{"status":{"encryption_at_rest":true,"encryption_in_transit":true,"access_controls":true,"audit_logging":true,"vulnerability_scanning":true,"penetration_testing":true,"incident_response_plan":true,"data_backup":true,"soc2_type2":false,"iso27001":false,"gdpr_compliant":true,"hipaa_ready":false,"last_pen_test":"2026-01-15","last_audit":"2026-02-01","uptime_sla":"99.9%","overall_score":87,"status":"good","generated_at":"2026-07-03T00:36:17.939770+00:00"},"badges":[{"id":"gdpr","label":"GDPR Compliant","status":"achieved","icon":"shield","description":"Data processing agreements in place with all sub-processors. Right to erasure, data portability, and DPA available on request.","achieved_date":"2026-01-01"},{"id":"soc2_type1","label":"SOC 2 Type I","status":"achieved","icon":"check","description":"SOC 2 Type I report completed January 2026. Covers security, availability, and confidentiality trust service criteria.","achieved_date":"2026-01-20"},{"id":"soc2_type2","label":"SOC 2 Type II","status":"in_progress","icon":"clock","description":"12-month observation period started February 2026. Expected completion February 2027.","expected_date":"2027-02-01"},{"id":"iso27001","label":"ISO 27001","status":"planned","icon":"calendar","description":"Planned for H2 2026 once SOC 2 Type II observation period is complete.","expected_date":"2026-12-01"},{"id":"eu_ai_act","label":"EU AI Act Ready","status":"achieved","icon":"eu","description":"Compliance engine mapped to EU AI Act articles 9, 11, 12, 13, 14, 15, 26, 96. One-click remediation available for all high-risk article gaps.","achieved_date":"2026-03-01"},{"id":"pci_dss","label":"PCI DSS (via Stripe)","status":"achieved","icon":"card","description":"Payment card data never touches Curate-Me servers. All billing processed via Stripe (PCI DSS Level 1 certified).","achieved_date":"2026-01-01"}],"sub_processors":[{"name":"MongoDB Atlas","purpose":"Primary data storage — user data, audit logs, analytics","location":"US / EU (region-configurable)","data_categories":["user_data","audit_logs","analytics","billing"],"dpa_signed":true,"privacy_policy_url":"https://www.mongodb.com/legal/privacy-policy"},{"name":"Redis Cloud","purpose":"Real-time caching, rate limiting, session state","location":"US / EU (region-configurable)","data_categories":["session_data","rate_limit_state","ephemeral_cache"],"dpa_signed":true,"privacy_policy_url":"https://redis.com/legal/privacy-policy/"},{"name":"Stripe","purpose":"Payment processing and subscription billing","location":"US (PCI DSS L1 certified)","data_categories":["billing_data","payment_methods"],"dpa_signed":true,"privacy_policy_url":"https://stripe.com/privacy"},{"name":"Hetzner Cloud","purpose":"Infrastructure hosting — application servers and managed runners","location":"EU (Germany / Finland)","data_categories":["infrastructure","compute","network"],"dpa_signed":true,"privacy_policy_url":"https://www.hetzner.com/legal/privacy-policy"},{"name":"Resend","purpose":"Transactional email delivery","location":"US","data_categories":["email_addresses","notification_content"],"dpa_signed":true,"privacy_policy_url":"https://resend.com/privacy"},{"name":"OpenAI","purpose":"LLM inference (when routed via gateway on org request)","location":"US / EU (configurable via data residency policy)","data_categories":["llm_request_content"],"dpa_signed":true,"privacy_policy_url":"https://openai.com/policies/privacy-policy"},{"name":"Anthropic","purpose":"LLM inference (when routed via gateway on org request)","location":"US / EU (configurable via data residency policy)","data_categories":["llm_request_content"],"dpa_signed":true,"privacy_policy_url":"https://www.anthropic.com/privacy"}],"controls":[{"id":"enc-at-rest","category":"encryption","label":"Encryption at rest","description":"All data at rest is encrypted using AES-256.  MongoDB Atlas, Redis Cloud, and Hetzner VPS volumes use encryption at rest by default.","status":"implemented","as_of":"2026-01-01","evidence_note":"MongoDB Atlas default encryption; Hetzner LUKS volumes."