SIG-Lite — Pre-filled Responses

Project-Agent / poc/sig-lite-responses.md

This document mirrors the public Shared Assessments SIG Lite question sections and pre-fills our answers, scoped to what the POC stack can prove plus what the production trust artefacts (/trust, docs/security/, docs/ops/) document.

A reviewer should be able to spot-check most "Yes" answers against the POC running on their laptop; the few that depend on production infrastructure are flagged inline.

> Use this as a starting point for SIG / CAIQ Lite responses. Replace
> bracketed placeholders with the customer-specific answers your sales
> engineer collects during onboarding.

---

A. Risk Assessment & Treatment

| # | Question | Response |
|---|---|---|
| A.1.1 | Is there a documented information security risk-assessment process? | Yes. Annual program; quarterly reviews. SOC 2 Type II in progress with named auditor. |
| A.1.2 | Is risk assessment performed before adopting new technologies? | Yes. Architecture review checkpoint required before merging to main; CodeQL + Bandit + pip-audit + npm audit run on every PR (.github/workflows/security.yml). |

B. Security Policy

| # | Question | Response |
|---|---|---|
| B.1.1 | Documented information security policy? | Yes. Trust Center at /trust. Vulnerability disclosure: docs/security/vulnerability-disclosure.md. Incident response: docs/security/incident-response.md. |
| B.1.2 | Acceptable Use / Code of Conduct policies? | Yes. Available on request from security@arxsec.io. |

C. Organizational Security

| # | Question | Response |
|---|---|---|
| C.1.1 | Information security governance structure? | Yes. Engineering owns implementation; CISO function reports to CEO. |
| C.1.2 | Background checks for personnel? | Yes, per US/EU labour law for all employees with production access. |

D. Asset & Information Management

| # | Question | Response |
|---|---|---|
| D.1.1 | Asset inventory maintained? | Yes. Production assets tracked in IaC (deploy/terraform/aws/); SBOM published per release. |
| D.1.2 | Data classification scheme? | Yes. Customer data classified as Confidential by default; PII / PHI flagged per-tenant. |

E. Access Control

| # | Question | Response | Verifiable |
|---|---|---|---|
| E.1.1 | Access provisioning controls? | Yes. SCIM 2.0 (app/api/v1/scim.py); role-based (admin/deployer/auditor/viewer); JIT user create on first SAML assertion. | POC §1, §5 |
| E.1.4 | Tenant isolation? | Yes. Postgres RLS on every multi-tenant table (migrations/001_initial_schema.sql); RLS preserved in restore via scripts/dr/integrity_check.py. | POC §1 |
| E.2.1 | SSO supported? | Yes. SAML 2.0 with full XML-DSig verification + replay protection (app/core/saml_security.py); Auth0, Okta OIDC, Microsoft Entra, Google Workspace. | POC §4 |
| E.2.4 | MFA enforced? | Yes, via the customer's IdP. Platform respects MFA claim from SAML AuthnContext. | |
| E.4.1 | Automated user de-provisioning? | Yes. SCIM DELETE /Users/{id} deactivates immediately; deletion request workflow anonymises (app/api/v1/data_lifecycle.py). | POC §5, §7 |

F. Human Resources Security

| # | Question | Response |
|---|---|---|
| F.1.1 | Security training? | Yes. Annual mandatory; SOC 2 evidence on request. |

G. Cryptography

| # | Question | Response | Verifiable |
|---|---|---|---|
| G.1.1 | Encryption at rest? | Yes. AES-256-GCM via envelope encryption (app/encryption.py); CMEK on AWS KMS / Azure Key Vault / GCP KMS for Enterprise tier. | POC §3 |
| G.1.2 | Encryption in transit? | Yes. TLS 1.2+ on all customer-facing endpoints; internal service-to-service over private networks. | |
| G.1.3 | Key management? | Yes. HashiCorp Vault for connector credentials; rotation supported via secrets.last_rotated_at. | |
| G.1.4 | Refuse to boot with default keys? | Yes. Production / staging refuse to boot when ARXSEC_ENCRYPTION_KEY is unset or equals the dev sentinel (app/config.py model_validator). | POC §3 |

H. Operational Security

| # | Question | Response | Verifiable |
|---|---|---|---|
| H.1.1 | Audit logging of security-relevant events? | Yes. Append-only audit_log table; policy_verdict, inputs_hash, outputs_hash, duration_ms, status recorded for every action. | POC §2 |
| H.1.2 | Audit log integrity guaranteed? | Yes (INV-001). DB-level triggers reject UPDATE / DELETE on audit_log (migration 013). | POC §2 |
| H.1.4 | SIEM integration? | Yes. Splunk, Datadog, generic SIEM webhook fan-out (app/api/v1/siem.py). | |
| H.2.1 | Compliance evidence generation? | Yes. SOC 2 / HIPAA / PCI PDF export (app/core/compliance_generator.py). | POC §11 |

