Control status summary: 11 implemented, 4 in progress, 0 planned, 0 not started.
| ID | Title | Description | Family | Framework Tags | Owner | Status | Evidence (count) | Policies (count) | Review Frequency |
|---|---|---|---|---|---|---|---|---|---|
| CTL-001 | Information Security Policy Governance | Formal information security policy is maintained, reviewed annually, and approved by leade… | Governance | NIST CSF 2.0 GV.PO; SOC 2 CC1.2 | CISO | implemented | 1 | 1 | annual |
| CTL-002 | Role-Based Access Control (RBAC) | Platform access is controlled via role-based access control. Roles are defined, assigned p… | Access Control | NIST CSF 2.0 PR.AA; SOC 2 CC6.1 | Engineering | implemented | 1 | 1 | quarterly |
| CTL-003 | Multi-Factor Authentication for Administrative Access | MFA is required for all administrative accounts and privileged access paths. Enforced via … | Access Control | NIST CSF 2.0 PR.AA-01; SOC 2 CC6.1 | Engineering | in progress | 0 | 1 | semi-annual |
| CTL-004 | Audit Logging | All security-relevant and administrative actions are logged in the audit_events table. Log… | Logging & Monitoring | NIST CSF 2.0 DE.AE; SOC 2 CC7.2 | Engineering | implemented | 1 | 1 | quarterly |
| CTL-005 | Encryption in Transit | All data transmitted between clients and the platform is encrypted using TLS 1.2 or higher… | Access Control | NIST CSF 2.0 PR.DS-02; SOC 2 CC6.7 | Engineering | implemented | 1 | 1 | annual |
| CTL-006 | Encryption at Rest | Customer data is stored on Supabase (PostgreSQL on AWS). AWS encrypts all storage volumes … | Access Control | NIST CSF 2.0 PR.DS-01; SOC 2 CC6.7 | Engineering | implemented | 1 | 1 | annual |
| CTL-007 | Incident Response Program | An incident response plan defines severity levels, escalation procedures, customer notific… | Incident Response | NIST CSF 2.0 RS.MA; SOC 2 CC7.3 | Engineering Lead | implemented | 1 | 1 | annual |
| CTL-008 | Business Continuity and Disaster Recovery | A business continuity summary defines recovery objectives, backup procedures, and communic… | Business Continuity | NIST CSF 2.0 RC.RP; SOC 2 A1.2 | Engineering Lead | in progress | 1 | 1 | annual |
| CTL-009 | Data Retention and Deletion | Data retention periods are defined by data category. Customer data deletion is supported v… | Data Retention & Deletion | NIST CSF 2.0 PR.DS-04; SOC 2 CC6.5 | Engineering | implemented | 1 | 1 | annual |
| CTL-010 | Subprocessor Management | Subprocessors used to deliver the platform are documented. Subprocessor list is maintained… | Vendor / Subprocessor Management | NIST CSF 2.0 GV.SC; SOC 2 CC9.2 | Legal / Engineering | implemented | 1 | 1 | annual |
| CTL-011 | Secure Software Development Lifecycle (SDLC) | Code changes are reviewed via pull request before deployment. Dependencies are tracked. Kn… | Secure SDLC | NIST CSF 2.0 PR.PS; SOC 2 CC8.1 | Engineering | in progress | 1 | 1 | semi-annual |
| CTL-012 | Change Management | Production changes are deployed via CI/CD pipeline with automated checks. Infrastructure c… | Change Management | NIST CSF 2.0 PR.PS-04; SOC 2 CC8.1 | Engineering | implemented | 1 | 1 | quarterly |
| CTL-013 | Least Privilege Access | Access to platform data and functions is scoped to the minimum necessary for each role. Su… | Access Control | NIST CSF 2.0 PR.AA-05; SOC 2 CC6.3 | Engineering | implemented | 2 | 1 | quarterly |
| CTL-014 | Risk Assessment | A risk assessment process identifies, evaluates, and prioritizes security risks. Findings … | Risk Management | NIST CSF 2.0 ID.RA; SOC 2 CC3.2 | Engineering Lead | in progress | 0 | 1 | annual |
| CTL-015 | DPA / Legal Agreements | A Data Processing Agreement (DPA) template is available for customer execution. Pilot enga… | Legal / Contractual | SOC 2 CC1.4 | Legal | implemented | 1 | 1 | annual |