AscendCore
CISO quick-reference · Updated 2026-05-14

CISO Top-50

The 50 most-asked security questions across SIG-Lite, CAIQ v4, and VSA short form — answered for AscendCore. Tight format for CISOs who want the high-leverage subset, not the full reference.

01

Do you support SSO via SAML or OIDC?

Yes — OIDC SSO via Microsoft Entra ID and Okta is live in production. SAML on roadmap as customer demand surfaces.

02

Is MFA enforced for admin access?

Yes — mandatory IdP-mediated MFA. Admin auth runs through the customer's identity provider; MFA enforced at the IdP per their conditional access policy. Optional mandatory-SSO mode disables password fallback entirely (env var ADMIN_REQUIRE_SSO=true).

03

What authentication factors are supported?

Whatever the customer's IdP supports — TOTP, FIDO2/WebAuthn, push notifications, hardware tokens, biometric, SMS (where allowed). AscendCore delegates to the IdP; we don't reimplement MFA.

04

Do you implement role-based access control?

Yes — three roles (Owner / Demo / Guest) with server-side enforcement on every mutation route. Verified in audit commit 2411594.

05

How are privileged actions audited?

Every approve / deny / execution event appended to a SHA-256 tamper-evident audit chain in Postgres. Each record links to the prior record's hash; customer-exportable for independent cryptographic verification.

06

What is your password policy?

For legacy password fallback (most customers use SSO instead): 12+ chars, mixed case, number, special char, bcrypt cost-factor-12 storage, rate-limited. We recommend mandatory-SSO mode to eliminate the password attack surface.

07

How are service accounts and API keys managed?

Customer API: Stripe-style bearer tokens with 256-bit entropy, per-key rate limits, per-key revocation, scoped permissions. Customer integration credentials: per-org Doppler vaults, scoped to minimum required permissions per documented manifests in /docs/onboarding.

08

Do you support just-in-time access provisioning?

Customer-side: yes — runbooks like role-change and new-hire orchestrate JIT permission grants with audit-chain logging. AscendCore-side: founder-only today; will formalize with first technical hire.

09

How is credential rotation handled?

Customer integration credentials follow the customer's own rotation cadence (we accept whatever cadence the customer's IdP enforces). AscendCore-side platform credentials are rotated annually or after any suspected compromise; Vanta tracks rotation evidence.

10

Do you support customer-managed encryption keys (BYOK)?

On roadmap H1 2027 — bring-your-own-KMS architecture for application-level data encryption, targeted at customers with regulatory requirements that mandate dedicated key custody.

11

How is data encrypted in transit?

TLS 1.3 minimum across all customer-facing surfaces. HSTS enforced with 1-year max-age + preload. Internal service-to-service traffic also TLS 1.3 (no plaintext bus).

12

How is data encrypted at rest?

AES-256 across all stored data: Neon Postgres (provider-managed), Cloudflare R2 (AES-256-GCM), Netlify Blobs (AES-256-GCM), Doppler secret vaults (AES-256 envelope encryption).

13

What hash algorithms do you use?

SHA-256 for the audit chain (NIST FIPS 180-4). bcrypt cost-factor-12 for password storage. HMAC-SHA256 for outbound webhook signing + inbound Slack webhook verification. Timing-safe comparison via Node's crypto.timingSafeEqual.

14

Do you use any deprecated cryptography?

No — MD5, SHA-1, DES, 3DES, RC4, TLS < 1.2 are not used anywhere in production. Dependency scanning (Dependabot + npm audit) flags weak crypto in transitive deps.

15

How are encryption keys managed?

Today: provider-managed (Neon, Cloudflare R2, Netlify, Doppler). BYOK / customer-managed keys on roadmap H1 2027.

16

Where is customer data stored geographically?

Primary: US-East-1 (Neon). Object storage: US (Cloudflare R2). Edge cache: global CDN (no customer data persisted at edge). EU-only data residency available as custom Enterprise engagement (quoted on request).

17

Are you GDPR compliant?

Yes — as a data processor on behalf of customer-controllers. Standard Contractual Clauses (SCCs) included in master DPA. GDPR-required breach notification (72-hr supervisory authority + affected data subjects) is part of the incident response runbook.

