{
  "questionnaire": "SIG Lite",
  "version": "2025",
  "vendor": "Atestaria",
  "completed_at": "2026-05-03",
  "answers": {
    "A.1 Risk assessment": "Performed annually using NIST 800-30; threat model maintained in repo.",
    "B.1 Security policy": "Information Security Policy published internally and reviewed annually.",
    "C.1 Organizational security": "Security responsibilities documented; SecOps on-call rotation 24x7.",
    "D.1 Asset management": "Asset inventory in CMDB; classification levels Public/Internal/Confidential/Restricted.",
    "E.1 Human resources": "Background checks for staff with prod access; mandatory annual security training.",
    "F.1 Physical & environmental": "Hosted on Replit / managed cloud (SOC 2 inherited).",
    "G.1 Communications & operations": "Hardened OS images; centralized logging; OpenTelemetry tracing.",
    "H.1 Access control": "RBAC + SSO/SAML/OIDC + SCIM 2.0; MFA enforced for prod access; least privilege.",
    "I.1 Information systems acquisition": "SAST and dependency audit on every commit; secure SDLC documented.",
    "J.1 Incident management": "Documented incident response runbook; max RTO 5 min, RPO 1 min for prod.",
    "K.1 Business continuity": "Multi-region active-passive; quarterly failover tests planned for Phase 4.",
    "L.1 Compliance": "GDPR, LGPD, CCPA, PIPEDA, POPIA. SOC 2 Type I in progress; ISO 27001 in progress.",
    "M.1 Cryptography": "TLS 1.2+; AES-256-GCM at rest; Ed25519 server signing via KMS; quantum-safe ML-DSA available.",
    "N.1 Privacy": "Privacy by design; only hashes stored. DSAR endpoints at /privacy.",
    "O.1 Threat & vulnerability": "Public bug bounty program; quarterly pen tests planned.",
    "P.1 Server security": "Immutable infrastructure; rate limiting; WAF planned.",
    "Q.1 Endpoint security": "MDM-managed laptops; full-disk encryption; EDR.",
    "R.1 Network security": "TLS everywhere; private networking; egress-restricted prod.",
    "S.1 Application security": "OWASP ASVS L2; SAST/DAST; dependency scanning.",
    "T.1 Cloud hosting": "Replit / Polygon / Base; provider SOC 2 inherited."
  }
}