Vendor Security Questionnaire Responses
SIG Lite and CAIQ v4 pre-fills · last updated 27 May 2026 · refreshed quarterly or on material change
Most procurement teams send a security questionnaire within 48 hours of taking a meeting. The two most common are the Shared Assessments SIG(full or Lite variants) and the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ v4). This page pre-answers both so your security team can validate our position without waiting for us to fill out a spreadsheet.
Download
- SIG Lite (current revision) — populated XLSX available on request to compliance@glassbreak.io. Returned within 1 business day under NDA.
- CAIQ v4.0.3 — populated XLSX available on the same request. The summary below is the human-readable digest.
- CSA STAR Level 1 Self-Assessment — we will be publishing our entry on the CSA STAR Registry once the SOC 2 Type I report is in hand; until then the CAIQ summary below is authoritative.
How to use this page
- If you only need a yes/no on the most common items, the 25 most-asked questions below cover roughly 80% of every questionnaire we have ever received.
- If you need the full SIG Lite or CAIQ in your own template, email us and we will return your template populated within 24 hours.
- If you need a vendor-portal upload (OneTrust, Whistic, ProcessUnity, Archer), email us your inviter address and we will respond directly from a dedicated GRC mailbox.
Governance & programme
Programme governance
3 met1 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| GOV-1 | Formal Information Security Programme | Met | Six published policies at /policies (InfoSec, IR, BCP/DR, Onboarding, Offboarding, Sanctions) with named Security Officer, annual review cadence, and acknowledgement tracking. |
| GOV-2 | Designated security officer | Met | Security responsibility sits with the founder. |
| GOV-3 | Risk register maintained | Met | Initial register produced by the May 2026 internal audit; refreshed at least annually thereafter. |
| GOV-4 | Cyber-liability insurance | Partial | In procurement. Coverage limits will be listed here once policy is bound. |
Certifications & attestations
Standards held / pursued
1 met6 gap1 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CERT-SOC2 | SOC 2 Type II | Gap | In flight. Gap assessment and current phase at /trust/soc-2. |
| CERT-ISO | ISO/IEC 27001:2022 | Gap | Not yet. Decision criteria at /trust/iso-27001. |
| CERT-HIPAA | HIPAA BAA | Gap | Not yet offered. Gap assessment at /trust/hipaa. |
| CERT-HITRUST | HITRUST CSF | Gap | Not pursued. |
| CERT-PCI | PCI-DSS | N/A | We do not store, process, or transmit cardholder data. Payment processing delegated to Stripe (PCI-DSS Level 1). |
| CERT-FEDRAMP | FedRAMP Moderate | Gap | Not pursued. See /trust/fedramp. |
| CERT-GDPR | GDPR / UK GDPR / Swiss FADP | Met | Published DPA incorporating EU SCCs Module 2, UK IDTA, Swiss FADP addendum at /legal/dpa. Sub-processors at /legal/sub-processors. |
| CERT-CE | UK Cyber Essentials / Cyber Essentials Plus | Gap | Not yet. Will assess after SOC 2 Type II is issued. |
Encryption
Cryptographic controls
4 met2 gap
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| ENC-1 | Encryption at rest | Met | AES-256-GCM. Customer payloads encrypted on the user's device before transmission; Glassbreak does not hold the decryption keys. |
| ENC-2 | Encryption in transit | Met | TLS 1.2+ minimum; TLS 1.3 preferred. HSTS preloaded. |
| ENC-3 | Key management | Met | Per-recipient key wrapping. Shamir over GF(2⁸) wrapped with RSA-OAEP-8192 + ML-KEM-1024 (post-quantum hybrid). Detail at /technology/encryption. |
| ENC-4 | BYOK / HYOK | Gap | Not offered today. On enterprise roadmap. |
| ENC-5 | Cryptographic libraries | Met | Noble (audited; formally specified). Wycheproof test vectors vendored and run in CI (api/common/src/security/wycheproof.test.ts). |
| ENC-6 | FIPS 140-3 validated modules | Gap | No. Required for FedRAMP; not in scope for commercial product. |
Authentication
Authentication controls
4 met1 partial1 gap
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| AUTH-1 | Password storage | Met | Argon2id (t=4, m=128MB, p=2). Per-user salt. Server-side pepper. |
| AUTH-2 | MFA | Met | TOTP (RFC 6238) and WebAuthn / FIDO2. SMS not offered for in-app MFA (delivery channel only). |
| AUTH-3 | Session management | Met | Refresh-token rotation; peppered SHA-256 hashes; family-based reuse detection. |
| AUTH-4 | JWT signing | Met | EdDSA (Ed25519) with kid-driven verify, per-vertical signing keys. Documented rotation runbook at docs/operator-jwt-per-vertical.md. |
