{
  "metadata": {
    "framework": "SIG-Lite",
    "version": "2026.1",
    "publisher": "Shared Assessments",
    "language": "en",
    "respondent": "Claresia S.r.l.",
    "respondent_contact": "security@claresia.com, dpo@claresia.com",
    "as_of": "2026-04-27",
    "status": "DRAFT — 60 of ~140 SIG-Lite questions pre-filled, mapped to GDPR + ISO 27001:2022 + EU NIS2. Honest answers reflect actual control posture; 'Planned Q* 2026' answers (status 'planned') indicate controls under construction rather than controls in operation.",
    "evidence_base_url": "https://claresia-trust.netlify.app",
    "scoping_note": "60 questions selected to cover the controls most often required by EU enterprise procurement: A (Risk Assessment), B (Security Policy), C (Org Security), D (Asset Mgmt), E (HR Security), F (Physical Security), G (Ops Security), H (Access Ctl), I (Crypto), J (Application Security), K (Incident Mgmt), L (BC/DR), M (Compliance), N (Privacy), O (Cloud), P (Mobile)."
  },
  "questions": [
    {"id": "A.1", "domain": "Risk Assessment", "question": "Is a formal information security risk assessment process established and maintained?", "claresia_answer": "Yes — annual enterprise risk assessment + per-change risk review for new sub-processors and architectural changes. Risk register reviewed quarterly by leadership.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "A.2", "domain": "Risk Assessment", "question": "Are AI-specific risks (model abuse, prompt injection, data exfiltration via LLM) included in the risk register?", "claresia_answer": "Yes — SCUDO Pillar D (Dati controllati) catalogs AI-specific egress risks; SCUDO Pillar S (Scansione) catalogs prompt-injection and unsafe-action risks. Mitigations enforced at runtime via cc-073 LLM Gateway.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "A.3", "domain": "Risk Assessment", "question": "Are third-party / sub-processor risks formally tracked?", "claresia_answer": "Yes — every sub-processor on the public list (https://claresia-trust.netlify.app/sub-processors) carries category, region, data categories, contract status, last review date.", "evidence_link": "https://claresia-trust.netlify.app/sub-processors", "status": "active"},
    {"id": "B.1", "domain": "Security Policy", "question": "Is there a documented information security policy approved by management?", "claresia_answer": "Yes — SCUDO Framework v1.0 (cc-aware-governance/framework.md) approved by Claresia leadership. Reviewed annually; version-controlled in Git.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "B.2", "domain": "Security Policy", "question": "Is the policy communicated to all employees and contractors?", "claresia_answer": "Yes — onboarding training mandatory, annual refresher, policy updates announced via internal Slack + signed acknowledgement.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "B.3", "domain": "Security Policy", "question": "Is the policy reviewed at planned intervals or upon significant changes?", "claresia_answer": "Yes — annual review + ad-hoc review on (a) new regulation (e.g., NIS2 transposition, EU AI Act phase application), (b) major architecture change, (c) security incident.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "C.1", "domain": "Organisational Security", "question": "Is a CISO or equivalent role formally designated?", "claresia_answer": "Partial — security responsibilities are held by the founding CTO with DPO support. Dedicated CISO hire planned Q3 2026 ahead of ISO 27001 audit.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "C.2", "domain": "Organisational Security", "question": "Is a Data Protection Officer (DPO) designated where required by GDPR?", "claresia_answer": "Yes — dpo@claresia.com, registered in the Garante DPO directory. The DPO is independent of the engineering reporting line.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "C.3", "domain": "Organisational Security", "question": "Are security roles and responsibilities documented in role descriptions?", "claresia_answer": "Yes — every job description includes the relevant security responsibilities; production-data-access roles include explicit confidentiality + secure-handling clauses.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "D.1", "domain": "Asset Management", "question": "Is an inventory of assets (hardware, software, data) maintained?", "claresia_answer": "Yes — software bill of materials (SBOM) generated per release; hardware inventory in Jamf/Intune; data inventory in the Hub canonical schema (cc-050).", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "D.2", "domain": "Asset Management", "question": "Are data assets classified per sensitivity?", "claresia_answer": "Yes — Public / Confidential / Restricted. Restricted-topics policy adds tenant-specific classification (codice fiscale, biometric inference, automated employment decisions per Garante 2024).", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "D.3", "domain": "Asset Management", "question": "Are acceptable-use policies in place for endpoints and data?", "claresia_answer": "Yes — Acceptable Use Policy signed at onboarding; covers endpoint configuration, GenAI use, secret handling, and a ban on installing third-party software on production-access devices.