{
  "metadata": {
    "framework": "CAIQ-Lite",
    "version": "v4.0.3",
    "publisher": "Cloud Security Alliance",
    "language": "en",
    "respondent": "Claresia S.r.l.",
    "respondent_contact": "security@claresia.com, dpo@claresia.com",
    "as_of": "2026-04-27",
    "status": "DRAFT — Pending Italian outside-counsel legal review and ISO 27001:2022 certification (target Q3 2026). Answers reflect actual control posture as of the as_of date: where a control is not yet live the answer says so and its status is 'planned'. NOTE(review): the control-area codes below follow CCM v3.0.1 domain naming (AAC, DSI, EKM, GRM, MOS) while the declared framework version is v4.0.3, whose corresponding domains are A&A, DSP, CEK, GRC and UEM — reconcile the mapping before external release; IPV is a Claresia-specific addition, not a CSA domain.",
    "deployment_modes_referenced": ["Mode A (Shared SaaS)", "Mode B (Dedicated Cloud)", "Mode C (BYOC)"],
    "evidence_base_url": "https://claresia-trust.netlify.app"
  },
  "control_areas": [
    {
      "code": "AAC",
      "name": "Audit Assurance & Compliance"
    },
    { "code": "AIS", "name": "Application & Interface Security" },
    { "code": "BCR", "name": "Business Continuity Mgmt & Op Resilience" },
    { "code": "CCC", "name": "Change Control & Configuration Mgmt" },
    { "code": "DCS", "name": "Datacenter Security" },
    { "code": "DSI", "name": "Data Security & Information Lifecycle Mgmt" },
    { "code": "EKM", "name": "Encryption & Key Mgmt" },
    { "code": "GRM", "name": "Governance & Risk Mgmt" },
    { "code": "HRS", "name": "Human Resources Security" },
    { "code": "IAM", "name": "Identity & Access Mgmt" },
    { "code": "IPY", "name": "Interoperability & Portability" },
    { "code": "IVS", "name": "Infrastructure & Virtualization" },
    { "code": "MOS", "name": "Mobile Security" },
    { "code": "SEF", "name": "Security Incident Mgmt, E-Discovery & Cloud Forensics" },
    { "code": "STA", "name": "Supply Chain Mgmt, Transparency & Accountability" },
    { "code": "TVM", "name": "Threat & Vulnerability Mgmt" },
    { "code": "IPV", "name": "Interface & Privacy Validation (Claresia-specific domain; not part of the CSA CCM)" }
  ],
  "questions": [
    {
      "id": "AAC-01.1",
      "control_area": "AAC",
      "question": "Do you produce audit assertions using a structured, industry-accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?",
      "claresia_answer": "Partial — Claresia uses ISO 27001:2022 control mapping internally and publishes the Trust Center sub-processor list and SCUDO governance audit chain (cryptographic SHA-256 Merkle-style chain of every privileged action). External audit attestation in CSA STAR / SOC 2 format is planned for Q1 2027 after SOC 2 Type 1 (Q2 2026) and ISO 27001 (Q3 2026).",
      "evidence_link": "https://claresia-trust.netlify.app/certifications",
      "notes": "Audit chain is open-format JSON; customers can verify it offline with the MIT-licensed Claresia verify-chain CLI. Caveat: offline verification proves the chain is internally consistent (no entry can be altered without breaking every subsequent hash); it cannot by itself detect wholesale regeneration of the chain by the operator unless the chain head is anchored externally (e.g., periodically published or signed and delivered to the customer) — state whether such anchoring exists.",
      "status": "planned"
    },
    {
      "id": "AAC-02.1",
      "control_area": "AAC",
      "question": "Do you allow tenants to view your SOC 2 / ISO 27001 / similar third-party audit or certification reports?",
      "claresia_answer": "Planned Q3 2026 with ISO 27001:2022 certification and Q1 2027 with SOC 2 Type 2 report. Tenants will receive reports under NDA via Trust Center authenticated download. Today the Trust Center publishes the in-flight audit roadmap.",
      "evidence_link": "https://claresia-trust.netlify.app/certifications",
      "status": "planned"
    },
    {
      "id": "AIS-01.1",
      "control_area": "AIS",
      "question": "Do you use industry standards (e.g., OWASP for web apps, NIST SSDF, BSIMM) to build in security for your SDLC?",