},{"id":"enc-in-transit","category":"encryption","label":"Encryption in transit","description":"All connections use TLS 1.2+.  Caddy reverse proxy enforces HTTPS with automatic certificate renewal (Let's Encrypt).","status":"implemented","as_of":"2026-01-01","evidence_note":"Caddyfile TLS config in codebase."},{"id":"enc-key-mgmt","category":"encryption","label":"API key hashing","description":"All API keys are hashed with bcrypt before storage.  Plaintext keys are shown once at creation and never stored or logged.","status":"implemented","as_of":"2026-03-01"},{"id":"ac-rbac","category":"access_control","label":"Role-based access control (RBAC)","description":"Four roles: Owner, Admin, Member, Viewer.  All permissions are scoped to the org — cross-org data access is blocked at middleware.","status":"implemented","as_of":"2026-01-01"},{"id":"ac-mfa","category":"access_control","label":"Multi-factor authentication (MFA)","description":"TOTP MFA available for all dashboard users.  SSO/SAML integration available for Enterprise tier customers.","status":"implemented","as_of":"2026-04-01","evidence_note":"auth_2fa.py in codebase; TOTP enrollment UI in dashboard."},{"id":"ac-tenant-isolation","category":"access_control","label":"Multi-tenant isolation","description":"TenantIsolationMiddleware enforces org_id scoping on every B2B API call.  Gateway auth extracts org from API key; B2B API uses JWT org_id claim.","status":"implemented","as_of":"2026-01-01"},{"id":"net-ssrf","category":"network","label":"SSRF protection","description":"Gateway proxy validates upstream URLs against a provider allowlist.  Internal metadata endpoints, file:// URIs, and private IP ranges are blocked.","status":"implemented","as_of":"2026-01-01"},{"id":"net-firewall","category":"network","label":"Network firewall and private networking","description":"Production VPS uses strict firewall rules.  Database and cache ports are not exposed to the public internet.  Services communicate over private networking.","status":"implemented","as_of":"2026-01-01"},{"id":"vuln-deps","category":"vulnerability","label":"Dependency vulnerability scanning","description":"CI pipeline runs pip-audit (Python) and npm audit (TypeScript) on every PR.  Critical CVEs block merge.","status":"implemented","as_of":"2026-01-01"},{"id":"vuln-pentest","category":"vulnerability","label":"Penetration testing","description":"Annual penetration test by an independent third-party security firm.  Most recent test: January 2026.  Results available under NDA upon request.","status":"implemented","as_of":"2026-01-15","evidence_note":"Pen test completed Jan 2026.  Report provided under NDA to enterprise prospects.  Not publicly available."},{"id":"data-pii-scan","category":"data","label":"PII scanning on gateway requests","description":"33 regex patterns detect API keys, passwords, emails, phone numbers, SSNs, and credit card numbers in request payloads before proxying.  Optional Presidio NER integration (per-org opt-in).","status":"implemented","as_of":"2026-01-01"},{"id":"data-retention","category":"data","label":"Configurable data retention","description":"Retention windows vary by plan (7 days free to 365 days enterprise).  Audit logs are retained for a minimum of 1 year on all plans.","status":"implemented","as_of":"2026-05-01"},{"id":"data-export","category":"data","label":"Data portability (owner export)","description":"Org owners can request a full-tenant data export via the dashboard.  Export is assembled by a background worker and delivered as a signed download URL (72h TTL).","status":"implemented","as_of":"2026-05-01"},{"id":"data-deletion","category":"data","label":"Right to erasure (owner deletion)","description":"Org owners can request a full-tenant data deletion.  A 7-day grace period applies.  A SHA-256 proof record is retained for audit purposes.","status":"implemented","as_of":"2026-05-01"},{"id":"audit-trail","category":"audit","label":"Immutable governance audit trail","description":"27+ event types written to an append-only audit log covering every gateway request outcome, governance decision, runner lifecycle event, approval action, and key rotation.","status":"implemented","as_of":"2026-01-01"},{"id":"comp-gdpr","category":"compliance","label":"GDPR readiness","description":"DPA available on request.  