Skip to main content
← Trust Center/CAIQ-Lite Pre-fill
Cloud Security Alliance · CCM v4.0 · Updated 2026-06-13

CAIQ-Lite Pre-fill

Butterfly Security's pre-filled response to the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v4.0.2, mapped to Cloud Controls Matrix v4.0 control domains. Yes / No / N/A answers with evidence pointers and in-progress qualifiers where applicable.

20Yes
5No
1N/A
26total

Posture as of 2026-06-13 · version 1.1.0. Where we answer No or where a control is in progress, the notes field states the honest status and target date. In particular: SOC 2 attestation is in preparation (Type 1 target Q3 2026, Type 2 target Q1 2027); external penetration testing is planned for Q4 2026 and firm selection has not begun. We do not claim attestations we do not yet hold.

AIS – Application & Interface Security

AIS-01.1

Are applications subject to security testing prior to a production release?

Yes

Pre-commit lefthook (secret scan, JSON validate, ESLint, no-console) plus regression tests on trust-critical paths. External pen test planned for Q4 2026 (firm selection not yet begun).

AAC – Audit Assurance & Compliance

AAC-01.1

Do you produce audit assertions on a recurring basis (e.g., SOC 2, ISO 27001)?

No

SOC 2 Type 1 in progress, target Q3 2026. SOC 2 Type 2 planned, target Q1 2027. No attestation report has been issued yet.

BCR – Business Continuity & Resilience

BCR-01.1

Is there a documented business continuity plan?

Yes

Documented in compliance/soc2/policies/BACKUP-AND-RECOVERY-POLICY.md. RPO 24h, RTO 4h. Single-founder compensating controls: vendor HA + self-backup of control plane + restore-test design + transparent health endpoint.

BCR-11.1

Are backup procedures tested at least annually?

No

Restore test procedure designed (compliance/soc2/backup-restore-tests/2026-06-01-design.md); first executed quarterly rehearsal scheduled Q3 2026 ahead of SOC 2 Type 1 fieldwork. Customer-facing dry-run restore preview is available in product today.

CCC – Change Control & Configuration

CCC-01.1

Are changes to systems reviewed and approved before being deployed?

Yes

Pull-request workflow + self-review checklist (solo founder compensating control). Pre-commit hooks enforced.

CEK – Cryptography, Encryption & Key Management

CEK-03.1

Is data encrypted in transit using strong protocols?

Yes

TLS 1.3 only. HSTS enforced. HTTP fallback disabled.

CEK-04.1

Is data encrypted at rest?

Yes

AES-256-GCM application-layer encryption with purpose-derived subkeys. Cloudflare R2 and Supabase add encryption at rest underneath.

CEK-10.1

Are cryptographic keys managed throughout their lifecycle?

Yes

Master key stored as Cloudflare Worker secret. Subkeys derived per purpose. Annual rotation target. JWKS overlap window for signing keys. HSM not used today.

DCS – Datacenter Security

DCS-01.1

Do you rely on third-party datacenters? If so, do they have attestation?

Yes

All hosting via Cloudflare (SOC 2 Type 2, ISO 27001, PCI DSS 4.0) and Supabase (SOC 2 Type 2, HIPAA-eligible). Butterfly operates no datacenters.

DSP – Data Security & Privacy Lifecycle

DSP-01.1

Is customer data classified?

Yes

Four levels: Public, Internal, Confidential, Restricted. Customer data defaults to Restricted.

DSP-04.1

Can customers request export and deletion of their data?

Yes

GDPR Article 17 (erasure with 30-day grace) and Article 20 (portability) implemented in /dashboard/settings/data-rights.

DSP-10.1

Is customer data used for AI model training?

No

AI features are opt-in. Metadata is redacted before any LLM call. OpenAI and Anthropic exclude API data from training per their published terms.

GRC – Governance, Risk & Compliance

GRC-01.1

Do you have a written information security program?

Yes

Information Security Policy + supporting policies (Access Control, Encryption, Incident Response, etc.). Annual review.

HRS – Human Resources

HRS-04.1

Are background checks performed on personnel with system access?

N/A

Single founder today. Background-check requirement encoded in Onboarding Policy for any future hire.

IAM – Identity & Access Management

IAM-02.1

Is MFA required for administrative access?

Yes

Mandatory on every vendor console and on Butterfly's own admin sign-in.

IAM-05.1

Is SAML 2.0 or OIDC supported for customer admins?

Yes

SAML 2.0 SP-initiated and IdP-initiated. SCIM 2.0 user provisioning and de-provisioning. Available on Business plan.

IAM-09.1

Are access reviews performed at least annually?

No

Access review process drafted in Access Control Policy; first executed quarterly review scheduled Q3 2026 ahead of SOC 2 Type 1 fieldwork.

IPY – Interoperability & Portability

IPY-02.1

Is customer data exportable in a standard, machine-readable format?

Yes

JSON export of every team-scoped row via /api/account/export. Backup snapshots are downloadable encrypted JSON.

IVS – Infrastructure & Virtualization Security

IVS-09.1

Is tenant isolation enforced in shared infrastructure?

Yes

Row-Level Security on every customer-data table. R2 snapshots namespaced by tenant. Server-side jobs explicitly scope every query.

LOG – Logging & Monitoring

LOG-01.1

Are audit logs retained?

Yes

365-day retention on activity_logs. Tamper-evident export via /api/export/audit-pack with SHA-256 manifest.

SEF – Security Incident Management, E-Discovery, & Cloud Forensics

SEF-03.1

Is there a documented incident response plan with customer notification timelines?

Yes

Customer notification within 72 hours of classification (GDPR Article 34 timing). SEV-1/2/3/4 classification.

STA – Supply Chain Management, Transparency, & Accountability

STA-04.1

Are subprocessors disclosed and reviewed?

Yes

Subprocessor list published at /subprocessors. Annual vendor security review plus on-onboarding.

STA-09.1

Are customers notified before a new subprocessor is added?

Yes

New subprocessors are announced in /changelog before activation.

TVM – Threat & Vulnerability Management

TVM-02.1

Are vulnerabilities patched on a defined cadence?

Yes

Critical: 72 hours. High: 7 days. Medium: 30 days. Dependabot + GitHub native secret scanning.

TVM-04.1

Is third-party penetration testing performed?

No

Planned for Q4 2026 as part of the SOC 2 Type 2 program (tracked under R-OPS-004). Firm selection has not begun.

UEM – Universal Endpoint Management

UEM-02.1

Are corporate endpoints centrally managed and hardened?

Yes

FileVault, OS auto-update, application firewall, password manager, screen lock. Single-founder org today.

Need a clarifying answer?

Email security@butterflysecurity.org with the CAIQ question ID and we will return a written answer within 2 business days. For executive review, book a 30-minute reference call.