bsns.cc
Security questionnaire
Last updated May 31, 2026
Pre-filled answers to the questions most prospect-security teams send us, aligned to the Cloud Security Alliance CAIQ category short codes for cross-reference with internal scorecards.
If your procurement workflow requires its own form, send it to security@bsns.cc and we’ll return it with answers cross-referenced to these entries plus the controls documented on /security. We aim to turn questionnaires around in 5 business days.
Honesty principle: where we don’t do something, we say so plainly and identify the compensating control. A pre-filled questionnaire is only useful if its answers survive contact with an auditor.
Application & interface security · AIS
- Is the application built with secure-coding standards?
- Yes. Every API route declares an explicit auth posture audited by check:api-route-auth in CI (354 routes currently green). Cross-tenant data access is enforced at the database via FORCE ROW LEVEL SECURITY rather than relying on application logic. [Tenant isolation]
- How is input validation handled?
- Server-side validation on every Server Action and API route via Zod-typed parsers; the Prisma schema enforces shape at persistence; outbound rendering is React with default escaping (no dangerouslySetInnerHTML on customer data).
- Do you publish a Content-Security-Policy?
- Yes. Strict CSP with nonce-based script allowance is set in the responsive layout and middleware.
Audit assurance & compliance · AAC
- Do you have SOC 2 / ISO 27001 certification?
- Not yet. SOC 2 Type 1 groundwork is in progress; no audit firm engaged and no target date confirmed. We will publish the firm and the audit window here when both are set. Pending certifications, this questionnaire and the controls documented at /security are the basis for assessment.
- Are external penetration tests performed?
- Not yet on an external basis. A May 2026 internal security pass closed 8 hardening blocks (cron auth gating, RLS carveout audit, public-token TTL audit, portal rate limits, SAML SP scoping, audit-chain backfill, idempotency anchors, key escrow). External engagement scope drafted; not contracted.
- Can customers request audit-log exports for their tenant?
- Yes — on request via security@bsns.cc. Tenant admins can view their own super-admin-action audit on /admin/security in real time.
Business continuity & resilience · BCR
- What is your backup strategy?
- Neon hourly snapshots retained at the storage layer plus an independent daily pg_dump to encrypted blob storage. Recovery is exercised weekly via the staging-refresh job (a real pg_restore into a fresh cluster, not just a checksum).
- What are your RPO and RTO targets?
- Target RPO: 1 hour. Target RTO: 1 hour. Last drilled May 25, 2026: pg_dump → pg_restore end-to-end in 3 minutes 25 seconds against a representative dataset. [Backups & continuity]
- Is there a documented business continuity plan?
- Yes. The technical-recovery runbook is at docs/operations/preview-refresh.md. The single-operator continuity plan (legal + access transfer for the bus-factor case) is published at /help/continuity.
Change control & configuration management · CCC
- How are production changes controlled?
- Code ships fast-forward-only through dev → preview → master. The production deploy script refuses to deploy unless HEAD equals origin/master and is an ancestor of origin/dev — a hot-fix path is mechanically blocked, not just policy. [Change management]
- Are changes peer-reviewed?
- Currently a single-operator constraint — reviews use asynchronous AI review tooling that flags risk before merge. Pre-commit + CI gates run an opinionated audit suite (auth posture, RLS coverage, env drift, security invariants) on every change. Peer review will be reintroduced when staffing allows.
Data security & lifecycle · DSI
- Where is customer data stored?
- Neon Postgres clusters in us-east-1. Two logical databases (identity and business data) across three environments (prod, staging, dev) in separate Neon projects.
- How is multi-tenant data isolated?
- Postgres row-level security with the FORCE attribute on every tenant-keyed table. The application uses a role that doesn’t bypass RLS; the tenant identifier is set as a session GUC inside a transaction. A bug that forgets to set context returns zero rows, never another tenant’s. [Tenant isolation]
- How is customer data deleted on request?
- Tenant admins delete the tenant from Settings → Data export & delete. Business-data rows and identity records bound to the tenant are purged. Two known gaps are in the process of being closed: archived blob storage and downstream vendor records (Stripe customers, Telnyx numbers) are queued for atomic cleanup. Verbatim data-subject-rights requests: privacy@bsns.cc, 30-day response.
- How long is data retained?
- Indefinitely for the lifetime of the tenant (you control your own retention). On tenant deletion, purge is immediate. Soft-deleted tasks are hard-purged after 30 days. Audit logs and signed-document hash chains are retained for the legal life of the document.
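The isolation described under “How is multi-tenant data isolated?” (and referenced in the AIS section), written out as an added SQL example rather than bsns.cc’s own schema; the table name, the app_user role and the app.tenant_id GUC are assumptions chosen for illustration.

```sql
-- Added example, not bsns.cc's own schema: tenant isolation in Postgres via
-- FORCE ROW LEVEL SECURITY plus a transaction-scoped session GUC.
-- Table "invoice", role "app_user" and GUC "app.tenant_id" are assumptions.

CREATE TABLE invoice (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  amount    numeric(12, 2) NOT NULL
);

-- Constructed sample rows for two tenants, inserted before RLS is enabled.
INSERT INTO invoice (tenant_id, amount) VALUES
  ('11111111-1111-1111-1111-111111111111', 100.00),
  ('11111111-1111-1111-1111-111111111111', 250.00),
  ('22222222-2222-2222-2222-222222222222', 999.00);

-- The application role is not the table owner and cannot bypass RLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoice TO app_user;
GRANT USAGE ON SEQUENCE invoice_id_seq TO app_user;

ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, so a migration
-- or maintenance job run as the owner cannot read across tenants either.
ALTER TABLE invoice FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the GUC was never set, and ''
-- after a RESET; NULLIF folds '' into NULL as well. A missing context therefore
-- compares as NULL and the policy admits no rows: fail closed, never another
-- tenant's data. WITH CHECK applies the same rule to writes.
CREATE POLICY tenant_isolation ON invoice
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Request-handler pattern: SET LOCAL scopes both the role and the tenant GUC
-- to this transaction, so neither leaks to the next request on a pooled
-- connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM invoice;   -- restricted to the tenant set above
COMMIT;

-- A handler that forgot to set context: the policy filters everything out,
-- so the bug surfaces as an empty result rather than a cross-tenant leak.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM invoice;
COMMIT;
```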
Encryption & key management · EKM
- How is data encrypted in transit?
- TLS 1.2 or higher on every public endpoint; HSTS with long max-age. Postgres connections use sslmode=require with channel binding.
- How is data encrypted at rest?
- Neon storage is transparently encrypted at the disk layer. Sensitive columns (DOB, SSN, EIN, tax IDs, driver license numbers, federation private keys, telematics keys) are additionally column-encrypted with AES-256-GCM using per-app encryption keys. [Encryption]
- Where are encryption keys held?
- Operator-only in 1Password as the primary store, mirrored to a Bitwarden escrow with a CI fingerprint check that refuses to push divergent envvar configurations. Rotation is a documented runbook (docs/operations/env-recovery.md).
Governance & risk management · GRM
- Is there a documented information-security policy?
- In progress; a formal policy bundle (InfoSec, AUP, IRP, BCP, Vendor Management, Access Control, Data Retention) has been drafted as part of SOC 2 groundwork and will be published on completion. The controls those policies will codify are already implemented and documented at /security.
- Is there a risk register?
- Yes — maintained as source under docs/compliance/risk-register.md (internal). The customer-visible summary of known gaps is the “What we don’t have yet” section on /security.
Human resources security · HRS
- Is there segregation of duties?
- Structurally limited — bsns.cc is currently a single-operator company. Compensating controls: full audit logs on every privileged action, mechanically enforced dev-first deploy gate, Bitwarden escrow for credential recovery, documented continuity plan for the bus-factor case.
- Are background checks performed on employees?
- Not applicable today (the sole operator is the founder). Policy will require a completed background check before a new hire receives production credentials.
- Is security training conducted?
- Not applicable today. Will be required for any future hire with production access.
Identity & access management · IAM
- Is MFA required for all user accounts?
- Yes. New accounts have a 7-day grace window to enroll a passkey or TOTP. After expiry, sign-in routes through MFA verification before any app launch.
- Is MFA required for administrative access?
- Yes for the operator. Yes for tenant admins via the same MFA enforcement that applies to all users.
- How are passwords stored?
- Argon2id; never logged.
- Does the product support SSO / SAML for enterprise tenants?
- Yes. SAML 2.0 federation for enterprise tenants; IdP private keys are encrypted with a dedicated key separate from the column-PII key so a key compromise blast radius stays scoped.
Infrastructure & virtualization security · IVS
- Are systems segmented between environments?
- Yes. Three independent Neon projects (cent-prod, cent-staging, cent-dev) with no shared credentials. Vercel environments (production, preview, development) are separately configured and a production deploy requires the explicit production deploy script.
- Is network access to the database restricted?
- Database credentials are per-environment and never present in preview / dev contexts. A strict IP allowlist is impractical with serverless egress; compensating controls are FORCE ROW LEVEL SECURITY, audit logs, and Neon’s platform-level controls.
Interoperability & portability · IPY
- Can customers export their data?
- Yes — one click from Settings → Data export. One JSON file per table, flat CSV per spreadsheet-friendly entity, plus a manifest.json. No proprietary format; re-import paths in each app accept the matching shape.
- What happens to my data if I cancel?
- You retain the right to export for 30 days after cancellation. On request or after 30 days, the tenant is purged per the deletion process above.
Security incident management · SEF
- How are security incidents detected?
- Application errors and slow queries forward to a central observability surface with ntfy alerting; cron failures are caught by a dead-man’s switch; uptime is monitored by Better Stack plus an independent healthchecks watchdog. Public disclosures are accepted at security@bsns.cc and /.well-known/security.txt (RFC 9116).
- What is your incident-response timeline?
- Receipt of a vulnerability report: confirmed within 24 hours. Status update: within 5 business days. Customer notification for business-impacting incidents: as soon as scope is understood, via /status and direct email to tenant admins.
Supply chain transparency · STA
- Do you publish a list of sub-processors?
- Yes, at /security/sub-processors with vendor, purpose, region, and DPA status. The list is maintained in source control and changes go through pull request.
- How are sub-processors managed?
- Internal vendor register at docs/compliance/vendor-register.md tracks DPA status, review cadence, and last-reviewed date. We commit to 30 days’ notice before adding a new sub-processor.
Threat & vulnerability management · TVM
- How are dependencies scanned for vulnerabilities?
- GitHub Dependabot for the JavaScript/TypeScript stack and npm audit at the workspace root in CI. High and critical advisories block merge.
- How are infrastructure vulnerabilities managed?
- Vercel and Neon handle their respective platform patching; kernel, runtime, and container surface area is outside our control by design (managed-platform tradeoff). Application dependency patching is operator-driven via the dependency-bot pipeline above.