I. Network Security

| # | Question | Response |
|---|---|---|
| I.1.1 | Network segmentation? | Yes. Production runs in segmented VPCs per region; staging/prod isolated. |
| I.1.2 | DDoS protection? | Yes. Plan-tier rate limiting via Redis-Lua token bucket (app/middleware/rate_limiter.py); upstream WAF in production. |
| I.1.3 | IP allowlist? | Yes. Per-org configurable (app/api/v1/ip_allowlist.py). |

J. Application Security

| # | Question | Response | Verifiable |
|---|---|---|---|
| J.1.1 | SAST in CI? | Yes. Bandit on every PR + nightly; SARIF uploaded to GitHub Security tab. | .github/workflows/security.yml |
| J.1.2 | Dependency vulnerability scanning? | Yes. pip-audit (--strict) + npm audit (--audit-level=high) on every PR. | Same. |
| J.1.3 | Secret scanning? | Yes. GitHub native secret scanning + .bandit configured for app code. | |
| J.1.4 | Penetration testing? | Scheduled with named third-party (Cobalt / Bishop Fox / NCC). Executive summary published on /trust on completion. | Trust page |

K. Performance & Capacity

| # | Question | Response | Verifiable |
|---|---|---|---|
| K.1.1 | Capacity planning + load testing? | Yes. k6 baseline against top-10 endpoints (load-tests/k6/top10.js); SLO budgets enforced (p95 read < 300 ms, p95 write < 800 ms, zero 5xx). | POC §6 |
| K.1.4 | Rate limiting per-tenant? | Yes, plan-tiered (60–5000 RPM); replica-safe via Redis-Lua. | POC §6 |

L. Privacy & Data Handling

| # | Question | Response | Verifiable |
|---|---|---|---|
| L.1.1 | Data retention policy? | Yes. Configurable per-tenant per-table with guardrails (app/core/data_lifecycle.py); audit_log retention enforced at partition layer to preserve INV-001. | POC §7 |
| L.1.3 | GDPR right to erasure? | Yes. POST /v1/data-deletion queues anonymisation; immutable final audit event written. | POC §7 |
| L.1.5 | Sub-processors disclosed? | Yes. Trust Center sub-processor table (/trust). | POC §10 |
| L.1.7 | Cross-border transfers? | Yes. Region-pinned (US / EU); cross-region replication only on opt-in DR. | |

M. Monitoring & Alerting

| # | Question | Response | Verifiable |
|---|---|---|---|
| M.1.1 | Real-time monitoring of security events? | Yes. Datadog APM (required in production); Sentry for errors with PII scrubber. | POC §8 |
| M.1.2 | Component-level health surface? | Yes. /health/components mappable to BetterStack / statuspage.io / Instatus. | POC §6 |

N. Incident Management

| # | Question | Response |
|---|---|---|
| N.1.1 | Documented IR plan? | Yes. docs/security/incident-response.md — severity rubric, response phases, customer notification SLAs (SEV-1 ≤ 24 h, SEV-2 ≤ 5 BD), GDPR Article 33 / 34 hook. |
| N.1.2 | Tabletop / drill cadence? | Yes. Quarterly tabletop; quarterly DR restore drill (docs/ops/disaster-recovery.md). |

O. Business Continuity / DR

| # | Question | Response | Verifiable |
|---|---|---|---|
| O.1.1 | Documented DR plan? | Yes. docs/ops/disaster-recovery.md — RPO 24 h, RTO 4 h. | POC §9 |
| O.1.2 | Backups tested? | Quarterly via scripts/dr/restore_drill.sh + scripts/dr/integrity_check.py. | POC §9 |
| O.1.3 | Multi-region? | Yes, US and EU regions. Cross-region failover on the roadmap. | |

P. Compliance & Audit

| # | Question | Response |
|---|---|---|
| P.1.1 | SOC 2 Type II? | In progress with named auditor; letter available on request. Type I report attached on signature. |
| P.1.2 | ISO 27001? | Gap assessment complete; full audit on the FY26 roadmap. |
| P.1.3 | HIPAA? | BAA available on Enterprise plans. |
| P.1.4 | PCI? | Out of scope (we do not store card data — Stripe is PCI Level 1). |

Q. Third-Party Risk

| # | Question | Response |
|---|---|---|
| Q.1.1 | Sub-processor risk assessments? | Yes. Annual review of all sub-processors listed at /trust. |
| Q.1.2 | Vendor breach notification clauses in contracts? | Yes. 24-hour notice obligation. |

R. Privacy Compliance

| # | Question | Response | Verifiable |
|---|---|---|---|
| R.1.1 | DPA available? | Yes. Standard DPA + SCCs available on request from legal@arxsec.io. | Trust page |
| R.1.2 | Data Subject Access Request handling? | Yes. POST /v1/data-deletion; export endpoints on roadmap. | POC §7 |

---

What's NOT verifiable in the POC

  • SOC 2 Type II report (production-only; letter on request).
  • Pen test executive summary (post-completion; published on /trust).
  • Production network architecture (covered on the trust page; the sub-processor list is the source of truth).
  • BAA / DPA execution (legal artefact).
  • Actual incident metrics (post-mortems published per docs/security/incident-response.md).

For these, the buyer's GRC team will receive PDFs / signed letters from questionnaires@arxsec.io during the contract review.