{"metadata":{"title":"Curate-Me Security Questionnaire","version":"1.0","effective_date":"2026-03-01","contact":"security@curate-me.ai"},"company_overview":{"company_name":"Curate-Me, Inc.","product_name":"Curate-Me AI Gateway Platform","description":"Managed AI gateway and governance layer for LLM API calls. Provides rate limiting, cost control, PII scanning, audit logging, and human-in-the-loop approvals for AI agent workloads.","founded":"2025","employees":"< 50","headquarters":"United States","data_center_locations":["US (Hetzner)","EU (Hetzner Germany/Finland)"]},"data_security":{"encryption_at_rest":{"answer":"Yes","detail":"All data at rest is encrypted using AES-256. MongoDB Atlas and Redis Cloud provide encryption at rest by default. Hetzner VPS volumes use LUKS encryption."},"encryption_in_transit":{"answer":"Yes","detail":"All data in transit uses TLS 1.2+. Caddy reverse proxy enforces HTTPS with automatic certificate renewal. Internal service communication uses mTLS where applicable."},"key_management":{"answer":"Yes","detail":"API keys and secrets are stored using bcrypt hashing. Plaintext keys are never stored. Key rotation supported via the gateway key rotation API."},"data_classification":{"answer":"Yes","detail":"Data is classified into four tiers: Public, Internal, Confidential, and Restricted (PII/PHI). Classification drives retention TTL and access controls."},"data_retention":{"answer":"Yes — configurable","detail":"Default log retention is 90 days. EU data residency orgs default to 30 days (GDPR data minimisation). Retention policies are configurable per org. Data purge on account deletion within 30 days."},"data_deletion":{"answer":"Yes","detail":"Account deletion triggers a 30-day purge pipeline across all MongoDB collections and Redis keys. Audit logs are retained for the statutory minimum period before deletion."}},"access_controls":{"mfa":{"answer":"Yes","detail":"MFA is available and encouraged for all dashboard users. SSO/SAML integration available for Enterprise tier."},"rbac":{"answer":"Yes","detail":"Role-based access control with four roles: Owner, Admin, Member, Viewer. Permissions scoped to org — users cannot access cross-org data."},"privileged_access":{"answer":"Yes","detail":"Infrastructure access requires SSH key authentication. No password access to production servers. Privileged actions logged to immutable audit trail."},"api_key_controls":{"answer":"Yes","detail":"API keys scoped to org, with optional IP allowlisting and rate limits. Keys can be rotated or revoked at any time. Expiry dates supported."}},"vulnerability_management":{"penetration_testing":{"answer":"Yes — annual","detail":"Annual penetration test by an independent third-party security firm. Most recent test: January 2026. Results available under NDA."},"vulnerability_scanning":{"answer":"Yes — continuous","detail":"Automated SAST/DAST scanning in CI/CD pipeline. Dependency vulnerability scanning via GitHub Dependabot. Critical CVEs patched within 24 hours."},"patch_management":{"answer":"Yes","detail":"OS and dependency patches applied within 30 days of release. Critical security patches applied within 24 hours. Container images rebuilt weekly with updated base layers."}},"incident_response":{"incident_response_plan":{"answer":"Yes","detail":"Documented incident response plan with defined severity levels (P0-P3), escalation paths, and customer notification SLAs. Plan reviewed annually and after each incident."},"breach_notification":{"answer":"Yes","detail":"Data breach notification within 72 hours to affected customers and regulatory bodies (GDPR Art. 33). Notification template and process documented in incident response plan."},"security_contact":{"answer":"security@curate-me.ai","detail":"Dedicated security contact. Coordinated disclosure policy published."}},"compliance_and_certifications":{"gdpr":{"answer":"Yes","detail":"DPA available on request. Data processing limited to stated purposes. All sub-processors have signed DPAs. Data subject rights (access, erasure, portability) supported via dashboard and API."},"soc2":{"answer":"SOC 2 Type I achieved (Jan 2026); Type II in progress","detail":"SOC 2 Type I report covers security, availability, and confidentiality. Type II observation period started February 2026 (12 months). Report available under NDA."},"eu_ai_act":{"answer":"Yes","detail":"Platform implements controls mapped to EU AI Act Articles 9, 11, 12, 13, 14, 15, 26, and 96. Compliance score dashboard available. One-click remediation for identified gaps."},"hipaa":{"answer":"BAA available on request (Enterprise tier)","detail":"HIPAA-aligned controls available for Enterprise customers. Business Associate Agreement (BAA) signed on request. PHI handling requires dedicated EU/US residency configuration."}},"business_continuity":{"backup_policy":{"answer":"Yes — daily backups with 30-day retention","detail":"MongoDB Atlas daily automated backups. Redis snapshots every 6 hours. Backups stored in a separate geographic region. Recovery time objective (RTO): 4 hours. RPO: 6 hours."},"disaster_recovery":{"answer":"Yes","detail":"Multi-region failover capability. Primary EU region (Hetzner Germany) with US failover. Failover tested annually."},"uptime_sla":{"answer":"99.9% monthly uptime SLA","detail":"Starter and Growth tiers: 99.9% monthly uptime SLA. Enterprise: 99.95% with dedicated support. Status page: status.curate-me.ai"}},"vendor_management":{"sub_processors":{"answer":"Yes — list publicly available","detail":"Full sub-processor list maintained and published. Customers notified of sub-processor changes with 30-day notice. All sub-processors have signed DPAs."},"third_party_audits":{"answer":"Yes","detail":"Critical sub-processors (MongoDB, Stripe, Hetzner) audited annually. SOC 2 or equivalent reports reviewed before onboarding new sub-processors."}}}