Compliance Assessment Tool · Trust & Legal

Security Overview

Last updated: 2026-05-15 · Classification: Public

This is a public summary of our security controls. The full Information Security Policy is available under NDA from chris.larson@complianceassessmenttool.com.

Architecture & data residency

Compliance Assessment Tool, LLC runs entirely in AWS us-east-1 (N. Virginia). The platform is a serverless architecture on AWS Lambda fronted by API Gateway and Lambda Function URLs. Persistent data lives in DynamoDB (per-table) and S3 (for generated PDFs). There are no long-lived EC2 instances and no shared databases.

Encryption

Authentication & authorization

Tenant isolation

Every DynamoDB query is partition-key-scoped to the requesting partnerId. Where we use a Global Secondary Index for a per-merchant lookup, results are post-filtered against the requesting partnerId so that a stolen merchantId cannot leak another tenant's data. This pattern is enforced consistently across the audit log, sub-processor list, payment methods, attempts, and responses.

Audit logging

Every state-changing API call (merchant created, payment method added, SAQ determined, attempt opened, section answered, review answered, signature captured, attempt sealed, webhook delivered/failed) writes a structured audit row to a per-partner DynamoDB table. Queryable via GET /v1/audit with filters for merchantId, eventType, since/until. Available for the term of the Partner agreement plus 7 years for compliance evidence retention.

Webhook delivery

Outbound webhooks are signed with HMAC-SHA256 over {timestamp}.{rawBody}. Each delivery carries an X-CAT-Delivery UUID for idempotent partner handlers and an X-CAT-Attempt counter. Delivery is retried up to three times (immediate, +30 s, +5 min) on network failures and HTTP 408/425/429/5xx; we do not retry 4xx responses.

Sub-processor governance

See our Sub-processor List. Changes are noticed at least 30 days in advance via email to subscribers and via update to the public list. Partners may object per the procedure in our DPA.

Vulnerability management

PCI DSS attestation

We hold a signed PCI DSS v4.1 Attestation of Compliance (SAQ A). View AoC (PDF). The platform is engineered to keep cardholder data (PAN, full track, CVV, PIN) outside our scope.

Backups & disaster recovery

DynamoDB point-in-time recovery enabled on every customer-data table (retains 35 days). S3 versioning enabled. Target RTO 4 hours / RPO 1 hour. Full plan in our BCP/DR document.

Personnel

Current production-access personnel: founder only. Multi-factor authentication enforced on all infrastructure consoles (AWS, source control, email). As the team grows, background checks will be performed prior to production access (HireRight or Checkr), and access will follow least-privilege role-based controls.

Incident response

We notify affected Partners without undue delay (target: within 24 hours of confirmed incident impact) and in all cases within 72 hours per GDPR requirements. Full procedure in our Incident Response Plan.

What we don't do