CyberGrid · Procurement Template 05

Vendor Security Questionnaire

Pre-filled answers to the standard procurement security questions. Aligns with SIG Lite, CAIQ, and Vanta-style vendor-review templates.
Vendor: CyberGrid
Primary contact: hello@thecybergrid.com
Security contact: security@thecybergrid.com
Trust page: thecybergrid.com/trust
Document version: v1.0 · [Date]

If your security review uses a different framework (SIG Core, CAIQ, ISO 27001 SoA mapping, your in-house Excel sheet), email hello@thecybergrid.com and we'll respond in your preferred format within one business day.

A. Company & governance
A.1 Company background — when was the vendor founded, ownership structure, legal entity?
CyberGrid is a privately-held security testing services company. Legal entity name and incorporation details available on request under NDA.
A.2 Number of employees with access to customer environments or data?
Small, engineering-led team. The named lead on every engagement is the engineer performing the work; access is on a per-engagement basis under a signed Statement of Work.
A.3 Information security governance — is there a designated security owner?
Yes. The engineering lead is responsible for information security policy, incident response, and access management. Policies are reviewed annually and after any material incident.
A.4 Industry certifications (SOC 2, ISO 27001, etc.)?
CyberGrid does not currently hold a SOC 2 Type II or ISO 27001 certification. We sell security testing, not a SaaS product that stores ongoing customer production data, so most certification frameworks are oversized for our risk surface. We implement the underlying controls (see the technical and organizational measures in our DPA) and provide evidence on request.
A.5 Cybersecurity insurance / errors & omissions coverage?
Coverage details available on request to enterprise customers under NDA.
B. Personnel security
B.1 Background checks on personnel with access to customer environments?
Conducted where permitted by local law for any personnel with access to customer environments or data.
B.2 Security training for personnel?
All personnel with access to customer environments are bound by written confidentiality agreements and receive role-specific security training annually.
B.3 Confidentiality agreements?
Yes — all personnel and contractors with access to customer data sign written confidentiality agreements. Customer NDAs flow down to any individual touching the engagement.
C. Access control
C.1 Multi-factor authentication for administrative accounts?
Required for all administrative accounts (GitHub, Netlify, Neon, Stripe, Fly.io, email, password manager).
C.2 Principle of least privilege?
Yes. Access to customer data and production systems is granted on a per-engagement, time-limited, role-based basis. Access reviews conducted quarterly.
C.3 Customer authentication on the CyberGrid platform?
Magic-link email authentication with hashed token storage (SHA-256). Session cookies are HttpOnly, Secure, SameSite=Lax. Tokens expire within 15 minutes; sessions can be revoked at any time.
C.4 Password / credential storage?
CyberGrid does not store user passwords (passwordless auth via magic link). Customer secrets (API keys, etc.) provided for testing are held in environment-managed secret stores (Netlify env, Fly secrets) and destroyed at engagement end.
D. Data handling
D.1 Data encryption at rest?
All data encrypted at rest. Database: Neon Postgres (AES-256). File storage: Netlify Blobs (encrypted at rest). Backups: encrypted.
D.2 Data encryption in transit?
TLS 1.2 or higher for all customer-facing and inter-service connections. TLS 1.0 / 1.1 are explicitly disabled.
D.3 Data residency / hosting location?
All customer data is hosted in the United States (US-East primary). EU / UK data residency available on request for enterprise customers.
D.4 Data retention?
Customer reports + attestations: retained for the life of the customer account, plus 90 days after closure. Engagement test data: deleted within 30 days of final report delivery. Audit logs: 12 months. See the DPA for full retention schedule.
D.5 Data deletion on customer request?
Yes. Customer-requested data deletion is honored within 30 days. A signed certificate of destruction is provided on request.
D.6 Co-mingling of customer data?
Customer data is logically segregated by organization ID in our database. Engagement-specific data (testing artifacts, findings) is segregated by engagement ID with row-level access control.
E. Infrastructure security
E.1 Cloud / hosting providers?
Application: Netlify (US). Database: Neon Postgres (US). Scan compute: Fly.io (US, isolated region). Email: Resend. Payments: Stripe. All listed and updated on thecybergrid.com/trust-package.
E.2 Network segmentation?
Production environment isolated from development. Scan-worker compute runs in an isolated single-region container with no inbound access (worker polls outbound for jobs). Ingress to the web application restricted to authorized origins.
E.3 Patching and vulnerability management?
Dependencies tracked via npm; security advisories monitored. Critical patches applied within 7 days; high within 30 days. Underlying platform patches (Netlify, Neon, Fly.io) applied automatically by providers.