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "E.1", "domain": "HR Security", "question": "Are background checks conducted for personnel with access to sensitive data?", "claresia_answer": "Yes — criminal-record check, employment verification and education verification, within the limits of Italian Statuto dei Lavoratori art. 8 (no political, religious or union screening).", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "E.2", "domain": "HR Security", "question": "Are confidentiality / NDA obligations included in employment contracts?", "claresia_answer": "Yes — NDA + IP assignment in every employment + contractor contract, governed by Italian law for IT-resident personnel.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "E.3", "domain": "HR Security", "question": "Is access revoked promptly upon termination?", "claresia_answer": "Yes — SCIM 2.0 deprovisioning is immediate on IdP removal; manual override via Owner role; audit-logged. Off-boarding checklist completes within 4 business hours.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "E.4", "domain": "HR Security", "question": "Is annual security awareness training mandatory?", "claresia_answer": "Yes — covers phishing, GDPR, secret handling, AI-specific risks (prompt injection, data exfiltration), Garante updates.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "F.1", "domain": "Physical Security", "question": "Are physical access controls in place at processing facilities?", "claresia_answer": "Yes — by sub-processor (AWS, Azure, GCP — ISO 27001 / SOC 2 / ISO 27017 certified). Claresia office: badge access, CCTV, visitor sign-in.", "evidence_link": "https://claresia-trust.netlify.app/sub-processors", "status": "active"},
    {"id": "F.2", "domain": "Physical Security", "question": "Are environmental controls (fire, flood, power) in place?", "claresia_answer": "Yes — handled by cloud sub-processors at the data-center layer.", "evidence_link": "https://claresia-trust.netlify.app/sub-processors", "status": "active"},
    {"id": "G.1", "domain": "Operations Security", "question": "Are change management procedures documented and enforced?", "claresia_answer": "Yes — every change via PR + peer review + green CI. Production deployment via approved CI/CD pipeline; manual production access requires just-in-time elevation.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "G.2", "domain": "Operations Security", "question": "Is malware protection deployed on endpoints and servers?", "claresia_answer": "Yes — endpoint protection on all corporate devices via Jamf/Intune managed XDR; container images scanned with Trivy in CI; runtime protection planned Q3 2026 with Mode B GA.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "G.3", "domain": "Operations Security", "question": "Are backup procedures established and tested?", "claresia_answer": "Planned Q3 2026 with Mode B GA — daily encrypted backups, 90-day rolling retention, cross-region replication, quarterly restore drills. Today: scaffold-grade only.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "G.4", "domain": "Operations Security", "question": "Are logs retained per applicable law?", "claresia_answer": "Yes — SCUDO audit chain retained 7 years per EU AI Act Art. 12. Telemetry retained 13 months default. Access logs retained 12 months. Per-tenant retention configurable in Mode B/C.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "G.5", "domain": "Operations Security", "question": "Is time synchronisation enforced on all systems?", "claresia_answer": "Yes — NTP from cloud-provider time sources (AWS Time Sync Service / Azure Time / GCP). Audit chain timestamps are UTC.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "H.1", "domain": "Access Control", "question": "Is access granted on least-privilege basis?", "claresia_answer": "Yes — RBAC with default-deny; Owner / Admin / Operator / Auditor / Viewer roles. Production access requires just-in-time elevation with peer approval.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "H.2", "domain": "Access Control", "question": "Are accesses reviewed periodically?", "claresia_answer": "Yes — monthly review of privileged accesses; quarterly review of all accesses; deprovisioning evidence retained.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "H.3", "domain": "Access Control", "question": "Is MFA enforced for privileged accounts?", "claresia_answer": "Yes — MFA enforced via WorkOS + customer IdP. Hardware tokens (FIDO2) supported. SCUDO Pillar O — no anonymous action permitted.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "H.4", "domain": "Access Control", "question": "Is privileged access activity logged and reviewed?", "claresia_answer": "Yes — every privileged action emits a governance_event in the SCUDO audit chain (SHA-256 Merkle-style). Customers can stream the chain to their SIEM in real time.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "H.5", "domain": "Access Control", "question": "Are shared / generic accounts prohibited?", "claresia_answer": "Yes — every access is bound to an individual identity via SSO. Service accounts are bound to a named owner and audit-logged.