SIG-Lite Pre-fill
Butterfly Security's pre-filled response to the Shared Assessments Standardized Information Gathering (SIG) Lite questionnaire. Every answer maps to the standard SIG-Lite domain and question identifier so a procurement reviewer can paste our response directly into the internal tracker.
Posture as of 2026-06-13 · version 1.1.0. Where a control is in progress (for example, SOC 2 attestation targeting Q3 2026 Type 1 and Q1 2027 Type 2, or the external penetration test planned for Q4 2026 with firm selection not yet begun), the status is stated honestly with the target date. We do not claim attestations we do not yet hold.
B. Security Policy
Is there a documented information security policy?
Yes. Information Security Policy is reviewed annually. Owner: Founder (Mick Johnson).
Evidence: compliance/soc2/policies/INFORMATION-SECURITY-POLICY.md
C. Organizational Security
Is there an executive-level owner of the security program?
Yes. Mick Johnson (Founder) owns the security program. Future hires inherit role via Onboarding Policy.
Evidence: compliance/soc2/policies/ACCEPTABLE-USE-POLICY.md
D. Asset Management
Is there a documented asset inventory reviewed at least annually?
Yes. ASSET-INVENTORY.md tracks all production systems, subprocessors, and access roles. Reviewed quarterly.
Evidence: compliance/soc2/ASSET-INVENTORY.md
F. Physical Security
Where is customer data physically located?
Cloudflare R2 (customer-selected region) for backup snapshots. Supabase Postgres US-East for control-plane metadata. No Butterfly-operated data centers.
Evidence: Subprocessor list
G. Communications and Operations
Are systems hardened and patched on a defined cadence?
Critical: 72 hours. High: 7 days. Medium: 30 days. Dependabot for dependencies.
Evidence: compliance/soc2/policies/VULNERABILITY-MANAGEMENT-POLICY.md
Is multi-factor authentication required for administrative access?
Yes. MFA is mandatory for every vendor console with no exceptions. Hardware keys preferred for production secrets.
Evidence: compliance/soc2/policies/ACCESS-CONTROL-POLICY.md
How is data encrypted in transit?
TLS 1.3 only on every endpoint. HSTS enforced. No HTTP fallback.
Evidence: Cloudflare Worker default
How is data encrypted at rest?
AES-256-GCM application-layer encryption with purpose-derived subkeys via HMAC-SHA256 from a single master ENCRYPTION_KEY. Cloudflare R2 and Supabase add their own encryption-at-rest underneath.
Evidence: compliance/soc2/policies/ENCRYPTION-POLICY.md
Are audit logs collected and protected from tampering?
Yes. Every state change writes to activity_logs (365-day retention). Append-only access patterns. Customers can export a SHA-256-manifested evidence bundle via /api/export/audit-pack.
Evidence: compliance/soc2/policies/LOGGING-AND-MONITORING-POLICY.md
H. Access Control
Is least-privilege enforced?
Default-deny, role-based (super_admin / admin / backup_operator / auditor / read_only). Access review process drafted; first quarterly review scheduled Q3 2026 ahead of SOC 2 Type 1 fieldwork.
Evidence: compliance/soc2/policies/ACCESS-CONTROL-POLICY.md
Is SSO supported for customer admins?
SAML 2.0 SP-initiated and IdP-initiated supported, plus SCIM 2.0 provisioning and de-provisioning. Available on Business plan.
Evidence: src/app/api/scim/
I. System Acquisition
Is there a secure SDLC?
Pre-commit hooks (secret scan, JSON validate, ESLint, no-console). TypeScript strict on trust-critical paths. Threat modeling per-feature for trust-critical surfaces (auth, crypto, tenant binding).
Evidence: compliance/soc2/policies/SDLC-POLICY.md
J. Incident Management
Is there a documented incident-response plan?
Yes. SEV-1/2/3/4 classification. Customer notification within 72 hours of classification (GDPR Article 34 timing).
Evidence: compliance/soc2/incident-response/IR-PLAN.md
What is your customer breach-notification SLA?
72 hours from incident classification. Acknowledged within 24 hours, 7 days a week.
Evidence: compliance/soc2/incident-response/IR-PLAN.md
K. Business Continuity
What are your RPO and RTO?
RPO 24 hours. RTO 4 hours. Restore test procedure designed; first executed quarterly rehearsal scheduled Q3 2026. Butterfly's own control plane is encrypted-snapshotted to R2 daily.
Evidence: compliance/soc2/policies/BACKUP-AND-RECOVERY-POLICY.md
L. Compliance
What compliance attestations do you hold?
SOC 2 Type 1 in progress, target Q3 2026. SOC 2 Type 2 planned, target Q1 2027. GDPR and CCPA compliant. HIPAA BAAs are not currently signed; BAA program planned after SOC 2 Type 2. PCI DSS out of scope (Stripe handles all card data).
Evidence: compliance/soc2/SPRINT-90-DAY.md
Do you sign DPAs?
Yes. DPA published at /dpa. Standard Contractual Clauses cover EU-to-US transfers where applicable.
Evidence: src/app/(marketing)/dpa/
M. Privacy
How are data-subject rights handled?
GDPR Article 17 (erasure with 30-day grace) and Article 20 (portability) are self-service in /dashboard/settings/data-rights.
Evidence: src/app/api/account/{delete,export}/
Is customer data used to train AI models?
No. AI features are opt-in. Metadata is redacted before any LLM call. OpenAI and Anthropic exclude API data from training per their published terms.
Evidence: src/app/api/ai/
N. Threat Management
Do you perform penetration testing?
External penetration test planned for Q4 2026 as part of the SOC 2 Type 2 program (tracked under R-OPS-004). Firm selection has not begun. No prior third-party pen test on file.
Evidence: compliance/soc2/policies/VULNERABILITY-MANAGEMENT-POLICY.md
P. Endpoint Security
How are employee endpoints secured?
FileVault full-disk encryption, OS auto-update, application firewall, password manager, screen lock. Single-founder org today; future hires inherit endpoint baseline at onboarding.
Evidence: compliance/soc2/policies/ACCEPTABLE-USE-POLICY.md
R. Cloud Hosting Risk
Where is the application hosted?
Cloudflare Workers (global edge). Supabase Postgres US-East for control plane. Cloudflare R2 for backup snapshots, region selected by customer at connection setup.
Evidence: Subprocessor list
Is the platform multi-tenant or single-tenant?
Multi-tenant with logical isolation: Row-Level Security on every customer-data table; R2 snapshots namespaced by tenant; server-side jobs explicitly scope every query.
Evidence: src/lib/multiProvider.ts
Need a question not covered here?
Email security@butterflysecurity.org with the SIG-Lite question ID and we will return a written answer within 2 business days. For executive review, book a 30-minute reference call.