We build compliance tools. Security is in our DNA. Here's how we protect your data.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Evidence files are accessed through time-limited signed URLs.
Infrastructure
Hosted on SOC 2 compliant infrastructure with automatic backups and point-in-time recovery.
Authentication
Enterprise-grade identity provider with Google OAuth, MFA support, and session management. Role-based access control across 5 roles (admin, assessor, employee, auditor, external assessor).
Privacy by Design
Analytics capture disabled by default. No CUI data in logs. All analytics configured to mask inputs and strip page URLs.
Security Architecture
All database mutations require an authenticated JWT issued by our identity provider
Subscription changes are accepted only via verified payment processor webhook signatures
Audit logging is performed through internal mutations; there are no client-callable audit writes
File uploads are pre-validated (type, size) before an upload URL is generated
Rate limiting at the edge proxy layer (100 requests per IP per 60 seconds)
CMMC Command is a compliance tracking platform, not a CUI enclave. We store compliance metadata: control statuses, SPRS scores, evidence descriptions, and assessment progress. We do not store, process, or transmit Controlled Unclassified Information (CUI).
AI features send only control metadata and company name, never user documents
CUI marker detection blocks any accidental CUI submission to AI endpoints
Integration syncs collect security tool metadata (MFA status, patch levels, sensor coverage), not documents or CUI
Error monitoring masks all user text and strips page URLs
Product analytics runs with autocapture disabled and input masking enabled
Compliance Roadmap
Hosted on SOC 2 Type II compliant infrastructure
SOC 2 Type II certification for CMMC Command is on our 2027 roadmap
Penetration testing planned as part of annual security review cycle
Responsible Disclosure
If you discover a security vulnerability, please report it to security@cmmccommand.org. We will acknowledge receipt within 24 hours and provide a resolution timeline within 72 hours.