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "I.1", "domain": "Cryptography", "question": "Is data encrypted at rest using industry-standard algorithms?", "claresia_answer": "Yes — AES-256 at rest, AES-256-GCM where applicable. All Customer-Data backing stores encrypted.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "I.2", "domain": "Cryptography", "question": "Is data encrypted in transit using TLS 1.2 or higher?", "claresia_answer": "Yes — TLS 1.3 enforced; TLS 1.2 accepted only for legacy clients, and only with strong cipher suites. HSTS enforced on all public surfaces.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "I.3", "domain": "Cryptography", "question": "Are cryptographic keys managed in a secure key-management system?", "claresia_answer": "Yes — AWS KMS / Azure Key Vault / GCP KMS depending on tenant deployment region. CMEK customer-rotatable in Mode B/C.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "I.4", "domain": "Cryptography", "question": "Is a key rotation policy documented and enforced?", "claresia_answer": "Yes — automated annual rotation for platform keys; on-demand rotation for CMEK initiated by customer; immediate rotation on suspected compromise.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "J.1", "domain": "Application Security", "question": "Is a secure SDLC followed (OWASP, NIST SSDF)?", "claresia_answer": "Yes — peer review on every PR, SAST (CodeQL), SCA (Dependabot), secret scan (TruffleHog), container scan (Trivy). High-risk changes require two-person sign-off.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "J.2", "domain": "Application Security", "question": "Are penetration tests conducted at least annually?", "claresia_answer": "Planned Q2 2026 — engagement with Cure53 / NCC Group EU. Today: scaffold-grade pre-customer.", "evidence_link": "https://claresia-trust.netlify.app/pen-test", "status": "planned"},
    {"id": "J.3", "domain": "Application Security", "question": "Is a vulnerability disclosure programme in place?", "claresia_answer": "Yes — security@claresia.com with 90-day disclosure window per ISO/IEC 29147. Bug bounty (HackerOne EU / Intigriti) planned Q3 2026.", "evidence_link": "https://claresia-trust.netlify.app/bug-bounty", "status": "planned"},
    {"id": "J.4", "domain": "Application Security", "question": "Is API authentication enforced via tokens or signed requests?", "claresia_answer": "Yes — OAuth 2.0 + mTLS for service-to-service; per-customer API keys stored in the customer's KMS, rotatable. Rate limiting and quotas enforced per tenant.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "J.5", "domain": "Application Security", "question": "Are inputs validated and outputs encoded against injection attacks?", "claresia_answer": "Yes — input validation at API boundary; output encoding in UI; CSP headers enforced. AI-specific: SCUDO Pillar S (Scansione) pre-execution scan + cc-073 Gateway PII redaction.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "J.6", "domain": "Application Security", "question": "Are dependencies maintained current with known CVE remediation timelines?", "claresia_answer": "Yes — remediation SLA by severity: Critical 24h, High 7d, Medium 30d, Low 90d (internal vulnerability SLA).", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "K.1", "domain": "Incident Management", "question": "Is an incident response plan documented?", "claresia_answer": "Yes — incident-response.md covers detection (SLO burn-rate alerts, customer report, threat intel), triage (severity 1-4), containment, eradication, recovery, post-mortem.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "active"},
    {"id": "K.2", "domain": "Incident Management", "question": "Are incident notifications delivered within 72 hours per GDPR?", "claresia_answer": "Yes — DPA Art. 11 commits to 72h notification of a Personal Data Breach. Italian Garante notification cooperation per D.Lgs. 196/2003.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "K.3", "domain": "Incident Management", "question": "Are incident lessons-learned tracked and acted upon?", "claresia_answer": "Yes — every Sev-1/Sev-2 incident triggers a blameless post-mortem within 5 business days; action items tracked to closure in the engineering backlog; aggregate metrics published in the Trust Center quarterly.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "active"},
    {"id": "K.4", "domain": "Incident Management", "question": "Is a status page operated for production incidents?", "claresia_answer": "Yes — status.claresia.com (planned subscriber backend Q1 2026 via Atlassian Statuspage / Better Stack). Today: driven by live pings; no subscriber list yet.", "evidence_link": "https://claresia-trust.netlify.app/incidents", "status": "planned"},
    {"id": "L.1", "domain": "Business Continuity", "question": "Is a business continuity plan (BCP) documented?", "claresia_answer": "Yes — documented in Architecture v1; quarterly DR drills planned Q3 2026 with Mode B GA.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "L.2", "domain": "Business Continuity", "question": "Are RTO and RPO targets documented per service tier?", "claresia_answer": "Yes — Mode B: RPO ≤ 1h, RTO ≤ 4h. Mode A: RPO ≤ 4h, RTO ≤ 8h. Mode C: customer-defined per Terraform module.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "L.3", "domain": "Business Continuity", "question": "Are BCP / DR plans tested at planned intervals?", "claresia_answer": "Quarterly DR drills planned Q3 2026 with Mode B GA. Today: scaffold-grade only.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "M.1", "domain": "Compliance", "question": "Is a compliance management programme in place?", "claresia_answer": "Yes — SCUDO framework maps to GDPR, EU AI Act, NIS2 (D.Lgs. 138/2024), Italian Garante provvedimenti, ISO 27001:2022, ISO 42001:2023. Vanta / Drata continuous compliance planned Q1 2026.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "active"},
