{"standard":"CAIQ-Lite","version":"2026-06-22","domains":[{"domain":"Governance, Risk & Compliance","items":[{"q":"Do you maintain documented information-security policies?","a":"yes","note":"Published security model + security, acceptable-use and privacy policies."},{"q":"Do you hold a SOC 2 Type II attestation?","a":"planned","note":"Controls implemented to the criteria; independent attestation on the roadmap."},{"q":"Are you ISO/IEC 27001 certified?","a":"planned","note":"ISMS mapped to 27001:2022 Annex A; certification planned."},{"q":"Do you review sub-processors and require DPAs?","a":"yes","note":"Sub-processors reviewed; GDPR-compliant DPA in place with each."},{"q":"Do you perform vendor / third-party risk review before onboarding a sub-processor?","a":"yes","note":"Each sub-processor is assessed for data handling, region and DPA terms before use; the list is published here."},{"q":"Do you notify customers of sub-processor changes?","a":"yes","note":"The sub-processor list is published with a subscribe-to-changes option so customers are notified of additions."}]},{"domain":"Identity & Access Management","items":[{"q":"Do you support enterprise SSO (SAML 2.0 / OIDC)?","a":"yes","note":"SAML 2.0 and OIDC federation for partner organisations."},{"q":"Do you support SCIM user provisioning?","a":"yes","note":"SCIM 2.0 (RFC 7644) joiner/mover/leaver with audit trail."},{"q":"Is multi-factor authentication available and enforceable?","a":"yes","note":"MFA with enforcement + step-up (AAL2) for sensitive operations."},{"q":"Do you offer phishing-resistant authentication?","a":"yes","note":"Passkey-first (WebAuthn, user verification)."},{"q":"Is access governed by least-privilege RBAC?","a":"yes","note":"Role-based access; tenant isolation enforced at the database layer."}]},{"domain":"Data Security & Encryption","items":[{"q":"Is data encrypted in transit?","a":"yes","note":"TLS 1.2+ everywhere; HSTS with preload."},{"q":"Is data encrypted at rest?","a":"yes","note":"Database, storage and backups encrypted at rest (AES-256)."},{"q":"Is customer data logically isolated between tenants?","a":"yes","note":"Postgres Row-Level Security across 100+ tables."},{"q":"Is customer data resident in a specific region?","a":"yes","note":"European Union — AWS eu-west-1; no relocation outside the EU."}]},{"domain":"Application & Operational Security","items":[{"q":"Do you rate-limit authentication endpoints?","a":"yes","note":"Atomic, auth-aware, fail-closed limiter (per-account + per-IP)."},{"q":"Do you monitor for anomalous / abusive activity?","a":"yes","note":"Continuous anomaly detection (runs every 5 min) with alerting."},{"q":"Do you have a vulnerability-disclosure policy?","a":"yes","note":"Coordinated-disclosure policy + security.txt (RFC 9116)."},{"q":"Do you run a bug-bounty programme?","a":"planned","note":"A VDP is published; a bounty programme is on the roadmap."},{"q":"Do you commission independent penetration tests?","a":"planned","note":"Internal security reviews today; third-party pen-test on the roadmap."},{"q":"Do you maintain an audit log of security events?","a":"yes","note":"Security-relevant events recorded to an append-only stream."},{"q":"Do you support audit-log / SIEM export?","a":"partial","note":"Append-only audit stream today; records available on request. Self-service SIEM export is on the roadmap."},{"q":"Do you follow a change-management process for production changes?","a":"yes","note":"Changes go through version control and review before release; database changes ship as reviewed migrations."},{"q":"Do you follow a secure software development lifecycle (SDLC)?","a":"partial","note":"Code review, automated checks and dependency hygiene in place; a formally attested SDLC is part of the SOC 2 / ISO roadmap."},{"q":"Do you have a documented incident-response process?","a":"partial","note":"Anomaly alerting and a defined breach-notification SLA are live; a fully documented IR runbook is being formalised alongside the SOC 2 programme."}]},{"domain":"Privacy & Data Rights","items":[{"q":"Do you support GDPR data-subject requests (access, export, erasure)?","a":"yes","note":"Self-service from in-app privacy settings."},{"q":"Is a Data Processing Agreement available?","a":"yes","note":"DPA with SCCs available to every customer."},{"q":"Is customer data deleted on contract termination?","a":"yes","note":"Deletion on request; defined retention windows."},{"q":"Do you provide a data-deletion SLA / defined retention windows?","a":"yes","note":"Deletion honoured on request; each data type has a defined retention window, not indefinite storage."},{"q":"Is your sub-processor list published?","a":"yes","note":"Published on this Trust Center with a subscribe-to-changes option."}]},{"domain":"AI Governance","items":[{"q":"Is customer data used to train your AI models?","a":"no","note":"Never. Customer data is not used to train or fine-tune any AI model."},{"q":"Is there human oversight of AI-assisted decisions?","a":"yes","note":"Club AI is assistive — a human always makes the hiring decision."},{"q":"Are AI model sub-processors disclosed?","a":"yes","note":"Named in the sub-processor table with region and data terms."},{"q":"Do you address EU AI Act obligations for hiring AI?","a":"yes","note":"Built for transparency and human oversight, and to guard against adverse impact (high-risk class)."}]},{"domain":"Resilience & Continuity","items":[{"q":"Do you maintain encrypted backups?","a":"yes","note":"Backups encrypted at rest."},{"q":"Do you have a defined breach-notification SLA?","a":"yes","note":"Within 72 hours of awareness (GDPR Art. 33/34)."},{"q":"Do you publish a real-time status page?","a":"yes","note":"status.thequantumclub.com — live component health + historical uptime."}]}]}