CAIQ Lite Responses

Last updated: 2026-01-13

Consensus Assessments Initiative Questionnaire (CAIQ) Lite

This document provides responses to the Cloud Security Alliance CAIQ Lite questionnaire, covering essential cloud security controls.

Application & Interface Security (AIS)

AIS-01: Do you use industry standards to build secure applications?

Yes. We follow OWASP secure coding guidelines and perform code reviews on all changes. Our CI/CD pipeline includes static application security testing (SAST).

AIS-02: Do you use secure protocols for data transmission?

Yes. All data transmission uses TLS 1.3. HSTS is enabled with a 2-year max-age directive.

AIS-04: Do you have a formal application security testing process?

Yes. We conduct:

  • Static code analysis in CI/CD
  • Dependency vulnerability scanning
  • Annual penetration testing by third parties

Audit Assurance & Compliance (AAC)

AAC-01: Do you conduct regular internal audits?

Yes. We conduct quarterly security reviews and annual comprehensive assessments.

AAC-02: Do you allow third-party security assessments?

Yes. We engage third-party penetration testers annually and welcome customer-initiated assessments with reasonable notice.

AAC-03: Do you have compliance mappings to industry standards?

Yes. We maintain mappings to NIST CSF and CIS Controls v8. See our Control Framework Mappings.

Business Continuity & Operational Resilience (BCR)

BCR-01: Do you have a business continuity plan?

Yes. Our business continuity program covers disaster recovery, data backup, and crisis communication.

BCR-02: What are your backup and recovery procedures?

  • Daily encrypted backups retained for 30 days
  • Point-in-time recovery capability (7-day window)
  • Geographic redundancy for backup storage
  • RTO: 4 hours, RPO: 1 hour

Change Control & Configuration Management (CCC)

CCC-01: Do you have a formal change management process?

Yes. All changes follow our change management process, including:

  • Version control (Git)
  • Peer code review
  • Automated testing
  • Staged deployment with rollback capability

CCC-02: Do you maintain secure configurations?

Yes. We use infrastructure-as-code and configuration management to ensure consistent, secure configurations across environments.

Data Security & Privacy (DSP)

DSP-01: Do you classify data based on sensitivity?

Yes. We use a four-tier classification: Public, Internal, Confidential, Restricted. See Data Protection.

DSP-02: Do you encrypt data at rest and in transit?

Yes.

  • At rest: AES-256
  • In transit: TLS 1.3

DSP-05: Do you have data retention and disposal procedures?

Yes. Data retention periods are documented per data type. Secure deletion procedures are followed for data disposal.

Datacenter Security (DCS)

DCS-01: Where are your data centers located?

We use cloud infrastructure (Supabase/AWS) with data centers in the United States. Our providers maintain SOC 2 Type II certifications.

Encryption & Key Management (EKM)

EKM-01: What encryption algorithms do you use?

  • Symmetric: AES-256 (data at rest)
  • TLS: TLS 1.3 with modern cipher suites
  • Hashing: Argon2id (passwords)

EKM-02: How do you manage encryption keys?

Keys are managed by our cloud providers (Supabase, Google Cloud) with automated rotation where supported. Customer-managed keys are available for enterprise clients.

Governance, Risk & Compliance (GRC)

GRC-01: Do you have a formal security governance program?

Yes. Security governance includes executive oversight, documented policies, and regular risk assessments.

GRC-02: Do you conduct regular risk assessments?

Yes. Risk assessments are conducted quarterly with a formal risk register maintained and reviewed.

Human Resources (HRS)

HRS-01: Do you perform background checks?

Yes. Background checks are performed for all employees with access to customer data.

HRS-02: Do you provide security training?

Yes. All employees complete security awareness training upon hire and annually thereafter.

HRS-03: Do you have an acceptable use policy?

Yes. Employees acknowledge acceptable use policies covering data handling, system access, and security responsibilities.

Identity & Access Management (IAM)

IAM-01: Do you enforce strong authentication?

Yes. Multi-factor authentication is required for all system access. SSO is used where possible.

IAM-02: Do you follow least privilege principles?

Yes. Role-based access control with least privilege is enforced. Access is reviewed quarterly.

IAM-04: Do you have access termination procedures?

Yes. Access is revoked immediately upon termination. Automated deprovisioning is in place.

Infrastructure & Virtualization Security (IVS)

IVS-01: Do you segment networks?

Yes. Production, staging, and development environments are isolated. Database access is restricted to application services.

IVS-04: Do you have DDoS protection?

Yes. Cloudflare provides Layer 3/4/7 DDoS protection with automatic mitigation.

Logging & Monitoring (LOG)

LOG-01: Do you maintain audit logs?

Yes. Security events and administrative actions are logged and retained for audit purposes.

LOG-03: Do you monitor for security events?

Yes. We perform 24/7 security monitoring with automated alerting for anomalies and threats.

Security Incident Management (SIM)

SIM-01: Do you have an incident response plan?

Yes. Our incident response plan covers detection, response, recovery, and post-incident review. See Incident Response Policy.

SIM-03: Do you notify customers of incidents?

Yes. Customers are notified of security incidents affecting their data within 72 hours.

Threat & Vulnerability Management (TVM)

TVM-01: Do you perform vulnerability scanning?

Yes. We run weekly automated scans, daily dependency scans, and annual penetration testing.

TVM-02: Do you have a patch management process?

Yes. Patches are applied based on severity, with critical patches applied within 24 hours.

For the full CAIQ questionnaire or additional details, contact security@grayghostdata.com