# CAIQ-Lite — VAIF Studio **Version:** 0.1 (self-attestation) **Based on:** Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v4.0 **Last updated:** 2026-04-30 **Prepared by:** VAIF STUDIO LLC **Contact:** security@vaif.studio > **Important:** This document is a self-attestation prepared by VAIF Studio against the public CAIQ-Lite v4.0 framework. It has not yet been validated by an independent third-party assessor. A SOC 2 Type 1 audit is currently underway, with target report issuance in Q3 2026; a SOC 2 Type 2 observation window is planned to begin once Type 1 is issued. Where a control is not yet in place, it is honestly marked **"Not yet implemented"** or **"Planned"** with a target window. --- ## A&A — Audit & Assurance **A&A-01. Are audits performed independently and with a documented methodology?** Partially. SOC 2 Type 1 audit is currently underway with an independent CPA firm (target report Q3 2026). Internal control mapping against the AICPA Trust Service Criteria is maintained continuously. **A&A-02. Are external audit reports made available to customers under NDA?** Yes — once the SOC 2 Type 1 report is issued, it will be made available to Enterprise customers and prospects under NDA on request. **A&A-03. Is a third-party penetration test performed at least annually?** Planned. First third-party penetration test scheduled for Q3 2026. Continuous automated vulnerability scanning is in place today. --- ## CCC — Change Control & Configuration Management **CCC-01. Is there a formal change-management policy for production systems?** Yes. All production changes flow through pull requests with required code review, automated CI tests, and infrastructure-as-code review (Terraform). **CCC-02. Are changes deployed via automated, repeatable pipelines?** Yes. Deploys go through Google Cloud Build with versioned container images and signed deploy artifacts. Migrations run before API deploys (ordering enforced). **CCC-03. Is there separation between development, staging, and production environments?** Yes. Separate GCP projects, separate databases, separate secret stores. --- ## CEK — Cryptography, Encryption & Key Management **CEK-01. Is data encrypted in transit?** Yes. TLS 1.3 enforced on all public endpoints; HSTS enabled. Internal service-to-service traffic runs on private VPC networking with TLS. **CEK-02. Is data encrypted at rest?** Yes. AES-256 at rest via GCP-managed encryption (Cloud SQL, Cloud Storage, Persistent Disks). Customer-managed encryption keys (CMEK) available on the Enterprise tier. **CEK-03. Are keys managed in a dedicated key-management service?** Yes. Google Cloud KMS. Application-level secrets are stored in Google Secret Manager. **CEK-04. Are TLS certificates rotated automatically?** Yes, via Google-managed certificates and Cloudflare edge. --- ## DSP — Data Security & Privacy **DSP-01. Is customer data segregated between tenants?** Yes. Logical multi-tenancy with row-level access enforced at the application layer; tenant isolation tested as part of CI. Dedicated database instances available on the Enterprise tier. **DSP-02. Is customer data ever used to train AI models?** No. Customer data is never used to train VAIF Studio's models or its sub-processors' foundation models. Anthropic and OpenAI inference is configured with zero-retention / no-training enterprise terms. **DSP-03. Are data-deletion requests honored?** Yes. Self-service account deletion plus 30-day SLA on verified data-subject deletion requests under GDPR Art. 17 and CCPA. **DSP-04. Is there a data-classification policy?** Yes — three tiers (public, internal, customer-confidential). Customer data is classified confidential by default. **DSP-05. Is personal data only retained as long as necessary?** Yes. Default retention is the lifetime of the account; logs roll off at 90 days; backups roll off at 30 days. Customers may request earlier deletion. --- ## GRC — Governance, Risk & Compliance **GRC-01. Is there a documented information security policy?** Yes. Reviewed annually and on material change. **GRC-02. Is there a designated security owner?** Yes — security@vaif.studio routes to the named security lead. **GRC-03. Are risk assessments performed?** Yes — annual risk assessment plus event-driven assessments on material architectural change. **GRC-04. Is there a vendor / sub-processor management process?** Yes. All sub-processors are vetted, bound by written DPAs, and listed publicly at https://vaif.studio/sub-processors. 30-day customer notice on additions. --- ## HRS — Human Resources Security **HRS-01. Are background checks performed on personnel with access to customer data?** Yes, where legally permissible. **HRS-02. Do all personnel sign confidentiality / NDA agreements?** Yes, as part of onboarding. **HRS-03. Is security-awareness training mandatory and tracked?** Yes — required at hire and annually thereafter. **HRS-04. Is access revoked immediately upon termination?