E.4 Secret management?
All secrets stored in environment-managed secret stores (Netlify env variables, Fly secrets). Never committed to source. Quarterly secret rotation.
F. Application security
F.1 Secure software development lifecycle?
Code review required on the production branch. Signed commits on protected branches. Linting + automated tests on every PR. Internal security testing of the CyberGrid platform itself.
F.2 Third-party penetration testing of your own systems?
CyberGrid runs its own automated security assessments against its production infrastructure. A responsible-disclosure program is published at thecybergrid.com/trust; security researchers can report vulnerabilities to security@thecybergrid.com with a commitment to acknowledge within 2 business days and remediate per severity.
F.3 Input validation and output encoding?
All user input parameterized in database queries (no string-concatenated SQL). HTML output escaped via templating engine. Content-Security-Policy header restricts inline scripts.
G. Logging & monitoring
G.1 Audit logs?
Audit logs maintained for: authentication events, data access, administrative actions, and any change to customer scope. Logs retained 12 months.
G.2 Log tampering protection?
Logs stored in append-only fashion on managed platforms (Netlify function logs, Neon Postgres audit logging, Fly.io machine logs). Access to log infrastructure is restricted to administrative accounts with MFA.
G.3 Monitoring and alerting?
Real-time alerting on authentication anomalies, error-rate spikes, and infrastructure health. Alerts routed to the on-call engineer (same engineer who runs engagements).
H. Incident response
H.1 Documented incident response plan?
Yes. Incident response plan covers detection, containment, eradication, recovery, customer notification, and post-incident review. Available to enterprise customers on request under NDA.
H.2 Customer notification SLA for security incidents?
For security incidents affecting customer data: notification within 72 hours of confirmed incident (faster for critical incidents). For Personal Data breaches under GDPR: notification within 72 hours of becoming aware, per the DPA.
H.3 Incidents in the last 12 months?
None resulting in customer data exposure.
I. Business continuity & disaster recovery
I.1 Backup frequency?
Database: continuous backup with point-in-time recovery (Neon's built-in PITR, ~5-minute granularity). Application code: version-controlled (GitHub).
I.2 Recovery time objective (RTO) / Recovery point objective (RPO)?
Stated targets: RTO 24 hours, RPO 1 hour. Actual recovery time for typical incidents (function failure, deploy revert) is minutes due to platform-provided rollback. Database PITR allows recovery to any point within the retention window.
I.3 Disaster recovery testing?
Annual restoration tests of the database from backup; quarterly verification of the deployment-rollback procedure.
J. Sub-processors & third parties
J.1 Are sub-processors used?
Yes — list maintained at thecybergrid.com/trust-package and in Annex B of the DPA. Includes Netlify (hosting), Neon (database), Fly.io (compute), Stripe (payments), Resend (email).
J.2 Process for adding or changing sub-processors?
Customer notified at least 14 days before any sub-processor change, per the DPA. Customer may object on data-protection grounds.
J.3 Sub-processor diligence?
Sub-processors selected based on security posture, certifications (where applicable), and contractual obligations no less protective than the DPA between us and Customer.
K. Regulatory & compliance
K.1 GDPR compliance?
DPA includes GDPR Article 28 processor terms, SCC reference for EU→US transfers, sub-processor list, and TOMs annex.
K.2 CCPA / CPRA compliance?
DPA includes CCPA/CPRA service-provider provisions. CyberGrid does not sell or share Personal Information.
K.3 HIPAA — do you sign Business Associate Agreements?
For engagements involving Protected Health Information, CyberGrid will execute a Business Associate Agreement. Email hello@thecybergrid.com to request the BAA template.
K.4 PCI DSS scope?
Payment processing is handled entirely by Stripe; CyberGrid never sees, stores, or processes cardholder data. PCI DSS scope is Stripe's.
L. Customer rights & assurance
L.1 Right to audit?
Customers may audit CyberGrid's compliance with the DPA once per year, with reasonable advance notice. Provider may satisfy this by providing current third-party reports.
L.2 Termination assistance & data return?
Upon termination, all customer data is returned or deleted (Customer's choice) within 30 days, per the DPA.
L.3 Contract amendments & flow-down?
Customer-specific terms negotiated case-by-case. CyberGrid honors flow-down obligations from Customer's own customers where commercially reasonable.

Anything not answered here? Email hello@thecybergrid.com. A real engineer (the same one who runs the engagement) responds within one business day. We're happy to fill out your specific spreadsheet, walk through these answers on a call, or provide additional evidence under NDA.

CyberGrid · Vendor Security Questionnaire · v1.0 · thecybergrid.com/trust-package