# Lumicost — CAIQ-Lite Questionnaire

**Version:** 2026-04
**Last updated:** April 29, 2026
**Format:** Pre-filled CSA Consensus Assessments Initiative Questionnaire (subset)
**Contact:** security@lumicost.com · legal@lumicost.com

---

## Security posture

- ✔ MFA available for all users
- ✔ RBAC + multi-tenant isolation enforced by `tenant_id`
- ✔ Encryption in transit & at rest (TLS 1.2+, AES-256)
- ✔ Immutable audit log with SHA-256 hash chain
- ✔ Workload Identity Federation (no static cloud credentials)
- ✔ SOC 2 Type I — audit readiness in progress

## Data processing scope

Lumicost only processes customer data required for product functionality. We do not sell, profile, or monetize customer data. Internal access is role-limited, MFA-protected and recorded in the audit log.

---

## About this document

This is a pre-filled CAIQ-Lite (Consensus Assessments Initiative Questionnaire) by Lumicost. It covers the main CSA (Cloud Security Alliance) framework domains to accelerate security review by your procurement or InfoSec team.

For the full CAIQ questionnaire (300+ questions), detailed evidence, or a signed DPA, contact [sales@lumicost.com](mailto:sales@lumicost.com).

### Legend

- ✅ **Yes** — Implemented and verified
- 🟡 **Partial** — Partially implemented or available on higher tier
- ❌ **No** — Not implemented / on roadmap
- ➖ **N/A** — Not applicable

---

## Governance & Risk Management (GRM)

| ID | Question | Answer | Notes |
|---|---|---|---|
| GRM-01 | Is there a formal information security risk management program? | ✅ Yes | Documented policy, quarterly leadership review. Risks classified (high/medium/low) with owners. |
| GRM-02 | Is there a compliance program aligned to recognized standards (SOC 2, ISO 27001)? | 🟡 Partial | Controls designed against SOC 2 Trust Services Criteria. SOC 2 Type I — audit readiness in progress (Vanta/Drata onboarding planned). See roadmap at /trust/security. |
| GRM-03 | Does the company have a designated Security Officer? | ✅ Yes | Security ownership: CTO (acting) with defined security responsibilities and external advisory support. Contact: security@lumicost.com. |

## Identity & Access Management (IAM)

| ID | Question | Answer | Notes |
|---|---|---|---|
| IAM-01 | Is multi-factor authentication (MFA) used for users? | ✅ Yes | MFA available to all users via Auth0 (TOTP, WebAuthn). Mandatory for OWNER/ADMIN roles on Enterprise+ plans. |
| IAM-02 | Is corporate SSO (SAML / OIDC) supported? | ✅ Yes | SAML 2.0 and OIDC via Auth0 Enterprise Connections. Available on Enterprise and Enterprise Compliance plans. |
| IAM-03 | Is role-based access control (RBAC) in place? | ✅ Yes | 5 roles: OWNER, ADMIN, ANALYST, MEMBER, VIEWER. Permissions enforced at API and query level (tenant_id + role). |
| IAM-04 | Is automated user provisioning (SCIM) supported? | 🟡 Partial | SCIM 2.0 is planned on the Enterprise Identity integration roadmap. Provisioning today is via the admin API or invitations; SAML JIT provisioning covers most enterprise cases. |
| IAM-05 | Are customer cloud credentials stored securely? | ✅ Yes | We prefer Workload Identity Federation (WIF), which requires no persistent secrets. Where credentials must be stored, they are encrypted with AES-256 in Postgres, with the master key held in Fly Secrets. |
| IAM-06 | Does employee production access follow least-privilege principle? | ✅ Yes | Access on operational need, MFA mandatory, all actions logged in audit log with hash chain. |

## Data Security (DSI)

| ID | Question | Answer | Notes |
|---|---|---|---|
| DSI-01 | Is data in transit encrypted? | ✅ Yes | TLS 1.2+ on all public endpoints (managed by Cloudflare and Fly). WireGuard mTLS between internal services. |
| DSI-02 | Is data at rest encrypted? | ✅ Yes | AES-256 at Neon Postgres storage layer. Secrets encrypted with Fly Secrets (Fly.io KMS). |
| DSI-03 | Is there tenant isolation (multi-tenancy)? | ✅ Yes | Logical isolation by mandatory tenant_id on all queries. Automated tests verify no cross-tenant leakage. Dedicated isolation available on Enterprise Compliance. |
| DSI-04 | Is data classified by sensitivity? | ✅ Yes | 3 levels: Public, Internal, Sensitive (PII, credentials). Sensitive data only accessible via audited paths. |
| DSI-05 | Is data deleted upon contract termination? | ✅ Yes | Deletion within 30 days (standard) or 7 days (Enterprise+). Certificate of destruction available on request. |

## Encryption & Key Management (EKM)

| ID | Question | Answer | Notes |
|---|---|---|---|
| EKM-01 | Are encryption keys rotated periodically? | ✅ Yes | Application keys rotated annually or on incident. TLS keys rotated automatically by Cloudflare/Fly. |
| EKM-02 | Does it support BYOK (Bring Your Own Key) or CMK? | 🟡 Partial | Available on the Enterprise Compliance tier under a dedicated plan. Not available on standard plans. |

## Application & Interface Security (AIS)

| ID | Question | Answer | Notes |
|---|---|---|---|
| AIS-01 | Is security review performed in the development lifecycle (SSDLC)? | ✅ Yes | PRs require review, CI with automated tests, SAST scanning on each commit, dependencies reviewed by Dependabot. |
| AIS-02 | Does the API validate inputs and apply rate limiting? | ✅ Yes | Schema validation on all endpoints. Per-tenant rate limiting at Cloudflare + application level. |
| AIS-03 | Does the application protect against OWASP Top 10? | ✅ Yes | Documented controls for A01-A10:2021. Security headers (CSP, HSTS, X-Frame-Options) configured. Parameterized queries prevent SQLi. |

## Threat & Vulnerability Management (TVM)

| ID | Question | Answer | Notes |
|---|---|---|---|
| TVM-01 | Is penetration testing performed periodically? | 🟡 Partial | External pentest scheduled for Q3 2026 (vendor TBD). Executive summary will be shared under NDA. |
| TVM-02 | Is there continuous vulnerability scanning of dependencies? | ✅ Yes | Dependabot enabled on all repositories. SLA: critical <7 days, high <30 days. |
| TVM-03 | Is there a responsible disclosure channel? | ✅ Yes | security@lumicost.com. Initial response commitment <72 hours. |

## Business Continuity & Resiliency (BCR)

| ID | Question | Answer | Notes |
|---|---|---|---|
| BCR-01 | Are backups and a recovery plan in place? | ✅ Yes | PITR (Point-in-Time Recovery) 7 days standard, 30 days Enterprise+. RTO: 4 hours. RPO: 15 minutes. |
| BCR-02 | Are recovery procedures tested? | 🟡 Partial | Quarterly technical PITR restore tests. Full DR failover documented, complete test scheduled for H2 2026. |
| BCR-03 | What is the availability SLA? | ✅ Yes | 99.5% on standard plans (SLA credits). 99.9% on Enterprise+. Public status at /status. |

## Audit Assurance & Compliance (AAC)

| ID | Question | Answer | Notes |
|---|---|---|---|
| AAC-01 | Is an immutable audit log of actions maintained? | ✅ Yes | Audit log with SHA-256 hash chain (each entry references previous hash). Exportable integrityHash. Retention 7/30/90/365 days per plan. |
| AAC-02 | Can customers export their audit log? | ✅ Yes | CSV/JSON export available. SIEM export (Splunk/Datadog) available on Enterprise Compliance. |
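To illustrate the hash-chain property described in AAC-01, the following is an added example (not Lumicost's code): it verifies a constructed JSON audit-log export in which each entry references the previous entry's hash, and reports the first entry at which an edit, deletion or reordering breaks the chain. The field names `prevHash` and `integrityHash`, the genesis sentinel and the canonicalization rule are assumptions, since the page does not specify the export format.

```python
"""Verify a SHA-256 hash-chained audit log export (added example, assumed format)."""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prevHash of the first entry


def canonical(body: dict) -> bytes:
    # Deterministic serialization so producer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, body: dict) -> str:
    # Each entry commits to its predecessor's hash and to its own content.
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def build_chain(bodies):
    """Producer side: append entries, each referencing the previous hash."""
    entries, prev = [], GENESIS
    for body in bodies:
        h = entry_hash(prev, body)
        entries.append({**body, "prevHash": prev, "integrityHash": h})
        prev = h
    return entries


def verify_chain(entries):
    """Return (ok, first_bad_index); -1 when the whole chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("prevHash", "integrityHash")}
        if e.get("prevHash") != prev:
            return False, i  # link to predecessor broken: gap or reordering
        if e.get("integrityHash") != entry_hash(prev, body):
            return False, i  # content altered after the hash was recorded
        prev = e["integrityHash"]
    return True, -1


# Constructed sample events (not real Lumicost data).
SAMPLE_EVENTS = [
    {"ts": "2026-04-29T10:00:00Z", "tenant_id": "t-001", "actor": "alice", "action": "login", "mfa": True},
    {"ts": "2026-04-29T10:05:12Z", "tenant_id": "t-001", "actor": "alice", "action": "role.change", "target": "bob", "role": "ADMIN"},
    {"ts": "2026-04-29T10:07:40Z", "tenant_id": "t-001", "actor": "bob", "action": "export.audit_log"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    edited = [dict(e) for e in chain]
    edited[1]["role"] = "VIEWER"  # silent privilege downgrade after the fact
    print("edited entry:", verify_chain(edited))
    print("entry removed:", verify_chain(chain[:1] + chain[2:]))
```

A customer receiving a CSV/JSON export can run the same check on their side, which is what makes the chain useful as evidence rather than as a vendor-only control.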

## Supply Chain & Subprocessors (STA)

| ID | Question | Answer | Notes |
|---|---|---|---|
| STA-01 | Is there a public subprocessor list? | ✅ Yes | List at /trust/subprocessors. 30-day notice before material changes. |
| STA-02 | Are subprocessors security-certified? | ✅ Yes | All primary subprocessors (Fly.io, Neon, Auth0, Cloudflare, Paddle) hold SOC 2 Type II or equivalent. |
| STA-03 | Are DPAs signed with all subprocessors handling personal data? | ✅ Yes | DPAs signed with all subprocessors. SCCs applied to transfers outside EU/Chile where applicable. |

## Human Resources (HRS)

| ID | Question | Answer | Notes |
|---|---|---|---|
| HRS-01 | Are background checks performed on new hires? | 🟡 Partial | Identity and employment reference checks. Formal background check depending on role and jurisdiction. |
| HRS-02 | Do employees sign confidentiality agreements? | ✅ Yes | NDA and IP assignment at onboarding. Confidentiality survives contract termination. |
| HRS-03 | Is security awareness training provided to employees? | ✅ Yes | Onboarding includes security module (phishing, password hygiene, data handling). Annual refresh. |

---

## Related documents

- Security overview (detailed controls): https://lumicost.com/trust/security
- Subprocessor list: https://lumicost.com/trust/subprocessors
- Privacy Policy: https://lumicost.com/privacy
- Terms of Service: https://lumicost.com/terms

## Documents under NDA

- Full CAIQ (CSA v4) with detailed evidence
- Latest pentest executive summary
- Standard DPA (negotiable for Enterprise)
- Business Continuity Plan (BCP/DR)

Request them at [security@lumicost.com](mailto:security@lumicost.com?subject=Lumicost%20-%20NDA-gated%20documents%20request).

---

© 2026 Lumicost. This document is provided for informational purposes only and does not constitute a contractual commitment. For binding security commitments, refer to your signed agreement (MSA / DPA).
