Trust Center
Effective: December 8, 2025

Security Statement

Custodia is committed to protecting your data. This statement describes our security practices and commitments.

1. Our Security Commitment

As a platform serving defense contractors, we understand the sensitivity of compliance data. We implement security controls aligned with industry best practices to protect the confidentiality, integrity, and availability of your data. Security is a continuous process, and we regularly assess and improve our practices.

2. Data Encryption

All data transmitted between your browser and Custodia is encrypted using TLS 1.2 or higher. Data stored in our databases is encrypted at rest using AES-256 encryption. Encryption keys are managed securely and rotated periodically. Backups are also encrypted.

3. Access Controls

We implement the principle of least privilege for all systems and personnel. Employee access to customer data is limited to those with a legitimate business need, such as support personnel responding to your request. Access is authenticated using strong credentials and, where applicable, multi-factor authentication. Access logs are maintained and reviewed.

4. Infrastructure Security

Custodia is hosted on reputable cloud infrastructure providers (Vercel, Neon) that maintain SOC 2, ISO 27001, and other certifications. We leverage their physical security, network security, and operational security controls. Our application architecture follows secure development practices.

5. Application Security

We follow secure software development practices including: (a) security-focused code reviews; (b) dependency vulnerability scanning; (c) input validation and output encoding; (d) protection against common vulnerabilities (OWASP Top 10); (e) regular updates and patching. We use modern frameworks that provide built-in security features.

6. Evidence File Hashing

When you upload evidence files, Custodia calculates and stores a SHA-256 cryptographic hash of each file. Recomputing the hash of a file later and comparing it with the stored value lets you detect whether the file's contents have changed since upload; any modification, however small, produces a different hash. IMPORTANT LIMITATIONS: This feature is a technical aid for your internal processes. It does not establish legal chain of custody, guarantee file authenticity, or replace proper evidence handling procedures required by CMMC or legal proceedings.

7. Monitoring and Logging

We maintain logs of system activities, security events, and access attempts. Logs are monitored for anomalies and potential security incidents. We employ automated alerting for suspicious activities. Log retention periods balance security needs with privacy considerations.

8. Incident Response

We maintain an incident response plan for security events. In the event of a data breach affecting your information, we will: (a) notify you within 72 hours; (b) provide details about the nature and scope of the incident; (c) describe remediation steps taken; (d) cooperate with your incident response efforts. Report security concerns to security@custodiallc.com.

9. Vulnerability Disclosure

If you discover a security vulnerability in Custodia, please report it responsibly to security@custodiallc.com. Include: (a) description of the vulnerability; (b) steps to reproduce; (c) potential impact. We will acknowledge receipt within 48 hours and work to address valid reports promptly. We do not currently offer a formal bug bounty program.

10. Business Continuity

We implement measures to ensure service availability including: (a) regular automated backups; (b) geographic redundancy through our infrastructure providers; (c) monitoring and alerting for service disruptions; (d) tested recovery procedures. While we strive for high availability, we do not guarantee specific uptime percentages.

11. Your Security Responsibilities

Security is a shared responsibility. You are responsible for: (a) using strong, unique passwords; (b) not sharing account credentials; (c) reporting suspected unauthorized access; (d) ensuring your own systems meet CMMC requirements; (e) properly handling exported data. Custodia securing your data in our systems does not make your organization CMMC compliant.

Questions about this policy?

Contact us and we'll help clarify.

support@custodiallc.com