18

Are you CCPA compliant?

Yes — privacy notice published at /privacy reflects CCPA disclosure requirements; data subject requests routed via security@ascendcore.ai with 30-day SLA. We act as a service provider under CCPA terms; do not sell personal information.

19

What customer data do you process?

Customer admin identity (email, name, role); customer end-user identity (email, name) when a runbook targets them; per-org integration credentials (in Doppler); approval metadata in the audit chain; transient natural-language ticket text routed to LLM for intent classification.

20

What data do you NOT process?

We do not store email body content, endpoint device data, customer financial records, customer health records, or customer source code. We're a workflow orchestrator, not a data warehouse.

21

What is your data retention policy?

Audit chain: lifetime of customer relationship + 7 years (or per MSA). Application logs: 30 days. Security event logs: 90 days. Integration credentials: deleted within 24 hours of customer churn. Admin identity records: 30 days post-churn then purged unless legal hold.

22

How is data deleted on customer offboarding?

Integration credentials: purged from Doppler within 24 hours of churn + tombstone audit record. Admin identity: 30 days post-churn then hard-purged. Audit chain retained per MSA term (default 7 years; customer can request shorter via contractual amendment).

23

What data is sent to the LLM provider?

Only natural-language intent classification prompts (unprocessed ticket text from Slack/Teams). LLM returns a runbook classification — never sees credentials, never has execution access, never sees the actual customer system data. Anthropic ZDR enabled for Enterprise tier.

24

Do you maintain a list of sub-processors?

Yes — published at /security/overview. 30-day advance notice of changes per DPA. Major sub-processors: Neon (DB), Netlify (hosting), Cloudflare R2 (storage), Doppler (secrets), Anthropic (LLM), Stripe (billing), BetterStack (monitoring), Resend (email), Vanta (SOC-2 evidence).

25

Do you sign DPAs with sub-processors?

Yes — DPA in force with every sub-processor handling customer data. Sub-processor DPAs reviewed during procurement legal review and disclosed in our master DPA template upon request.

26

How do you evaluate sub-processor security posture?

Selection prefers vendors with completed SOC-2 Type II + EU/US data-flow compliance. Evaluation criteria: public security posture (SOC-2/ISO), DPA quality, data residency, minimum-required-scope feasibility, customer-level revocation ability.

27

What audit logging do you maintain?

Every approve / deny / execution event appended to a per-org SHA-256 tamper-evident audit chain in Postgres. Records include timestamp, actor, action, resource, outcome, mode, prev_hash, this_hash. Append-only — UPDATE/DELETE denied at the database role layer.

28

Can customers verify audit log integrity independently?

Yes — customers can export the full audit chain via CSV from the dashboard. The chain hash is cryptographically verifiable using a published verification routine (same code AscendCore runs internally). Tampering breaks chain hash verification immediately.

29

How long are audit logs retained?

Customer audit chain: 7 years post-churn (default) or per MSA. Application logs: 30 days minimum. Security event logs: 90 days minimum, longer if part of an active investigation.

30

What anomalous-activity detection do you have?

Today: 5xx spike alerts, rate-limit hit alerts surfaced to dashboard, audit-chain hash-verification failure fires P1. In progress (Step 5 of bootstrap roadmap): Sentry + Axiom for structured anomaly detection — pattern-based alerts on unusual API key usage, geographic anomalies, time-of-day deviation.

31

How is log access controlled?

Customer audit chains: read-only to the customer's owner-role users. AscendCore staff have no routine read access to customer data; production access requires a named-justification break-glass procedure that is logged immutably.

32

Do you have a documented incident response process?

Yes — five-stage runbook (detection, containment, eradication, recovery, post-mortem). Severity definitions and response targets written into customer MSA. P1: 30-min ack, 4-hr resolution. P2: 2-hr ack, 1 business day. P3: 1 business day ack, best-effort. SOC-2 Type I (Q3 2026) formalizes to audit standard.

33

What's your customer notification SLA for security incidents?

1 hour for any confirmed data incident affecting customer-controlled data (subject to applicable legal counsel review). Notification via dedicated Slack Connect channel + email to designated security contact + public status page if cross-customer impact.

