This page is the public CAIQ-Lite (the Cloud Security Alliance's lightweight Consensus Assessments Initiative Questionnaire) for MonteKristo. Auto-generated from /about/trust. Updated when posture changes.
Need the full CAIQ or SIG-Lite questionnaire? Email security@montekristo.co. We respond within 1 business day.
Identity & access
Is multi-factor authentication enforced for all administrative access?
Yes. WebAuthn or TOTP on every admin account across GitHub, Vercel, Supabase, GHL, Anthropic, OpenAI.
Are admin credentials shared?
No. Per-individual accounts. Shared service accounts use vault-managed credentials.
Is least-privilege enforced?
Yes. Per-service IAM scoped to required capability set. Reviewed quarterly.
Data protection
Is data encrypted at rest?
Yes. Supabase + Vercel Postgres + Cloudflare R2 all AES-256 at rest by default.
Is data encrypted in transit?
Yes. TLS 1.3 everywhere. HSTS preload on montekristo.co.
How do you handle PII?
Per-engagement DPA. Contact form data lives in GHL with audit trail. Voice demo audio retained 7 days.
Are backups maintained?
90-day rolling encrypted backups of production database. Tested quarterly.
Incident response
Public security contact?
security@montekristo.co
SLA?
P0: acknowledgment within 1 hour, resolution within 4 hours. P1: acknowledgment within 4 hours.
Disclosure?
Public post-mortem within 30 days for any incident affecting client data.
Compliance
SOC 2 Type II?
Vanta engagement Q3 2026. First audit window Q1 2027.
ISO 27001?
Evaluation Q2 2027.
HIPAA?
BAA available per engagement when scope requires.
EU AI Act?
Limited risk classification. Voice agents disclose AI nature on greeting.
Vendor management
Sub-processors?
Public list at /about/trust.
Vendor security review?
Yes. Every sub-processor is required to have SOC 2 or equivalent before onboarding.
Notification of vendor changes?
We notify clients 30 days before adding a sub-processor that handles their data.