Security questionnaire, pre-completed
Most vendor reviews ask the same questions. Here they are, answered in advance across the CAIQ-Lite domains and mapped to the VSA-Core areas. The answers are meant honestly: Yes means the control is operated today and stated on this page or the security page; Partial names the gap; Planned has a target date and nothing more.
| Domain | Question | Answer | Detail |
|---|---|---|---|
| A&A Compliance | Do you hold independent security certifications (SOC 2, ISO 27001)? | Planned | Not yet, and we say so plainly. SOC 2 Type I is targeted for Q3 2026 (evidence collection via Vanta starts at commercial launch), Type II about nine months later, ISO 27001 in parallel. Until then, this page and the security page describe the controls we actually operate. |
| AIS Application security | Is security built into the application and its lifecycle? | Yes | Inputs are schema-validated at the boundary, all database access is parameterized, strict security headers and a CSP ship on every surface, and high or critical dependency advisories fail the build. |
| BCR Resilience | Can you recover from infrastructure failure? | Partial | Serverless architecture on managed multi-AZ services, encrypted backups with point-in-time recovery, and a written disaster-recovery runbook; a formally exercised business-continuity plan is still ahead. |
| CEK Encryption | Is customer data encrypted in transit and at rest? | Yes | TLS 1.3 minimum in transit with HSTS; AES-256 at rest on every store with managed key rotation; secrets live in a managed secrets service, never in code. |
| DCS Physical security | Where does production run, and who controls physical access? | Yes | AWS eu-central-1 (Frankfurt), in a dedicated, fully isolated account. Physical security is inherited from AWS’s audited data centers. |
| DSP Data protection | How is customer data protected and kept out of model training? | Yes | We never train on customer data. Model-provider API traffic is excluded from training under each provider’s API terms, and Zero Data Retention agreements with Anthropic and OpenAI are being finalized; retrieval embeddings stay in-region in the EU; a DPA with SCCs is offered and DSAR handling is published. |
| GRC Security policy | Do you maintain a security governance program? | Partial | Security policies are maintained as enforced engineering rules, versioned with the code and reviewed on every change; a certified ISMS (ISO 27001) is on the published roadmap. |
| HRS Personnel | Do personnel security controls exist (screening, onboarding, offboarding)? | Partial | Syncanix is founder-operated today: the only person with production access is the accountable operator. Formal screening and onboarding policies land with the first hires, and this answer will change when they do. |
| IAM Access control | How is access to systems and data controlled? | Yes | Least privilege throughout: SSO-backed identity with verified tokens on every request, explicitly written per-resource policies, no long-lived access keys, and audited role changes. |
| IPY Portability | Can customers export their data and leave? | Yes | The capability catalog is a portable artifact, customer data is exportable, and cancellation never locks data in. |
| IVS Infrastructure | How is the production infrastructure secured? | Yes | Everything is infrastructure-as-code with reviewed diffs before deploys, an isolated VPC, no resources shared with any other product, and a fully tagged inventory. |
| LOG Logging & monitoring | Are systems monitored and are logs protected? | Yes | Structured logs carry tenant and request correlation on every line, secrets and PII are excluded by redaction policy, retention is bounded, and audit-relevant events raise alarms. |
| SEF Incident response | Is there an incident-response process with customer notification? | Yes | A documented incident-response runbook; disclosure reports acknowledged within 24 hours and triaged within 72; confirmed customer-impact breaches notified within 24 hours of confirmation. |
| STA Supply chain | How do you manage supply-chain risk? | Yes | The sub-processor list is public with a 30-day change notice, dependency advisories gate CI, and every new library passes a documented adoption checklist. |
| TVM Vulnerability management | How are vulnerabilities found and fixed? | Partial | Automated dependency scanning gates every build and a public disclosure program with safe harbor is live; an external penetration test is planned alongside SOC 2, and none has been commissioned yet. |
| UEM Endpoint management | Are the devices that touch production managed? | Partial | Production access is limited to named operator identities under the access controls above; formal endpoint management (MDM) arrives with the first hires. |
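The LOG row above describes three properties of a log line: tenant and request correlation on every line, a redaction policy that keeps secrets and PII out, and a flag for audit-relevant events. The following is an added illustration of that pattern, not Syncanix’s own logging code: the field names, the redaction patterns, the denylisted keys, the audit-event names and the sample events are all assumptions chosen for the example.

```python
"""Structured JSON logging with correlation IDs and secret/PII redaction.

Added example, not the vendor's code. Field names, patterns, denylisted keys,
audit-event names and the sample events below are assumptions for illustration.
"""
import json
import logging
import re
from typing import Any

# Assumed redaction policy: patterns masked in every string before it is emitted.
# Order matters: bearer tokens first, so a token is never left for a later pattern.
REDACTIONS = [
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED_AWS_KEY]"),   # AWS access key ID shape
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED_EMAIL]"),
    (re.compile(r"\b\d{13,19}\b"), "[REDACTED_PAN]"),           # card-number-length digit runs
]

# Keys whose values are never logged regardless of content (assumed list).
DENYLIST_KEYS = {"password", "authorization", "api_key", "secret", "set-cookie"}

# Events that are audit-relevant and should raise an alarm downstream (assumed names).
AUDIT_EVENTS = {"role.changed", "policy.updated", "login.failed"}


def redact_value(text: str) -> str:
    """Apply every redaction pattern to one string."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def redact(obj: Any) -> Any:
    """Recursively redact a payload: denylisted keys are masked whole, strings are pattern-scrubbed."""
    if isinstance(obj, dict):
        return {
            key: ("[REDACTED]" if key.lower() in DENYLIST_KEYS else redact(value))
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact(value) for value in obj]
    if isinstance(obj, str):
        return redact_value(obj)
    return obj


def build_line(tenant_id: str, request_id: str, event: str, level: str = "info", **fields: Any) -> str:
    """Build one JSON log line: correlation IDs always present, payload redacted, audit flag set."""
    entry = {
        "level": level,
        "tenant_id": tenant_id,
        "request_id": request_id,
        "event": event,
        "audit": event in AUDIT_EVENTS,
    }
    entry.update(redact(fields))
    return json.dumps(entry, sort_keys=True)


def parse_line(line: str) -> dict:
    """Parse a line produced by build_line (useful for tests and for the alerting side)."""
    return json.loads(line)


class RedactingJsonFormatter(logging.Formatter):
    """logging.Formatter that emits build_line output; callers pass IDs and fields via `extra`."""

    def format(self, record: logging.LogRecord) -> str:
        return build_line(
            getattr(record, "tenant_id", "-"),
            getattr(record, "request_id", "-"),
            record.getMessage(),
            record.levelname.lower(),
            **getattr(record, "fields", {}),
        )


if __name__ == "__main__":
    # Constructed sample events; values are fake.
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingJsonFormatter())
    log = logging.getLogger("app")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("login.failed", extra={"tenant_id": "t-42", "request_id": "req-0001",
             "fields": {"user": "alice@example.com", "authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.x.y"}})
    log.info("catalog.read", extra={"tenant_id": "t-42", "request_id": "req-0002",
             "fields": {"note": "card 4111111111111111 key AKIAIOSFODNN7EXAMPLE"}})
```

Two design choices worth noting: denylisted keys are masked by key name rather than by inspecting the value, because a secret that does not match any pattern would otherwise leak, and the `audit` flag is computed at emission time so the alerting side can match on one boolean instead of maintaining its own list of event names.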
Need the answers in your own sheet (full CAIQ, VSA, or your internal format)? Send it over and we fill it in: admin@syncanix.com.
Last reviewed: 2026-06-10. Answers change when the controls change — never the other way around.