning: documented, marked v2. |
| IAM-12 SSO | SAML 2.0 + OIDC, per-tenant configuration. |
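As an added illustration of the IAM-02 row (example code, not Scope's own token service): issuing API tokens, storing only their SHA-256 digest, and revoking them by id. The `TokenStore` class, the `scope_` prefix and the in-memory dictionary standing in for a database table are constructed for the example. It shows why a hashed token table is safe to read (the digest of a high-entropy random token cannot be inverted, so no salt or slow hash is needed, unlike a password) and why revocation is a flag rather than a row deletion, so the audit trail keeps the record.

```python
"""API tokens stored as SHA-256 digests with revocation (added example, not Scope's code).

TokenStore and its in-memory dict stand in for a database table; names are constructed.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


class TokenStore:
    def __init__(self) -> None:
        # token_hash -> record; the plaintext token is never written here
        self._rows: Dict[str, dict] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Plain SHA-256 is sufficient: the token has ~256 bits of entropy, so the
        # digest is not brute-forceable the way a password hash would be.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, tenant_id: str, scopes: List[str]) -> Tuple[str, str]:
        """Return (token_id, plaintext token). The plaintext is shown to the user once."""
        token_id = f"tok_{len(self._rows) + 1}"
        token = "scope_" + secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "token_id": token_id,
            "tenant_id": tenant_id,
            "scopes": set(scopes),
            "revoked": False,
        }
        return token_id, token

    def authenticate(self, presented: str) -> Optional[dict]:
        """Look the presented token up by digest; revoked rows authenticate as nothing."""
        row = self._rows.get(self._digest(presented))
        if row is None or row["revoked"]:
            return None
        return row

    def revoke(self, token_id: str) -> bool:
        """Revoke by id so a firm admin can do it without holding the plaintext token."""
        for row in self._rows.values():
            if row["token_id"] == token_id:
                row["revoked"] = True  # keep the row for the audit log
                return True
        return False


if __name__ == "__main__":
    store = TokenStore()
    tid, tok = store.issue("tenant_a", ["read:matters"])
    print(store.authenticate(tok) is not None)   # True
    print(store.revoke(tid))                     # True
    print(store.authenticate(tok))               # None
```

In a real table the digest is the unique lookup key, scopes and tenant id are enforced on every request from the row (never from the token itself), and a revoked row stays so its use attempts can be logged.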

## IVS - Infrastructure and Virtualization Security

| Control | Response |
|---------|----------|
| IVS-01 Audit logging | Append-only tenant-scoped audit_log. |
| IVS-06 Network security | Vercel edge + Supabase managed network. No customer-managed VPC today. |
| IVS-08 Production / non-production separation | Separate Supabase + Vercel environments. |

## SEF - Security Incident Management

| Control | Response |
|---------|----------|
| SEF-02 Incident management | IR policy with SEV-1 to SEV-4 tiers. |
| SEF-03 Incident reporting | Tenant notification for incidents affecting their data. |
| SEF-04 Incident response legal preparation | Counsel-reviewed IR process. |

## STA - Supply Chain Management, Transparency, Accountability

| Control | Response |
|---------|----------|
| STA-05 Subprocessors | Vercel, Supabase, Stripe, Resend. All SOC 2 Type II. |
| STA-07 Supply chain agreements | Per-subprocessor DPAs in place. |
| STA-09 Third-party audits | SOC 2 Type I in progress; subprocessors maintain Type II. |

## TVM - Threat and Vulnerability Management

| Control | Response |
|---------|----------|
| TVM-01 Antivirus / malicious software | Managed platform layer (Vercel / Supabase). |
| TVM-02 Vulnerability management | Dependency scanning in CI. Formal pen-test cadence: post-launch roadmap. |
