Security Overview
This is a public summary of our security controls. The full Information Security Policy is available under NDA from chris.larson@complianceassessmenttool.com.
Architecture & data residency
Compliance Assessment Tool, LLC runs entirely in AWS us-east-1 (N. Virginia). The platform is a serverless architecture on AWS Lambda fronted by API Gateway and Lambda Function URLs. Persistent data lives in DynamoDB (per-table) and S3 (for generated PDFs). There are no long-lived EC2 instances and no shared databases.
Encryption
- In transit: TLS 1.2+ on every endpoint; HSTS with one-year max-age; modern ciphers only; no plaintext API listeners.
- At rest: AWS-managed KMS keys on every DynamoDB table containing customer data. S3 default-encrypted with SSE-S3.
- Secrets: held in AWS Systems Manager Parameter Store as KMS-encrypted SecureStrings, read at runtime under least-privilege IAM; never stored in plaintext environment variables, never logged. Partner API keys are stored only as SHA-256 hashes.
Authentication & authorization
- Partner API keys are 32-byte high-entropy values prefixed
cat_live_…. Stored as SHA-256 hashes; the plaintext key is shown to the partner exactly once at issuance. - Per-merchant deep-links (issued via
POST /v1/merchants/{id}/portal-link) are session-bound — partners receive a URL containing the API key + merchantId and are advised not to log it. - Webhook payloads are HMAC-SHA256-signed using a per-partner webhook secret.
Tenant isolation
Every DynamoDB query is partition-key-scoped to the requesting partnerId. Where we use a Global Secondary Index for a per-merchant lookup, results are post-filtered against the requesting partnerId so that a stolen merchantId cannot leak another tenant's data. This pattern is enforced consistently across the audit log, sub-processor list, payment methods, attempts, and responses.
Audit logging
Every state-changing API call (merchant created, payment method added, SAQ determined, attempt opened, section answered, review answered, signature captured, attempt sealed, webhook delivered/failed) writes a structured audit row to a per-partner DynamoDB table. Queryable via GET /v1/audit with filters for merchantId, eventType, since/until. Available for the term of the Partner agreement plus 7 years for compliance evidence retention.
Webhook delivery
Outbound webhooks are signed with HMAC-SHA256 over {timestamp}.{rawBody}. Each delivery carries an X-CAT-Delivery UUID for idempotent partner handlers and an X-CAT-Attempt counter. Delivery is retried up to three times (immediate, +30 s, +5 min) on network failures and HTTP 408/425/429/5xx; we do not retry 4xx responses.
Sub-processor governance
See our Sub-processor List. Changes are noticed at least 30 days in advance via email to subscribers and via update to the public list. Partners may object per the procedure in our DPA.
Vulnerability management
- npm/pip dependencies scanned on every build; security advisories triaged within 24 hours.
- AWS Lambda runtime updates applied on AWS-published patch cadence.
- Responsible disclosure: chris.larson@complianceassessmenttool.com.
PCI DSS attestation
We hold a signed PCI DSS v4.1 Attestation of Compliance (SAQ A). View AoC (PDF). The platform is engineered to keep cardholder data (PAN, full track, CVV, PIN) outside our scope.
Backups & disaster recovery
DynamoDB point-in-time recovery enabled on every customer-data table (retains 35 days). S3 versioning enabled. Target RTO 4 hours / RPO 1 hour. Full plan in our BCP/DR document.
Personnel
Current production-access personnel: founder only. Multi-factor authentication enforced on all infrastructure consoles (AWS, source control, email). As the team grows, background checks will be performed prior to production access (HireRight or Checkr), and access will follow least-privilege role-based controls.
Incident response
We notify affected Partners without undue delay (target: within 24 hours of confirmed incident impact) and in all cases within 72 hours per GDPR requirements. Full procedure in our Incident Response Plan.
What we don't do
- We do not store, process, or transmit cardholder data (CHD). The platform is engineered to keep CHD outside our scope. PCI DSS SAQ A AoC.
- We do not sell, share, or rent personal data.
- We do not use customer data to train AI models for other customers, and OpenAI does not use our API data to train its models. OpenAI retains API data at most 30 days for abuse monitoring, then deletes it.
- We do not run any analytics, advertising, or marketing pixels on our properties.