| AUTH-5 | Federated identity / SSO | Partial | In flight. SAML 2.0 and OIDC under active development (api/common/src/api/auth/sso.ts). |
| AUTH-6 | SCIM provisioning | Gap | Not yet. On the enterprise roadmap with SSO. |
Access management
Authorisation & access
4 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| ACC-1 | RBAC | Met | 8 organisation permissions and 25+ team permissions with role mappings. |
| ACC-2 | Least privilege | Met | Production access on a need-to-have basis. Quarterly review cadence at /policies/cadences/access-review with signed record of every grant. |
| ACC-3 | Privileged access | Met | MFA required. Admin actions logged. |
| ACC-4 | Customer data isolation | Met | Per-organisation row-level isolation enforced at the query layer; cross-tenant access tested in middleware + admin tests. |
Infrastructure & operations
Hosting, resilience, operations
8 met2 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| INF-1 | Hosting | Met | Multi-cloud across AWS (us-east-1) and Scaleway (fr-par). Full topology at docs/architecture.md. |
| INF-2 | Data residency | Met | EU users via glassbreak.cloud remain within Scaleway French region end-to-end. US-direct path via glass-break.com stays within AWS us-east-1. |
| INF-3 | High availability | Met | Two independent compute stacks with health-checked failover at Fastly. 22 DR scenarios tested nightly. |
| INF-4 | Backups | Met | Per-vertical encrypted backups. Daily integrity round-trip in DR scenario 22. |
| INF-5 | Recovery objectives | Partial | Target RTO 15 min (automated cross-vertical failover); target RPO 5 min for replicated data; quorum-recoverable secrets have no RPO loss in single-vertical failure. Formal RTO/RPO commitment in SOC 2 BCP doc. |
| INF-6 | Change management | Met | All production changes via PR with mandatory review. Infrastructure changes via OpenTofu plan-and-review. |
| INF-7 | Vulnerability management | Partial | Monthly /policies/cadences/vulnerability-review reviews Dependabot, npm audit, sub-processor advisories. External pen test in flight. |
| INF-8 | Patching | Met | Serverless runtimes patched by sub-processors. Application dependencies via Dependabot; security patches expedited within 7 days of publication. |
| INF-9 | Logging | Met | Application audit log + observability stack (Grafana Cloud Tempo / Loki / Mimir). Per-request trace IDs surface in error reports. |
| INF-10 | Monitoring | Met | Three SLO alerts (5xx rate, p95 latency, apex probe). 30-min smoke-test heartbeat on the primary marketing and API surfaces. |
Incident response
Incident response
4 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| IR-1 | Incident response procedure | Met | Published at /policies/incident-response: SEV-1/2/3/4 classification, response phases, communication templates, post-mortem cadence, customer-notification SLAs. |
| IR-2 | Customer notification | Met | Without undue delay, and in any case within 72 hours for personal-data breaches per the DPA. Tighter SLAs available in enterprise contracts. |
| IR-3 | Coordinated disclosure | Met | Policy at /trust/disclosure. Reports to security@glassbreak.io. |
| IR-4 | Public status page | Met | Per-vertical live status at /status. Browser polls each cloud independently rather than aggregating server-side. |
Sub-processors & supply chain
Sub-processors & supply-chain
3 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| SUP-1 | Sub-processor list maintained | Met | /legal/sub-processors. 30-day advance notice on additions per the DPA. |
| SUP-2 | Sub-processor assurance | Met | All material sub-processors hold their own SOC 2 Type II (AWS, Neon, Scaleway, Fastly, Stripe). Reports available from each on request. |
| SUP-3 | Supply chain risk | Met | Supply Chain Risk Management Plan at /policies/supply-chain-risk covers sub-processor lifecycle, software supply chain (lockfiles + Dependabot + SBOM target), and CI/CD supply chain. |
People & physical
People & physical controls
4 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| PEO-1 | Background checks | Met | Background checks completed for workforce members with production access; procedure documented at /policies/onboarding §3.2. |
| PEO-2 | Security awareness training | Met | Mandatory security briefing on Day 1, formal training in first 30 days, annual refresh thereafter — per /policies/onboarding §§4.3, 5, 8. |
| PEO-3 | Personnel offboarding | Met | Documented at /policies/offboarding: access revocation, credential rotation, asset return, knowledge transfer, exit interview, post-termination obligations. |
| PEO-4 | Physical security | Met | Inherited from cloud sub-processors; no Glassbreak-operated data centres. |
Data handling