** Yes — same-day deprovisioning via centralized identity (Google Workspace + GCP IAM). --- ## IAM — Identity & Access Management **IAM-01. Is multi-factor authentication required for staff accessing production?** Yes — MFA enforced on Google Workspace, GCP, GitHub, and any console with production access. Hardware security keys required for break-glass admin roles. **IAM-02. Is the principle of least privilege enforced?** Yes. Production access is role-based, time-bound, and audit-logged. Default access is read-only. **IAM-03. Is access to production reviewed periodically?** Yes — quarterly access review. **IAM-04. Is SSO / SAML available to customers?** Yes — SAML SSO available on Agency, Studio+, and Enterprise tiers. **IAM-05. Is MFA available to customers?** Yes — TOTP and WebAuthn supported on all tiers. --- ## IPY — Interoperability & Portability **IPY-01. Can customers export their data in a standard format?** Yes — self-service export of project data (JSON / SQL) is available from the dashboard. ZIP, Docker, GCP Terraform, AWS Terraform, and GitHub-push exports are also supported. --- ## IVS — Infrastructure & Virtualization Security **IVS-01. Is production infrastructure isolated in private networks?** Yes. Application services run inside a private VPC; no direct public ingress to databases or worker tiers. **IVS-02. Is a Web Application Firewall (WAF) deployed?** Yes — Cloudflare WAF + GCP Cloud Armor. **IVS-03. Is DDoS protection in place?** Yes — Cloudflare and GCP Cloud Armor. **IVS-04. Are containers scanned for vulnerabilities?** Yes — automated image scanning in Artifact Registry plus dependency scanning in CI. --- ## LOG — Logging & Monitoring **LOG-01. Are security-relevant events logged?** Yes — authentication, admin actions, data exports, and infrastructure changes are logged with immutable audit trails. **LOG-02. Are logs retained for a defined period?** Yes — 90-day default retention, configurable for Enterprise customers. **LOG-03. Is there real-time alerting on suspicious activity?** Yes — automated alerting on auth anomalies, error spikes, and infra changes. --- ## SEF — Security Incident Management, E-Discovery & Cloud Forensics **SEF-01. Is there a documented incident-response plan?** Yes. Includes severity classification, on-call rotation, customer-notification SLAs, and post-incident review. **SEF-02. Is there a public security-vulnerability disclosure program?** Yes — security@vaif.studio. Public bug-bounty program planned for Q4 2026. **SEF-03. What is the customer notification SLA for a confirmed breach involving their data?** 72 hours, consistent with GDPR Art. 33 and our DPA. --- ## STA — Supply Chain Management, Transparency & Accountability **STA-01. Is a current sub-processor list published?** Yes — https://vaif.studio/sub-processors **STA-02. Are sub-processor changes communicated in advance?** Yes — 30-day notice for sub-processors handling personal data; customers may object. **STA-03. Are sub-processors bound by DPAs with terms equivalent to those offered to customers?** Yes. --- ## TVM — Threat & Vulnerability Management **TVM-01. Is automated vulnerability scanning in place?** Yes — continuous dependency scanning, container scanning, and SAST in CI. **TVM-02. Is there a defined SLA for patching critical vulnerabilities?** Yes — critical (CVSS 9.0+): 7 days. High: 30 days. Medium: 90 days. **TVM-03. Is there a coordinated-disclosure / responsible-disclosure policy?** Yes — published at https://vaif.studio/security. --- ## BCR — Business Continuity & Operational Resilience **BCR-01. Are backups performed regularly and tested?** Yes. Database point-in-time recovery enabled; full daily backups. Restore drills performed at least annually. **BCR-02. Is there a documented business continuity / disaster recovery plan?** Yes. Current RTO target: 4 hours. Current RPO target: 15 minutes (PITR window). **BCR-03. Is the service deployed in multiple availability zones?** Yes — multi-zone within us-central1. Multi-region active-active is on the Enterprise roadmap. --- ## DCS — Datacenter Security **DCS-01. Where is customer data hosted?** Google Cloud Platform — us-central1 (Iowa, USA). Underlying datacenter physical security is inherited from GCP (SOC 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, FedRAMP High — see Google's compliance reports). **DCS-02. Can customers select a different region?** Regional residency for EU and other regions is on the Enterprise roadmap. --- ## UEM — Universal Endpoint Management **UEM-01. Are employee endpoints managed and encrypted?** Yes — full-disk encryption, endpoint protection, and centralized management on all staff laptops. --- ## Document control | Field | Value | |---|---| | Document owner | security@vaif.studio | | Version | 0.1 (self-attestation) | | Next review | 2026-07-31 (or on material change) | | Validated by external auditor | Not yet — SOC 2 Type 1 in progress | For a verified, audited control attestation, please request our SOC 2 Type 1 report (available Q3 2026) or contact security@vaif.studio for a vendor-review session.