This questionnaire covers the most common enterprise security evaluation domains. For custom questionnaire formats (CAIQ, SIG, HECVAT, or your own), or for questions about in-progress items, contact security@cloudryption.com.
1. Company overview
Question
Answer
What does Cloudryption do?
Cloudryption is a cloud security decision engine that ingests cloud environment metadata (AWS, GCP, Kubernetes), builds a security graph, computes attack paths, evaluates controls, and generates prioritised, evidence-backed findings and remediation recommendations.
Where is the company based?
Cloudryption is an early-stage company. See your commercial agreement or contact us for current entity details.
What cloud providers are used for production?
AWS (primary infrastructure). See the Subprocessors page for current infrastructure providers.
2. Governance
Question
Answer
Is there a designated security lead or CISO function?
Yes. Security responsibilities are assigned to a named individual in the founding team. A formal CISO function is planned as the team grows.
Is there a formal information security policy?
Yes. An information security policy is maintained and reviewed at least annually.
Are employees required to complete security awareness training?
Yes. All employees complete security awareness training at onboarding and at least annually.
Are employees subject to background checks?
Background checks are performed consistent with applicable law and role requirements.
Is there an acceptable use policy?
Yes. All employees sign an acceptable use policy at onboarding.
3. Compliance
Question
Answer
Is Cloudryption SOC 2 certified?
Not yet. See the SOC 2 Roadmap for the phased plan to achieve SOC 2 Type II. A security packet with current controls is available for enterprise customers.
Is Cloudryption ISO 27001 certified?
Not currently. Planned as part of the compliance maturity roadmap following SOC 2 Type II.
Does Cloudryption maintain a risk register?
Yes. A risk register is maintained and reviewed regularly.
Has Cloudryption undergone a third-party penetration test?
Penetration testing is planned before broad enterprise GA. Results are available to enterprise customers under NDA upon completion.
4. Privacy
Question
Answer
Does Cloudryption comply with GDPR?
Cloudryption operates according to GDPR principles, including data minimisation, lawful basis, data subject rights, and appropriate security. A formal DPA and SCCs are available for EU data transfers.
Does Cloudryption process personal data?
Cloudryption processes limited account and usage data (user accounts, audit logs, support correspondence). Cloud environment metadata processed on behalf of customers may incidentally contain personal data (e.g., IAM usernames, resource tags). See the Privacy Policy and DPA for details.
Does Cloudryption support data subject access requests (DSARs)?
Yes. Customer data deletion and export requests, including those needed to fulfil DSARs received by the customer, are supported. Contact support@cloudryption.com.
5. Data handling
Question
Answer
What data does Cloudryption collect from customer cloud environments?
Cloud resource metadata: IAM policies, roles, trust relationships, network topology, security group rules, storage bucket ACLs, encryption status, compute configurations, Kubernetes workloads. No raw application payloads, database contents, secrets, or private keys.
Is there a data retention policy?
Yes. See Data Retention Policy. Default retention schedules are defined per data type. Customers can request deletion.
Is data shared with third parties beyond listed subprocessors?
No. Data is not sold. See the Subprocessors page for the current list.
Does Cloudryption use customer data for AI model training?
No. Customer cloud environment data is not used to train AI models.
6. Architecture
Question
Answer
Is Cloudryption multi-tenant?
Yes. The platform is multi-tenant with logical tenant isolation enforced at every application and database layer.
Is there a network architecture diagram available?
A high-level architecture diagram is available to enterprise customers in the security packet. Contact security@cloudryption.com.
Are production and development environments separated?
Yes. Production and development environments are isolated with separate credentials, infrastructure, and access controls.
7. Tenant isolation
Question
Answer
How is tenant data isolated?
All application logic enforces tenant_id at the HTTP handler, service, and database query layers. Row-level tenant scoping is applied to all data queries.
Are cross-tenant isolation controls tested?
Yes. Automated negative tests run in CI on every pull request to verify cross-tenant access is blocked.
Can one customer's actions affect another tenant's data or availability?
Architectural controls and per-tenant resource limits are designed to prevent this. Denial of service from a single tenant affecting others is a known risk addressed through those limits and in capacity planning.
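Added example (not Cloudryption's code) of the row-level tenant scoping and CI negative test described in the two rows above. The tenant_id is taken only from the authenticated context established by the HTTP layer, never from a request parameter, and every query appends it as a filter; the negative test then has a tenant B session try to read, list and delete a tenant A record by guessing its id. The `findings` table, the helper names and the sample rows are assumptions constructed for the example.

```python
"""Tenant-scoped data access with a CI-style cross-tenant negative test.

Added example, not Cloudryption's code. The `findings` table, the helper
names and the two sample rows are constructed for illustration.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthContext:
    """Identity established by the HTTP handler from the verified session or token.

    tenant_id here is the only source of tenant scoping for lower layers; it is
    never taken from a query string, path parameter or request body.
    """
    user_id: str
    tenant_id: str


class FindingsRepository:
    """Every query filters on ctx.tenant_id. Callers cannot supply a tenant_id
    themselves, so a handler that forgets the check cannot widen the scope."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get_finding(self, ctx: AuthContext, finding_id: int):
        # Lookup by primary key still carries the tenant filter, so guessing
        # another tenant's id yields "not found" rather than their row.
        row = self.conn.execute(
            "SELECT id, tenant_id, title FROM findings WHERE id = ? AND tenant_id = ?",
            (finding_id, ctx.tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "tenant_id": row[1], "title": row[2]}

    def list_findings(self, ctx: AuthContext):
        rows = self.conn.execute(
            "SELECT id, tenant_id, title FROM findings WHERE tenant_id = ? ORDER BY id",
            (ctx.tenant_id,),
        ).fetchall()
        return [{"id": r[0], "tenant_id": r[1], "title": r[2]} for r in rows]

    def delete_finding(self, ctx: AuthContext, finding_id: int) -> int:
        # Writes are scoped the same way; rowcount tells the caller whether
        # anything in *their* tenant matched.
        cur = self.conn.execute(
            "DELETE FROM findings WHERE id = ? AND tenant_id = ?",
            (finding_id, ctx.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount


def seed_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one finding each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE findings (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO findings VALUES (?, ?, ?)",
        [(1, "tenant-a", "S3 bucket allows public read"),
         (2, "tenant-b", "IAM role trust policy uses wildcard principal")],
    )
    conn.commit()
    return conn


def cross_tenant_negative_test() -> dict:
    """The shape of negative test a CI job would run on every pull request:
    a valid tenant B session attempts to reach tenant A's finding (id 1)."""
    repo = FindingsRepository(seed_db())
    attacker = AuthContext(user_id="mallory", tenant_id="tenant-b")
    victim = AuthContext(user_id="alice", tenant_id="tenant-a")
    return {
        "read_blocked": repo.get_finding(attacker, 1) is None,
        "list_scoped": [f["tenant_id"] for f in repo.list_findings(attacker)] == ["tenant-b"],
        "delete_blocked": repo.delete_finding(attacker, 1) == 0,
        "victim_row_intact": repo.get_finding(victim, 1) is not None,
    }


if __name__ == "__main__":
    results = cross_tenant_negative_test()
    print(results)
    assert all(results.values()), "cross-tenant isolation regression"
```

In CI the equivalent test fails the pull request if any of the four checks is false; the important design choice is that the repository method signature takes the AuthContext rather than a tenant_id argument, which makes the unscoped query impossible to write at that layer rather than merely discouraged.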
8. Encryption
Question
Answer
Is data encrypted in transit?
Yes. All external connections use HTTPS / TLS 1.2+. Obsolete protocols are disabled. HSTS enforced on the public platform.
Is data encrypted at rest?
Yes. Cloud provider native encryption at rest for all production databases and object storage, backed by cloud KMS (AWS KMS).
How are encryption keys managed?
Via cloud KMS. Key access is restricted to required service roles and logged. Keys are rotated per cloud provider schedule and policy.
Are connector credentials encrypted?
Yes. Stored in an encrypted credential / secrets store. Not logged or included in any customer-visible content.
9. Access control
Question
Answer
Is multi-factor authentication (MFA) enforced?
MFA is required for privileged accounts and recommended for all users. Enterprise SSO (SAML / OIDC) is supported.
Is SSO / SAML / OIDC supported?
Yes. Enterprise SSO via SAML / OIDC is available. SCIM provisioning for enterprise customers is either available or on the roadmap depending on the identity provider; confirm current status with security@cloudryption.com.
Is privileged access reviewed periodically?
Yes. Privileged access is reviewed at least quarterly. Access is removed promptly upon role change or termination.
Is Cloudryption staff access to customer data logged?
Yes. All Cloudryption personnel access to customer data is logged with actor identity, timestamp, and justification. Enterprise customers may request support access logs.
10. Logging and monitoring
Question
Answer
Is audit logging implemented?
Yes. Authentication events, privileged actions, data access, exports, scan events, and configuration changes are logged with timestamps and actor identifiers.
Are logs protected from tampering?
Logs are written to append-only or protected storage. Access to modify or delete audit logs is restricted.
Is security monitoring and alerting in place?
Yes. Infrastructure monitoring, anomaly detection, and security alerting are implemented. Alerts are routed to the security team.
Are customers able to access their audit logs?
Customer audit log access is available through the platform UI and API, scoped to their tenant.
11. SDLC and change management
Question
Answer
Is there a secure SDLC process?
Yes. All code changes go through pull request review, CI gating (static analysis, dependency scanning, tests), and deployment approval.
Is static code analysis / SAST used?
Yes. Automated static analysis runs on every pull request. Findings are reviewed before merge.
Is dependency scanning (SCA) used?
Yes. Software composition analysis runs in CI. An SBOM is maintained and reviewed.
Are changes to production gated by review?
Yes. No direct commits to main / production branches. Peer review is required for all changes.
Is there a change management policy?
Yes. A formal change management policy documents the review, approval, testing, and rollback requirements for production changes.
12. Vulnerability management
Question
Answer
Is there a vulnerability management programme?
Yes. Vulnerability scanning runs in CI and on a scheduled basis. Critical and high vulnerabilities are tracked and remediated per documented SLAs.
Are container images scanned?
Yes. Container images are scanned for vulnerabilities as part of the build and release pipeline.
Is there a responsible disclosure / bug bounty programme?
Responsible disclosure is accepted. See Responsible Disclosure. A formal bug bounty is not currently offered.
Are penetration tests conducted?
Planned before broad enterprise GA. Annual pen testing is the target cadence. Results are available to enterprise customers under NDA.
13. Incident response
Question
Answer
Is there an incident response plan?
Yes. A documented incident response plan covers detection, triage, containment, eradication, recovery, and post-incident review. See Incident Response Summary.
How will customers be notified of security incidents?
Affected customers will be notified within 48 hours (target) of a confirmed security incident affecting their data, consistent with the processor notification duty in GDPR Article 33(2) where applicable, so that customers can meet their own Article 33/34 obligations as controllers.
Has Cloudryption experienced a data breach?
Not at the time of this document's publication. Any material incidents will be disclosed per the incident response plan.
14. Backup and DR
Question
Answer
Are backups taken of production data?
Yes. Encrypted backups of all production databases and object storage are taken on a regular schedule.
Are backup restores tested?
Yes. Restore testing is performed before enterprise GA, quarterly for critical databases, and annually as a full DR simulation. Evidence is maintained.
15. Subprocessors and AI
Question
Answer
Is a list of subprocessors available?
Yes. See Subprocessors. Customers are notified in advance of material changes to subprocessors.
Are subprocessors subject to security review?
Yes. New subprocessors are reviewed for security, privacy, and compliance before onboarding.
Does Cloudryption use AI / large language models?
AI-assisted narrative generation is available as an optional feature, disabled by default. The AI provider is listed in Subprocessors. Customer cloud environment data is not used to train AI models.
Can customers opt out of AI processing?
Yes. AI features are disabled by default. Customers may also disable them at the tenant-admin level if previously enabled.