Vendor security questionnaire pre-fill
Hand this JSON to your procurement team to skip 20 hours of back-and-forth.
What you get
A single structured JSON document (under 100 KB) describing every control, subprocessor, attestation status, retention policy, and incident-response procedure Butterfly Security operates under. Field names align with SIG Lite categories and CAIQ v4 domains. Every field cites the source policy file or code path so your reviewer can audit the underlying evidence.
This document is metadata about Butterfly Security itself. It contains no customer data.
Preview
| Category | Field | Value |
|---|---|---|
| Company | Name | Butterfly Security |
| Company | Domain | butterflysecurity.org |
| Company | Security contact | security@butterflysecurity.org |
| Attestations | SOC 2 Type 1 | In progress – target Q3 2026 (Security, Availability, Confidentiality) |
| Attestations | SOC 2 Type 2 | Planned – target Q1 2027 |
| Attestations | ISO 27001 | Aligned, not certified |
| Attestations | HIPAA BAA | Available on request |
| Attestations | PCI DSS | Out of scope – Stripe handles all card data |
| Access control | MFA required | Yes (all vendor consoles) |
| Access control | SSO supported | SAML 2.0 (SP-initiated and IdP-initiated); SCIM 2.0 user provisioning |
| Encryption | At rest | AES-256-GCM at the application layer, plus Cloudflare R2 server-side encryption |
| Encryption | In transit | TLS 1.3 only, HSTS enforced |
| Encryption | Key derivation | Per-purpose subkeys derived with HMAC-SHA256 keyed by the master key and labelled by purpose (credentials / backups / integrity / idp) |
| Logging | Activity log retention | 365 days |
| Vulnerability mgmt | Patching SLAs | Critical 72h / High 7d / Medium 30d |
| Incident response | Customer notification SLA | 72 hours from classification (aligned with the 72-hour window in GDPR Article 33) |
| Data residency | Customer backups | Customer-selected Cloudflare R2 region |
| Data residency | Control plane | Supabase Postgres US-East |
| Subprocessors | Active list | Cloudflare, Supabase, Stripe, Twilio SendGrid, Resend, OpenAI, Anthropic |
| AI training | Customer data used for training? | No by default. Use requires explicit customer opt-in and metadata is redacted first; OpenAI and Anthropic API terms exclude training on API inputs |
| Legal | DPA available | Yes – request via security@butterflysecurity.org |
The preview is a curated subset. Download the JSON for full per-control evidence pointers, key derivation details, full subprocessor metadata, business-continuity controls, and pre-filled answers to the 16 most-asked questionnaire questions.
Most-asked questions
Do you sign DPAs?
Yes. Our standard DPA is available on request. Email security@butterflysecurity.org and we send the signature-ready PDF within 1 business day.
Where does our data live?
Customer backups are stored in your selected Cloudflare R2 region. Control-plane metadata lives in Supabase Postgres US-East. Full subprocessor list and regions on the Trust Center.
Is your application SOC 2 compliant?
SOC 2 Type 1 + Type 2 audit prep is underway as of June 2026. Type 1 target Q3 2026. Type 2 target Q1 2027. We will publish each attestation report the moment it is issued.
Do you support SAML SSO?
Yes. SAML 2.0 SP-initiated and IdP-initiated, plus SCIM 2.0 provisioning. Available on Business plan.
What encryption do you use?
AES-256-GCM at the application layer. Each purpose (credentials, backups, integrity, idp) gets its own subkey, derived from the master key with HMAC-SHA256 over the purpose label in the style of HKDF, so a key issued for one purpose cannot decrypt data stored under another. Cloudflare R2 adds server-side encryption at rest. TLS 1.3 only in transit.
Supported questionnaire formats
SIG Lite (Shared Assessments)
Field names in our JSON align with SIG Lite categories – Access Control, Asset Management, Cryptography, Incident Response, Vendor Management, Supplier Risk. Map our keys to your SIG-LITE-XXX question IDs.
CAIQ v4.0.2 (CSA Cloud Controls Matrix)
JSON covers all 17 CCM v4 domains: A&A, AIS, BCR, CCC, CEK, DCS, DSP, GRC, HRS, IAM, IPY, IVS, LOG, SEF, STA, TVM, UEM. Copy the values directly into your CAIQ workbook.
Custom F500 questionnaires
Most enterprise questionnaires draw from the same control families. Email security@butterflysecurity.org with the questionnaire and we will return it filled out within 2 business days.
In every case we provide the structured data and you map our keys to your framework's question IDs. If you need help with the mapping, email security@butterflysecurity.org.
Need a specific answer?
If your questionnaire asks something not covered in the JSON, get a written answer from Butterfly's security contact within 2 business days.
Email security@butterflysecurity.org