      "claresia_answer": "Yes — OWASP ASVS L2, OWASP Top 10 mitigations and NIST SP 800-218 (SSDF) practices are applied. Every PR requires peer review; CI runs SAST (CodeQL), SCA (Dependabot / Snyk, as listed under TVM-01.1) and secret scanning (TruffleHog). High-risk skill IRs require two-person sign-off (SCUDO Pillar O — Operatori verificati).",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "AIS-02.1",
      "control_area": "AIS",
      "question": "Are all identified security, contractual and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets and information systems?",
      "claresia_answer": "Yes — provisioning requires (1) signed MSA + DPA, (2) WorkOS SSO configured with MFA enforced via the customer IdP, (3) Onboarding Portal walkthrough completion, (4) per-tenant restricted-topics policy reviewed. No customer access is granted until all four steps are complete. Note: step (2) depends on the WorkOS SSO/MFA integration, which IAM-01.1 and IAM-02.1 record as planned rather than live; until it ships this gate should be read as a process requirement rather than a technically enforced one.",
      "evidence_link": "https://claresia-trust.netlify.app/dpa",
      "status": "active"
    },
    {
      "id": "BCR-01.1",
      "control_area": "BCR",
      "question": "Do you provide tenants with geographically resilient hosting options?",
      "claresia_answer": "Planned Q3 2026 with Mode B GA — eu-south-1 (Milano) primary + eu-central-1 (Frankfurt) failover for EU/Italian tenants; AWS / Azure / GCP first-class in EU regions. Mode C (BYOC) supports any customer-elected EU region. Today the platform is scaffold-grade.",
      "evidence_link": "https://claresia-trust.netlify.app/architecture",
      "status": "planned"
    },
    {
      "id": "BCR-02.1",
      "control_area": "BCR",
      "question": "Are business continuity plans subject to test at planned intervals or upon significant organizational or environmental changes to ensure continued effectiveness?",
      "claresia_answer": "Planned — quarterly DR drills will commence with Mode B GA (Q3 2026). Today, the BC plan is documented in the Architecture v1 spec but has not yet been exercised at scale (pre-customer state).",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "CCC-01.1",
      "control_area": "CCC",
      "question": "Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?",
      "claresia_answer": "Yes — every architectural change is captured in the Claresia roadmap JSON (claresia-roadmap-data.json) with explicit owner, dependencies, and acceptance criteria. New sub-processors require security review + DPA execution before activation.",
      "evidence_link": "https://claresia-trust.netlify.app/sub-processors",
      "status": "active"
    },
    {
      "id": "CCC-03.1",
      "control_area": "CCC",
      "question": "Do you provide tenants with documentation that describes your quality assurance process?",
      "claresia_answer": "Yes (interim) — the Documentation site was planned for Q1 2026 and, as of the as_of date (2026-04-27), that target has passed; today the Architecture v1 markdown serves as the QA/SDLC reference available to tenants. All releases are gated on green CI (unit + integration tests, SAST, SCA, secret scan).",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "DCS-01.1",
      "control_area": "DCS",
      "question": "Is physical access to information assets and functions monitored, logged, and restricted?",
      "claresia_answer": "Yes — by sub-processor. AWS, Azure and GCP physical security is ISO 27001 + SOC 2 + ISO 27017 certified. Claresia personnel never have physical access to underlying data-center hardware; office access is badge-controlled. In Mode C (BYOC) the physical security of the hosting environment is that of the customer's own cloud account and provider.",
      "evidence_link": "https://claresia-trust.netlify.app/sub-processors",
      "status": "active"
    },
    {
      "id": "DSI-01.1",
      "control_area": "DSI",
      "question": "Do you classify customer data based on its sensitivity?",
      "claresia_answer": "Yes — three tiers: Public, Confidential (default for all Customer Data), Restricted (PII, secrets, audit chain). Restricted-topics policy per tenant applies additional classification (codice fiscale exposure, biometric inference, fully-automated employment decisions per Garante 2024 ruling).",
      "evidence_link": "https://claresia-trust.netlify.app/dpa",
