We build compliance tools — security is in our DNA. Here's how we protect your data.
Encryption
All data encrypted at rest (AES-256) and in transit (TLS 1.3). Evidence files stored with time-limited signed URLs.
Infrastructure
Hosted on SOC 2 compliant infrastructure. Database powered by Convex with automatic backups and point-in-time recovery.
Authentication
Clerk-powered authentication with Google OAuth, MFA support, and session management. Role-based access control across 5 roles (admin, assessor, employee, auditor, external assessor).
Privacy by Design
Analytics capture disabled by default. No CUI data in logs. PostHog configured to mask all inputs and strip page URLs.
Security Architecture
All Convex mutations require authenticated JWT from Clerk
Subscription changes only via verified Stripe webhook signatures
Audit logging as internal mutations — no client-callable audit writes
File upload pre-validation (type, size) before URL generation
Rate limiting at the edge proxy layer (100 req/IP/60s)
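The second item above, accepting subscription changes only from webhook requests whose signature verifies, is worth seeing in code. The following is an added example, not CMMC Command's own code: it implements the documented Stripe signing scheme (a `t=<unix seconds>,v1=<hex HMAC>` header, HMAC-SHA256 over `<timestamp>.<raw body>`, with the 300-second replay tolerance Stripe's SDKs use by default) using only Node's `crypto` module. The secret, the event body and the `applySubscriptionChange` callback are constructed placeholders for the example; the real mutation, header name and secret handling belong to the product and are not on this page.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Placeholder signing secret, constructed for this example. A real deployment
// reads the endpoint secret from configuration, never from source.
const WEBHOOK_SECRET = "whsec_EXAMPLE_PLACEHOLDER_SECRET";
// Events whose timestamp is more than five minutes from our clock are rejected,
// which bounds how long a captured request could be replayed.
const TOLERANCE_SECONDS = 300;

interface ParsedSignature { timestamp: number; signatures: string[]; }
interface VerifyResult { ok: boolean; reason: string; }

// Parse a Stripe-style header: "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>...]".
// Several v1 values may be present while a secret is being rotated.
function parseSignatureHeader(header: string): ParsedSignature | null {
  let timestamp: number | null = null;
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamp = Number(value);
    else if (key === "v1") signatures.push(value);
  }
  if (timestamp === null || !Number.isInteger(timestamp) || signatures.length === 0) return null;
  return { timestamp, signatures };
}

// HMAC-SHA256 over "<timestamp>.<raw body>", so the timestamp is covered by the MAC
// and cannot be refreshed by a replaying party.
function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function verifyWebhook(rawBody: string, header: string, secret: string, nowSeconds: number): VerifyResult {
  const parsed = parseSignatureHeader(header);
  if (!parsed) return { ok: false, reason: "malformed signature header" };
  if (Math.abs(nowSeconds - parsed.timestamp) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "timestamp outside tolerance (possible replay)" };
  }
  const expected = Buffer.from(computeSignature(secret, parsed.timestamp, rawBody), "hex");
  for (const candidateHex of parsed.signatures) {
    const candidate = Buffer.from(candidateHex, "hex"); // non-hex input yields a short buffer
    // Constant-time compare; the length check comes first because timingSafeEqual
    // throws on buffers of different length.
    if (candidate.length === expected.length && timingSafeEqual(candidate, expected)) {
      return { ok: true, reason: "signature valid" };
    }
  }
  return { ok: false, reason: "signature mismatch" };
}

// The subscription-update path: the database write happens only after the MAC
// verifies. `applySubscriptionChange` is a hypothetical stand-in for the real
// internal mutation.
function handleSubscriptionWebhook(
  rawBody: string,
  header: string,
  nowSeconds: number,
  applySubscriptionChange: (event: unknown) => void,
): VerifyResult {
  const result = verifyWebhook(rawBody, header, WEBHOOK_SECRET, nowSeconds);
  if (!result.ok) return result;                 // nothing is written for unverified requests
  applySubscriptionChange(JSON.parse(rawBody));  // parse the body only after it is authenticated
  return result;
}

// Stand-alone demonstration with a constructed event.
const demoBody = JSON.stringify({ type: "customer.subscription.updated", data: { object: { id: "sub_demo" } } });
const demoTs = 1700000000;
const demoHeader = `t=${demoTs},v1=${computeSignature(WEBHOOK_SECRET, demoTs, demoBody)}`;
console.log("genuine:", handleSubscriptionWebhook(demoBody, demoHeader, demoTs + 5, () => {}).reason);
console.log("tampered:", handleSubscriptionWebhook(demoBody.replace("sub_demo", "sub_other"), demoHeader, demoTs + 5, () => {}).reason);
console.log("stale:", handleSubscriptionWebhook(demoBody, demoHeader, demoTs + 900, () => {}).reason);
```

Two points the code makes that a prose bullet cannot: the MAC is computed over the raw request body exactly as received (re-serialising parsed JSON changes whitespace and breaks verification), and the signed timestamp is what turns a bare HMAC check into replay protection.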
CMMC Command is a compliance tracking platform, not a CUI enclave. We store compliance metadata — control statuses, SPRS scores, evidence descriptions, and assessment progress. We do not store, process, or transmit Controlled Unclassified Information (CUI).
AI features send only control metadata and company name — never user documents
CUI marker detection blocks any accidental CUI submission to AI endpoints
Integration syncs collect security tool metadata (MFA status, patch levels, sensor coverage) — not documents or CUI
Sentry error monitoring masks all user text and strips page URLs
PostHog analytics runs with autocapture disabled and input masking enabled
Compliance Roadmap
Hosted on SOC 2 Type II compliant infrastructure (Vercel, Convex, Clerk)
SOC 2 Type II certification for CMMC Command is on our 2027 roadmap
Penetration testing planned as part of annual security review cycle
Responsible Disclosure
If you discover a security vulnerability, please report it to security@cmmccommand.org. We will acknowledge receipt within 24 hours and provide a resolution timeline within 72 hours.