34

Are you GDPR-compliant for breach notification?

Yes — 72-hour notification to supervisory authority + affected data subjects is built into the runbook. Counsel review precedes external regulatory notification.

35

Do you conduct tabletop exercises?

Quarterly exercises documented internally — first formal drill cycle begins Q3 2026 alongside SOC-2 evidence window. Pre-formal: ad-hoc walkthroughs of top-3 likely scenarios (credential compromise, integration outage cascade, audit-chain corruption).

36

Do you have an after-hours on-call rotation?

Founder-only today, with after-hours P1 paging via BetterStack alert routing. After-hours coverage is documented as a customer-MSA term (limited to P1 events; P2/P3 follow business-hours response). Expands with first technical hire.

37

What is your RPO and RTO?

RPO 1 hour (Neon point-in-time recovery captures every write with 1-hour-or-better granularity). RTO 4 hours for full cold-restore (Neon restore + Netlify redeploy + Doppler secret resync). Most outages recover automatically at the provider level with much shorter RTO.

38

How often do you back up data?

Continuous: Neon point-in-time recovery captures every write. Daily snapshots retained 30 days. Weekly snapshots retained 1 year. Audit chains have additional immutability protection at the application layer.

39

Do you test backups?

Quarterly restore drills documented internally — first formal cycle Q3 2026 alongside SOC-2 evidence. Pre-formal: ad-hoc restore tests after any material schema change.

40

Is your infrastructure multi-region?

Single-region today (US-East-1 + Netlify US edge). Multi-region failover on roadmap for 2027 when customer SLA tier exceeds 99.5%. Custom Enterprise engagements available today for stricter availability requirements.

41

What is your status page URL?

https://status.ascendcore.ai — synthetic monitoring from 4 global regions at 3-minute cadence via BetterStack. Subscribe via email, SMS, Slack, or webhook. 90-day uptime history public per service.

42

Do you have a secure SDLC?

Yes — source in private GitHub repos, branch-based with required reviews on critical paths (auth, audit chain, multi-tenancy, billing). 705+ unit tests on every commit. Static analysis (TypeScript strict + ESLint + npm audit). Atomic deploys via Netlify with single-click rollback.

43

Do you perform security code review?

Every change touching auth, audit chain, customer data flow, or integration credentials is reviewed against threat-model docs. Security-relevant tests pinned in the suite (auth bypass tests, demo-mode enforcement, audit-chain integrity, signature verification).

44

What dependency vulnerability scanning do you have?

GitHub Dependabot + npm audit on every commit. Snyk integration on roadmap Q3 2026 alongside SOC-2 evidence collection.

45

When do you conduct penetration testing?

Independent third-party pen test scheduled Q3 2026, after multi-tenancy Phase 3 + observability story complete. Reports available under NDA for active procurement conversations.

46

Do you have a vulnerability disclosure / bug bounty program?

Coordinated disclosure via security@ascendcore.ai — acknowledged within 1 business day. Formal bug bounty program on roadmap H2 2026 (post-SOC-2 Type I cert).

47

What certifications do you hold today?

SOC-2 Type I path locked as of 2026-05-14 — Vanta enrolled this week, audit window open, Type I certification targeted Q3 2026. No other formal certifications today.

48

Are you HIPAA / PCI / FedRAMP compliant?

HIPAA: demand-driven, BAA template ready, activated when first healthcare customer signs. PCI: not in scope (Stripe handles payment processing, Level 1 compliant). FedRAMP: out of scope for current target market (mid-market commercial).

49

When will you have SOC-2 Type II?

Roadmap H2 2027 — after Type I cert (Q3 2026) + standard observation period (~12 months) for the Type II window.

50

Can you share your latest SOC-2 report?

Type I is in progress as of 2026-05-14. When the cert lands, the report will be available under NDA for active procurement conversations. Interim: Vanta evidence-collection state is reviewable under NDA for customers who want to verify controls being assessed.

Need more detail?

The Master Reference is the comprehensive ~6,500-word version with full context per topic. Includes governance, asset management, SDLC, BCP/DR, and physical security.