      "status": "active"
    },
    {
      "id": "DSI-02.1",
      "control_area": "DSI",
      "question": "Do you have a capability to recover data for a specific customer in the case of a failure or data loss?",
      "claresia_answer": "Planned Q3 2026 with Mode B GA — point-in-time recovery (PITR) within 7 days; per-tenant restore. Today, scaffold-grade only.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "DSI-03.1",
      "control_area": "DSI",
      "question": "Are policies and procedures established and mechanisms implemented to prevent data leakage?",
      "claresia_answer": "Yes — SCUDO Pillar D (Dati controllati): every LLM call routes through the cc-073 LLM Gateway with PII redaction (Microsoft Presidio + custom NER), per-tenant model allowlist, region pinning, hard quota / cost cap and full audit logging. Customer data is never used to train a third-party model (the sub-processor DPA terms that bind this should be cited in the evidence). Scope note: this answer covers the LLM egress path; NER-based redaction is best-effort rather than a guarantee, so the per-tenant restricted-topics policy and the audit log are the compensating controls. Device-side leakage is addressed under MOS-01.1 and bulk export channels under IPY-01.1.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "EKM-01.1",
      "control_area": "EKM",
      "question": "Do you have key management policies binding keys to identifiable owners?",
      "claresia_answer": "Planned — with Mode B/C GA, every encryption key will be bound to a tenant and a named owner (customer DPO + IT admin) using Customer-Managed Encryption Keys (CMEK) in AWS KMS / Azure Key Vault / GCP KMS, customer-rotatable. Today (Mode A) keys are platform-managed envelope keys per tenant_id (see EKM-02.1), owned on the Claresia side; the policy binding those keys to a named Claresia owner should be referenced here.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "EKM-02.1",
      "control_area": "EKM",
      "question": "Do you have a capability to allow creation of unique encryption keys per tenant?",
      "claresia_answer": "Planned Q3 2026 — CMEK per tenant with Mode B GA. Mode A uses a shared, RLS-isolated tenancy with platform-managed key (envelope encryption per tenant_id).",
      "evidence_link": "https://claresia-trust.netlify.app/architecture",
      "status": "planned"
    },
    {
      "id": "EKM-03.1",
      "control_area": "EKM",
      "question": "Do you encrypt tenant data at rest (on disk/storage)?",
      "claresia_answer": "Yes — AES-256 at rest for all customer-data backing stores (Postgres, object storage, ClickHouse, secrets vaults); TLS 1.3 in transit. The evidence should state which layer provides the at-rest encryption (cloud-provider storage encryption vs. the per-tenant_id application-level envelope encryption described in EKM-02.1) and the minimum TLS version accepted on public endpoints, since those determine whether a provider-side compromise or a downgraded client is covered.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "GRM-01.1",
      "control_area": "GRM",
      "question": "Do you have a documented information security and privacy policy that has been communicated and is enforced?",
      "claresia_answer": "Yes — SCUDO Framework (cc-aware-governance/framework.md) is the canonical security and privacy framework, published in EN + IT, mapped to GDPR + EU AI Act + NIS2 + ISO 42001 + Garante. Internally enforced via runtime gates at the cc-073 Gateway and cc-061 Roster Engine.",
      "evidence_link": "https://claresia-trust.netlify.app/architecture",
      "status": "active"
    },
    {
      "id": "GRM-02.1",
      "control_area": "GRM",
      "question": "Do risk assessments consider the likelihood and impact for all identified risks?",
      "claresia_answer": "Yes — annual enterprise risk assessment (sub-processor risk, cloud-region risk, regulatory risk) with quantified likelihood × impact scoring. Tracked in internal risk register, reviewed quarterly by leadership.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "HRS-01.1",
      "control_area": "HRS",
      "question": "Do you ensure background screening of all candidates with access to tenant data?",
