CAIQ-Lite Pre-fill
Butterfly Security's pre-filled response to the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v4.0.2, mapped to Cloud Controls Matrix v4.0 control domains. Yes / No / N/A answers with evidence pointers and in-progress qualifiers where applicable.
Posture as of 2026-06-13 · version 1.1.0. Where we answer No or where a control is in progress, the notes field states the honest status and target date. In particular: SOC 2 attestation is in preparation (Type 1 target Q3 2026, Type 2 target Q1 2027); external penetration testing is planned for Q4 2026 and firm selection has not begun. We do not claim attestations we do not yet hold.
AIS – Application & Interface Security
Are applications subject to security testing prior to a production release?
Pre-commit lefthook (secret scan, JSON validate, ESLint, no-console) plus regression tests on trust-critical paths. External pen test planned for Q4 2026 (firm selection not yet begun).
AAC – Audit Assurance & Compliance
Do you produce audit assertions on a recurring basis (e.g., SOC 2, ISO 27001)?
SOC 2 Type 1 in progress, target Q3 2026. SOC 2 Type 2 planned, target Q1 2027. No attestation report has been issued yet.
BCR – Business Continuity & Resilience
Is there a documented business continuity plan?
Documented in compliance/soc2/policies/BACKUP-AND-RECOVERY-POLICY.md. RPO 24h, RTO 4h. Single-founder compensating controls: vendor HA + self-backup of control plane + restore-test design + transparent health endpoint.
Are backup procedures tested at least annually?
Restore test procedure designed (compliance/soc2/backup-restore-tests/2026-06-01-design.md); first executed quarterly rehearsal scheduled Q3 2026 ahead of SOC 2 Type 1 fieldwork. Customer-facing dry-run restore preview is available in product today.
CCC – Change Control & Configuration
Are changes to systems reviewed and approved before being deployed?
Pull-request workflow + self-review checklist (solo founder compensating control). Pre-commit hooks enforced.
CEK – Cryptography, Encryption & Key Management
Is data encrypted in transit using strong protocols?
TLS 1.3 only. HSTS enforced. HTTP fallback disabled.
Is data encrypted at rest?
AES-256-GCM application-layer encryption with purpose-derived subkeys. Cloudflare R2 and Supabase add encryption at rest underneath.
Are cryptographic keys managed throughout their lifecycle?
Master key stored as Cloudflare Worker secret. Subkeys derived per purpose. Annual rotation target. JWKS overlap window for signing keys. HSM not used today.
DCS – Datacenter Security
Do you rely on third-party datacenters? If so, do they have attestation?
All hosting via Cloudflare (SOC 2 Type 2, ISO 27001, PCI DSS 4.0) and Supabase (SOC 2 Type 2, HIPAA-eligible). Butterfly operates no datacenters.
DSP – Data Security & Privacy Lifecycle
Is customer data classified?
Four levels: Public, Internal, Confidential, Restricted. Customer data defaults to Restricted.
Can customers request export and deletion of their data?
GDPR Article 17 (erasure with 30-day grace) and Article 20 (portability) implemented in /dashboard/settings/data-rights.
Is customer data used for AI model training?
AI features are opt-in. Metadata is redacted before any LLM call. OpenAI and Anthropic exclude API data from training per their published terms.
GRC – Governance, Risk & Compliance
Do you have a written information security program?
Information Security Policy + supporting policies (Access Control, Encryption, Incident Response, etc.). Annual review.
HRS – Human Resources
Are background checks performed on personnel with system access?
Single founder today. Background-check requirement encoded in Onboarding Policy for any future hire.
IAM – Identity & Access Management
Is MFA required for administrative access?
Mandatory on every vendor console and on Butterfly's own admin sign-in.
Is SAML 2.0 or OIDC supported for customer admins?
SAML 2.0 SP-initiated and IdP-initiated. SCIM 2.0 user provisioning and de-provisioning. Available on Business plan.
Are access reviews performed at least annually?
Access review process drafted in Access Control Policy; first executed quarterly review scheduled Q3 2026 ahead of SOC 2 Type 1 fieldwork.
IPY – Interoperability & Portability
Is customer data exportable in a standard, machine-readable format?
JSON export of every team-scoped row via /api/account/export. Backup snapshots are downloadable encrypted JSON.
IVS – Infrastructure & Virtualization Security
Is tenant isolation enforced in shared infrastructure?
Row-Level Security on every customer-data table. R2 snapshots namespaced by tenant. Server-side jobs explicitly scope every query.
LOG – Logging & Monitoring
Are audit logs retained?
365-day retention on activity_logs. Tamper-evident export via /api/export/audit-pack with SHA-256 manifest.
SEF – Security Incident Management, E-Discovery, & Cloud Forensics
Is there a documented incident response plan with customer notification timelines?
Customer notification within 72 hours of classification (GDPR Article 34 timing). SEV-1/2/3/4 classification.
STA – Supply Chain Management, Transparency, & Accountability
Are subprocessors disclosed and reviewed?
Subprocessor list published at /subprocessors. Annual vendor security review plus on-onboarding.
Are customers notified before a new subprocessor is added?
New subprocessors are announced in /changelog before activation.
TVM – Threat & Vulnerability Management
Are vulnerabilities patched on a defined cadence?
Critical: 72 hours. High: 7 days. Medium: 30 days. Dependabot + GitHub native secret scanning.
Is third-party penetration testing performed?
Planned for Q4 2026 as part of the SOC 2 Type 2 program (tracked under R-OPS-004). Firm selection has not begun.
UEM – Universal Endpoint Management
Are corporate endpoints centrally managed and hardened?
FileVault, OS auto-update, application firewall, password manager, screen lock. Single-founder org today.
Need a clarifying answer?
Email security@butterflysecurity.org with the CAIQ question ID and we will return a written answer within 2 business days. For executive review, book a 30-minute reference call.