Trust & Security
CAT Trust Center
Security & compliance you can verify.
Compliance Assessment Tool, LLC helps acquiring banks and ISOs onboard their merchants through PCI DSS v4.1 self-assessment in minutes instead of weeks. Below is everything you need to start a vendor-risk review.
Company at a glance
Legal entity
Compliance Assessment Tool, LLC
Registered in
Delaware, USA
Headquarters
1111B S Governors Ave, #39128, Dover, DE 19904
Data residency
AWS us-east-1 (N. Virginia)
Security contact
Privacy contact
Current compliance posture
| Framework | Status | Evidence |
|---|---|---|
| PCI DSS v4.1 — SAQ A | Attested | Signed Attestation of Compliance on file. View AoC (PDF). We do not store, process, or transmit cardholder data on our infrastructure. |
| GDPR + UK GDPR | DPA available | SCCs + UK Addendum incorporated into our standard DPA. |
| CCPA / CPRA | Compliant | We act as a service provider. See Privacy Policy. |
| OpenAI Data Processing Addendum | In force | Executed February 3, 2026 (org-JZrfeV5ZWRQ4S6T7MfWaO4pC). API data not used for model training; retained by OpenAI ≤30 days, then deleted. See summary. |
Security controls (summary)
- Encryption in transit — TLS 1.2+ on every endpoint, HSTS enforced, no plaintext API listeners.
- Encryption at rest — AWS-managed KMS keys on every DynamoDB table and S3 bucket holding customer data.
- Authentication — Partner API keys (32-byte high-entropy, prefixed
cat_live_…). HMAC-SHA256 verification for webhook payloads. Per-partner key rotation procedure documented. - Tenant isolation — Every DynamoDB query is partition-key-scoped to the requesting
partnerId. GSI lookups are post-filtered to prevent cross-tenant data leakage even with a forged secondary key. - Audit trail — Per-partner queryable event log of every state-changing action (merchant create, payment-method add, attempt sealed, signature captured, etc.). Available via
GET /v1/audit. - Webhook delivery — Signed (HMAC-SHA256), automatic retries with exponential backoff (immediate / 30s / 5min), per-attempt headers for idempotent partner handlers.
- Sub-processor governance — Public sub-processor list with 30-day advance notice of changes. View list.
- Logging & monitoring — CloudWatch Logs across all Lambdas with 90-day retention. Alarms on error-rate spikes, dead-letter-queue depth, API 5xx rates, and spend anomalies, routed to an operations alert topic.
- Infrastructure audit trail — AWS CloudTrail enabled account-wide (multi-region, log-file integrity validation) with 365-day retention, independent of application logs.
- Secrets management — application secrets (AI, billing) held in AWS Systems Manager Parameter Store as KMS-encrypted SecureStrings with least-privilege IAM read access; no plaintext secrets in code, configuration, or environment variables. Partner API keys are stored only as SHA-256 hashes.
- Abuse protection — platform-level request throttling at the API gateway plus per-partner rate limits; AWS Shield Standard DDoS protection on every endpoint; failed asynchronous jobs land in dead-letter queues rather than being silently dropped.
- Backups & DR — DynamoDB point-in-time recovery enabled on every table; S3 versioning on document buckets. RTO 4h / RPO 1h. Full plan in our BCP/DR document.
Document library
| Document | Audience | Updated |
|---|---|---|
| Security Overview | Public | 2026-05-15 |
| Privacy Policy | Public | 2026-05-15 |
| Terms of Service | Public | 2026-05-15 |
| Acceptable Use Policy | Public | 2026-05-15 |
| Service Level Agreement | Public | 2026-05-15 |
| Sub-processor List | Public | 2026-05-15 |
| Reference Architecture | Public | 2026-05-15 |
| Master Services Agreement | Under NDA | 2026-05-15 |
| Data Processing Addendum | Under NDA | 2026-05-15 |
| Order Form template | Under NDA | 2026-05-15 |
| Information Security Policy | Under NDA | 2026-05-15 |
| Incident Response Plan | Under NDA | 2026-05-15 |
| Business Continuity / Disaster Recovery | Under NDA | 2026-05-15 |
| Vendor Questionnaire (SIG/CAIQ) Answers | Under NDA | 2026-05-15 |
Request access to confidential documents
For our full Information Security Policy, IR / BCP plans, or completed SIG/CAIQ responses, contact chris.larson@complianceassessmenttool.com. We share under a one-page mutual NDA.
Responsible disclosure
Found a vulnerability? Email chris.larson@complianceassessmenttool.com with reproduction steps. We respond within one business day, do not pursue good-faith researchers, and credit reporters in our public security acknowledgements (with permission).