Data handling & lifecycle
5 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| DAT-1 | Data classification | Met | Customer Data treated as confidential. Encrypted payloads treated as opaque ciphertext. |
| DAT-2 | Data retention | Met | Retained for the life of the subscription. On termination: returned or deleted per customer election per the DPA. Audit logs retained 12 months minimum. |
| DAT-3 | Data deletion | Met | Self-service erasure route mounted (audit finding C-12 resolved). Cryptographic erasure for shared secrets; account deletion via /legal/data-request. |
| DAT-4 | Data subject rights | Met | Export and erasure available per /legal/data-request. |
| DAT-5 | Cross-border transfers | Met | Governed by SCCs / UK IDTA / Swiss FADP addendum per the DPA. |
Application security
Application security
3 met2 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| APP-1 | Secure development lifecycle | Met | Controlled SDLC procedure at /policies/sdlc with security activities at each lifecycle phase (plan, design, implement, review, test, release, operate, retire). |
| APP-2 | Static analysis | Met | ESLint with security rulesets and TypeScript strict mode. Adding semgrep policies for SOC 2 readiness. |
| APP-3 | Dependency scanning | Met | Dependabot. |
| APP-4 | Penetration testing | Partial | External pen test in flight; most recent internal audit covered eight domain-focused static analysis passes across ~187k lines of code. |
| APP-5 | Bug bounty | Partial | Not currently paid. Public coordinated-disclosure policy with credit and swag at /trust/disclosure. |
Cloud-specific (CAIQ v4 deltas)
Cloud-specific (CAIQ v4)
3 met1 partial1 gap
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CLO-1 | Multi-tenancy model | Met | Logical isolation at the application layer with per-organisation row-level enforcement. Dedicated-tenancy option on the enterprise roadmap. |
| CLO-2 | Customer-managed encryption keys | Gap | Not offered today. Hybrid PQ envelope encryption with per-user keys is the current model; BYOK at the master-envelope layer is on the enterprise roadmap. |
| CLO-3 | Tenant-specific encryption | Met | By design — keys are per-user and per-secret; no master key spans tenants. |
| CLO-4 | Audit-log access by customer | Partial | Customers have read access via /secure/audit. Streaming to customer-owned SIEM (Splunk HEC, Datadog, S3 push) is on the enterprise roadmap. |
| CLO-5 | Tenant data export | Met | JSON export of all customer-readable data via the data-export route. |
Privacy
Privacy
5 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| PRI-1 | GDPR controller / processor role | Met | Processor. Customer is Controller. DPA at /legal/dpa. |
| PRI-2 | CCPA / CPRA role | Met | Service Provider. Will not sell or share Personal Information. |
| PRI-3 | Privacy notice | Met | /privacy. |
| PRI-4 | DPO / Privacy contact | Met | privacy@glassbreak.io. |
| PRI-5 | Children's data | Met | Service not directed at children under 16; we do not knowingly collect data from children. |
What we will not commit to in a questionnaire
We will say no — politely and on the record — to questions that ask us to:
- Confirm compliance with a standard we do not hold (no "SOC 2 equivalent", no "HIPAA ready", no "FedRAMP aligned").
- Promise unlimited liability or unbounded indemnification.
- Grant unrestricted on-site audit rights without notice or confidentiality terms.
- Disclose detailed internal infrastructure that would constitute reconnaissance for an attacker (specific cipher suites by version, internal hostnames, employee laptop fleet specifics).
- Provide root-of-trust cryptographic key material in escrow.
We will explain why in writing. Most procurement teams accept the rationale; if yours does not, please escalate to your security lead and we will engage directly.
How to get the populated spreadsheets
Email compliance@glassbreak.io with:
- Your organisation name and the named procurement contact.
- Whether you want SIG Lite, SIG Core, CAIQ v4, or your own proprietary template (attach the blank).
- Your expected contract value and timeline (so we can prioritise if multiple are in flight).
- Whether an NDA needs to be exchanged first — we have a one-page mutual NDA we can counter-sign within an hour.
We aim to return the populated document within 1 business day for SIG Lite or CAIQ; longer custom templates may take up to 5 business days.
This page is reviewed quarterly and immediately on any material change to our security posture. If you find a statement here that you can disprove, please email security@glassbreak.io — we would rather correct the page than mislead a buyer.