      "claresia_answer": "Yes — all employees and contractors with production-data access undergo background checks (criminal record, education verification, employment verification) consistent with EU labor law (Italian Statuto dei Lavoratori art. 8 prohibitions respected).",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "HRS-02.1",
      "control_area": "HRS",
      "question": "Do you provide security awareness training to your employees?",
      "claresia_answer": "Yes — onboarding + annual security training including GDPR, social engineering, secret handling, secure development, AI-specific risks (prompt injection, data exfiltration via LLM), Garante provvedimenti updates.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "IAM-01.1",
      "control_area": "IAM",
      "question": "Do you have a multi-factor authentication option for customer users?",
      "claresia_answer": "Planned — MFA will be enforced through the customer IdP via WorkOS SSO; hardware security keys (FIDO2/WebAuthn) are supported where the IdP supports them. SCUDO Pillar O (Operatori verificati): no anonymous action permitted. Note: because MFA is delegated to the customer IdP, Claresia does not itself hold a second factor; whether the platform verifies an MFA assertion from the IdP (e.g., an AMR/ACR claim) or relies on the customer's IdP policy alone should be stated in the evidence.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "IAM-02.1",
      "control_area": "IAM",
      "question": "Do you support identity federation (SAML, OIDC, etc.)?",
      "claresia_answer": "Planned — SAML 2.0 and OpenID Connect via WorkOS, compatible with Okta, Microsoft Entra ID (Azure AD), Google Workspace, JumpCloud, OneLogin, PingFederate, Auth0 and any standards-compliant OIDC provider. SCIM 2.0 for provisioning and deprovisioning on identity removal; the evidence should state whether deprovisioning also revokes active sessions and API tokens, since SCIM user deletion does not by itself invalidate existing sessions unless the service provider implements that.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "IAM-03.1",
      "control_area": "IAM",
      "question": "Do you support fine-grained, role-based access control for customer admins?",
      "claresia_answer": "Planned — cc-059 Command Center will support per-tenant RBAC (Owner / Admin / Operator / Auditor / Viewer roles) with default-deny and least-privilege; custom roles available in Mode B/C.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "IPY-01.1",
      "control_area": "IPY",
      "question": "Do you publish documented APIs to allow tenants to import/export data?",
      "claresia_answer": "Yes — every Hub record (cc-050) is exportable as canonical JSON via the Hub API. Skill IRs are versioned YAML. cc-061 Roster export available in CSV. Data portability honored per Article 20 GDPR.",
      "evidence_link": "https://claresia-trust.netlify.app/architecture",
      "status": "active"
    },
    {
      "id": "IPY-02.1",
      "control_area": "IPY",
      "question": "Do you make available a process for tenants to change their data location?",
      "claresia_answer": "Planned — Mode B/C customers can request region change; Claresia performs cross-region migration with tenant-coordinated maintenance window. Standard regions: eu-south-1, eu-central-1, eu-west-1, italynorth (Azure), europe-west8 (GCP).",
      "evidence_link": "https://claresia-trust.netlify.app/architecture",
      "status": "planned"
    },
    {
      "id": "IVS-01.1",
      "control_area": "IVS",
      "question": "Are you logging file integrity (host) and network intrusions (IDS/IPS)?",
      "claresia_answer": "Planned / partial — by sub-processor: AWS GuardDuty / Microsoft Defender for Cloud / GCP Security Command Center are to be enabled in all production accounts, with Cloudflare WAF in front of public surfaces; internal logs will stream to a centralised observability tenant (Datadog EU, planned Q2 2026). Gap to state explicitly: these services cover cloud control-plane and network threat detection, not host file-integrity monitoring; the FIM control (or the rationale for not needing one, e.g. immutable container images) should be named here.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "planned"
    },
    {
      "id": "MOS-01.1",
      "control_area": "MOS",