Data subject rights (access, erasure, portability) supported.  EU region available (Hetzner Germany/Finland).  All sub-processors have signed DPAs.","status":"implemented","as_of":"2026-01-01"},{"id":"comp-soc2-type1","category":"compliance","label":"SOC 2 Type I","description":"SOC 2 Type I report completed January 2026.  Covers security, availability, and confidentiality trust service criteria.  Report available under NDA upon request.  Not publicly available.","status":"implemented","as_of":"2026-01-20","evidence_note":"Audit completed Jan 2026.  Report shared under NDA only.  Do not represent this as a publicly available certification."},{"id":"comp-soc2-type2","category":"compliance","label":"SOC 2 Type II","description":"12-month observation period started February 2026.  Expected completion February 2027.  Not yet available.","status":"in_progress","as_of":"2026-02-01","evidence_note":"Observation period underway.  No Type II report exists yet."},{"id":"comp-eu-ai-act","category":"compliance","label":"EU AI Act readiness","description":"Controls mapped to EU AI Act Articles 9, 11, 12, 13, 14, 15, 26, 96.  Governance chain provides audit trail, human oversight, PII scanning, and record-keeping required for high-risk system operators.","status":"implemented","as_of":"2026-03-01"},{"id":"comp-iso27001","category":"compliance","label":"ISO 27001","description":"Planned for H2 2026 after SOC 2 Type II observation period completes.","status":"planned","as_of":"2026-05-01","evidence_note":"Roadmap item; no certification work has started."}],"data_handling":{"retention_note":"Retention windows vary by plan: 7 days (Free) to 365 days (Enterprise) for gateway logs.  Audit logs are retained for a minimum of 1 year on all plans.  EU residency orgs apply shorter defaults per GDPR data minimisation.","deletion_note":"Account and org deletion requests enter a 7-day grace period; hard deletion is processed within 30 days of grace period expiry by the Curate-Me team.  A SHA-256 proof record is kept for audit purposes.  Audit logs are retained for the statutory minimum period even after deletion.","portability_note":"Org owners can request a full data export via the dashboard or the /api/v1/platform/data-requests/export endpoint.  The export covers all org collections (excluding plaintext secrets) and is delivered as a signed download URL (72-hour TTL).","location_note":"Default region: EU (Hetzner Germany and Finland).  US region available on request.  Data residency is configurable at the org level for Pro and above plans.  All sub-processors support EU-region data placement.","pii_handling_note":"LLM request prompt and response bodies are NOT stored by default.  Metadata (model, token counts, cost, org_id) is stored for billing and analytics.  PII scanning detects and flags sensitive content before proxying to LLM providers.  Body logging (for debugging) must be explicitly enabled and is opt-in only.","as_of":"2026-05-01"},"security_contact":{"email":"security@curate-me.ai","disclosure_policy_url":"https://curate-me.ai/security/disclosure","response_sla_hours":24,"bug_bounty_note":"We do not currently operate a formal bug bounty programme.  Responsible disclosure is welcomed and researchers are credited (with permission) in our security advisories.","as_of":"2026-01-01"},"links":{"dpa":"https://curate-me.ai/legal/dpa","privacy_policy":"https://curate-me.ai/legal/privacy","terms_of_service":"https://curate-me.ai/legal/terms","security_page":"https://curate-me.ai/security","trust_center":"https://curate-me.ai/trust","status_page":"https://status.curate-me.ai","responsible_disclosure":"https://curate-me.ai/security/disclosure","subprocessors":"https://curate-me.ai/legal/subprocessors"},"contact":{"security":"security@curate-me.ai","privacy":"privacy@curate-me.ai","legal":"legal@curate-me.ai"},"generated_at":"2026-07-03T00:36:17.940101+00:00"}