Last updated November 15, 2025

Security Statement

Custodia, LLC operates the Custodia CMMC 1 Suite with a security-first mindset. Our goal is to safeguard the sensitive data our customers entrust to the platform while helping them prepare for CMMC Level 1 attestation.

Infrastructure

The application is deployed on Vercel's managed infrastructure with data persisted in Neon-hosted PostgreSQL clusters located in the United States. Traffic is served exclusively over HTTPS with TLS 1.2+ enforced at the edge. Build and deployment pipelines run in isolated CI environments with least-privilege access to production systems.

Data Protection

  • Customer data in transit is encrypted via TLS. Evidence uploads use Vercel Blob storage with signed URLs.
  • Application secrets and API keys are managed through Vercel's encrypted environment variable system.
  • Access to production data is limited to personnel with a demonstrable need and is logged for audit purposes.
  • Regular backups are taken to protect against accidental deletion and to support continuity.

Monitoring & Logging

The platform captures structured audit logs for policy edits, evidence imports, and key system actions. Operational telemetry from hosting providers is reviewed to detect anomalies. System health checks back all public APIs so that downtime can be surfaced quickly.

Incident Response

Should a security issue occur, Custodia, LLC will promptly investigate, mitigate, and communicate material impacts to affected customers. Incidents are documented and reviewed to ensure lessons learned are incorporated into future controls.

Shared Responsibility

Security is a joint effort. Customers remain responsible for enforcing access controls within their organization, reviewing AI-generated content for suitability, and maintaining required policies and evidence. We encourage teams to enable multi-factor authentication, align with CMMC practice requirements, and engage a certified assessor before formal attestation.

Contact

Security questions or disclosures can be sent to security@custodiacompliance.com. We appreciate coordinated disclosure and will collaborate on remediation timelines.