      "question": "Do you have a documented mobile-device security policy (MDM, etc.)?",
      "claresia_answer": "Yes — all corporate devices enrolled in Jamf (macOS) / Intune (Windows). Disk encryption mandatory. Remote wipe enabled. No customer-data caching on personal devices (BYOD prohibited for production access).",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "SEF-01.1",
      "control_area": "SEF",
      "question": "Do you have a documented security incident response plan?",
      "claresia_answer": "Yes — the incident response plan covers detection, triage (severity 1-4), containment, eradication, recovery and post-mortem. As processor, Claresia notifies the customer (controller) of a personal-data breach without undue delay per GDPR Art. 33(2), with a contractual 72-hour commitment in DPA Art. 11; note that a processor commitment using the full 72 hours leaves the controller no margin for its own Art. 33(1) deadline, so a shorter internal target is advisable. Cooperation with Garante notifications per D.Lgs. 196/2003.",
      "evidence_link": "https://claresia-trust.netlify.app/incidents",
      "status": "active"
    },
    {
      "id": "SEF-02.1",
      "control_area": "SEF",
      "question": "Do you maintain liaison with appropriate security forums and regulators?",
      "claresia_answer": "Yes — member of Cloud Security Alliance, ENISA stakeholder relations, ACN Italian National Cybersecurity Agency contact register, Garante DPO directory. Subscribed to CERT-AGID, CSIRT-IT, ANSSI, BSI, CISA advisories.",
      "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper",
      "status": "active"
    },
    {
      "id": "STA-01.1",
      "control_area": "STA",
      "question": "Do you maintain a formal vendor risk management program?",
      "claresia_answer": "Yes — every sub-processor undergoes (a) DPA review, (b) security questionnaire (CAIQ-Lite or equivalent), (c) certification verification (SOC 2 / ISO 27001), (d) annual reassessment. Public sub-processor list maintained.",
      "evidence_link": "https://claresia-trust.netlify.app/sub-processors",
      "status": "active"
    },
    {
      "id": "STA-02.1",
      "control_area": "STA",
      "question": "Do you provide tenants with notice of changes to your sub-processor list?",
      "claresia_answer": "Yes — 30-day prior notice via Trust Center subscription, in-app banner, and DPA contact email. Customer right to object per DPA Art. 8.",
      "evidence_link": "https://claresia-trust.netlify.app/dpa",
      "status": "active"
    },
    {
      "id": "TVM-01.1",
      "control_area": "TVM",
      "question": "Do you have a vulnerability management program (scanning, patching)?",
      "claresia_answer": "Yes — continuous SCA via Dependabot / Snyk; container scanning via Trivy; cloud configuration scanning via Prowler / Checkov. Critical CVEs patched within 24h, High within 7d, Medium within 30d. Annual third-party penetration test (planned Q2 2026 with Cure53 / NCC Group EU).",
      "evidence_link": "https://claresia-trust.netlify.app/pen-test",
      "status": "active"
    },
    {
      "id": "TVM-02.1",
      "control_area": "TVM",
      "question": "Do you operate a bug bounty or coordinated vulnerability disclosure program?",
      "claresia_answer": "Planned Q3 2026 — HackerOne EU or Intigriti. Today: coordinated vulnerability disclosure via security@claresia.com with a 90-day disclosure window (ISO/IEC 29147 gives disclosure guidance but prescribes no fixed window; 90 days is the common industry default). The evidence should confirm a published security.txt and PGP key so reporters can locate and encrypt to the mailbox.",
      "evidence_link": "https://claresia-trust.netlify.app/bug-bounty",
      "status": "planned"
    },
    {
      "id": "IPV-01.1",
      "control_area": "IPV",
      "question": "Do you provide a privacy notice consistent with GDPR Articles 13–14?",
      "claresia_answer": "Yes — privacy notice published at claresia.com/privacy in EN + IT. Article 13/14 disclosures cover data categories, purposes, legal basis, retention, recipients, third-country transfers, data-subject rights, DPO contact (dpo@claresia.com).",
      "evidence_link": "https://claresia-trust.netlify.app/dpa",
      "status": "active"
    }
  ]
}