    {"id": "M.2", "domain": "Compliance", "question": "Are intellectual property rights protected (licenses, attribution)?", "claresia_answer": "Yes — every dependency license recorded in SBOM; license compatibility checked in CI; copyright notices preserved in source.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "M.3", "domain": "Compliance", "question": "Is GDPR compliance documented (DPA, ROPA, DPIA support)?", "claresia_answer": "Yes — DPA published, ROPA maintained, DPIA support per DPA Art. 10. Italian-specific Statuto dei Lavoratori art. 4 addendum included (DPA Art. 16.1).", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "M.4", "domain": "Compliance", "question": "Is EU AI Act compliance addressed?", "claresia_answer": "Partial — SCUDO Pillar U (Uso conforme) implements Article 50 transparency stamp + Article 11/Annex IV technical documentation auto-generation. Full conformance programme targeted to be operational in Q3 2026.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "M.5", "domain": "Compliance", "question": "Is NIS2 compliance addressed for customers in scope?", "claresia_answer": "Yes — NIS2 vendor due-diligence pack available (this document set). Italian transposition (D.Lgs. 138/2024) covered. Article 21 controls mapped to SCUDO pillars; Article 23 incident-reporting cooperation in DPA Art. 11.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "M.6", "domain": "Compliance", "question": "Is DORA compliance addressed for financial-services customers?", "claresia_answer": "Planned Q3 2026 — DORA readiness pack to be released when first financial-services customer signs. Audit chain already supports DORA Art. 11-12 incident timeline.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"},
    {"id": "N.1", "domain": "Privacy", "question": "Is a privacy programme documented and managed by a DPO?", "claresia_answer": "Yes — DPO designated, registered with Garante, privacy programme documented in DPA + SCUDO framework.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "N.2", "domain": "Privacy", "question": "Are data-subject rights (access, rectification, erasure, portability) supported?", "claresia_answer": "Yes — DPA Art. 9; self-service tooling in cc-059 Command Center.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "N.3", "domain": "Privacy", "question": "Are cross-border data transfers protected via SCC + supplementary measures (Schrems II)?", "claresia_answer": "Yes — SCC Module 2 + Module 3 + UK IDTA in DPA Annex IV. TIA documented per third-country sub-processor. SCUDO Pillar D enforces region pinning.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "N.4", "domain": "Privacy", "question": "Is employee monitoring compliant with applicable labour law?", "claresia_answer": "Yes — DPA Art. 16.1 explicitly addresses Italian Statuto dei Lavoratori art. 4 with a Telemetry Suppression mode for cohort-only metrics.", "evidence_link": "https://claresia-trust.netlify.app/dpa", "status": "active"},
    {"id": "O.1", "domain": "Cloud Security", "question": "Are tenants logically isolated?", "claresia_answer": "Yes — Mode A: Postgres RLS keyed to app.tenant_id + per-tenant object-storage prefix. Mode B/C: dedicated Postgres + dedicated KMS key per tenant.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "O.2", "domain": "Cloud Security", "question": "Are cloud-region options offered to customers?", "claresia_answer": "Yes — eu-south-1 (Milano) default, eu-central-1 (Frankfurt), eu-west-1 (Ireland), italynorth (Azure), europe-west8 (GCP). No data leaves the EEA without a DPA addendum + customer sign-off.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "O.3", "domain": "Cloud Security", "question": "Are private network endpoints supported?", "claresia_answer": "Planned — AWS PrivateLink / Azure Private Link / GCP Private Service Connect with Mode B/C. Today: scaffold-grade only.", "evidence_link": "https://claresia-trust.netlify.app/architecture", "status": "planned"},
    {"id": "P.1", "domain": "Mobile / Endpoint", "question": "Is mobile-device management (MDM) enforced?", "claresia_answer": "Yes — Jamf (macOS) / Intune (Windows). Disk encryption mandatory. Remote wipe enabled. BYOD prohibited for production access.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "active"},
    {"id": "P.2", "domain": "Mobile / Endpoint", "question": "Are endpoints scanned for compliance before granting production access?", "claresia_answer": "Yes — device posture check at SSO time (disk encryption, OS patch level, EDR running) gates production access via WorkOS + IdP risk policy.", "evidence_link": "https://claresia-trust.netlify.app/security-whitepaper", "status": "planned"}
  ]
}
