Security Self-Assessment

CloudRepo does not currently hold SOC 2 or ISO 27001 certifications. These certifications are cost-prohibitive for a company of our size and stage. What we do instead:

• Exclusively partner with SOC 2 certified vendors (all 12 subprocessors)
• Enforce encryption at rest (AES-256) and in transit (TLS 1.2+) across all systems
• Maintain strict access controls with MFA on all production and source code access
• GDPR and CCPA compliant
• Over 10 years of operational history with zero known security incidents or data breaches

We are transparent about this gap and compensate through strong technical controls and vendor selection.

While CloudRepo manages infrastructure and application security, customers are responsible for:

• Credential management: Keeping their usernames, passwords, and API tokens secure
• Access control within their organization: Managing which team members have access to their CloudRepo repositories
• Artifact content: Customers are responsible for the security and licensing of the software they upload
• Network security: Securing their own CI/CD pipelines and build systems that connect to CloudRepo

MFA is not currently available for end-user (customer) accounts. This capability is on our product roadmap. However, MFA is enforced on all internal systems:

• AWS Console: MFA required for all production access
• GitHub (source code): MFA required for all access
• All internal administrative systems require MFA

We encourage customers who need stronger authentication today to contact us — their input helps us prioritize our SSO and MFA roadmap.

SSO via SAML and OIDC is on our roadmap for Q2 2026. We encourage customers to tell us which identity providers they need so we can prioritize accordingly.

We do currently offer full SCIM 2.0 implementation for automated user provisioning, including Users CRUD operations, filtering support, ServiceProviderConfig endpoint, and bearer token authentication.

• View and update account information through the CloudRepo web interface
• Request data export by contacting support or emailing dpo@cloudrepo.io
• Request data deletion under GDPR or CCPA by contacting dpo@cloudrepo.io — deletion requests are processed within 30 calendar days

CloudRepo does not maintain a formal, standalone information security policy document in the traditional enterprise sense. As a small, bootstrapped team, our security practices are embedded in our operational procedures and technical controls.

What we do have: enforced technical controls (encryption, MFA, least privilege access) codified in our infrastructure-as-code (Terraform), documented security practices on our public security page, a Security Practices Document available at our Trust Center, and this vendor questionnaire response.

We recognize this is an area where we can improve and are working toward more formal documentation as the company grows.

CloudRepo uses a multi-tenant architecture with strict logical data separation per organization:

• Application layer: All data access is scoped to the authenticated user's organization. Cross-organization data access is prevented by application-level authorization checks on every request.
• Storage layer: Customer artifacts are stored in Amazon S3 using separate key prefixes per organization, ensuring physical separation of stored objects.
• Database layer: All DynamoDB records include organization identifiers, and all queries are scoped to the requesting organization.

There is no shared data surface between customer organizations.

Network segmentation is managed through multiple layers:

• AWS VPC: Production infrastructure runs in isolated Virtual Private Clouds with restrictive security group rules
• Security Groups: Inbound and outbound traffic is limited to only required ports and protocols
• DDoS protection: AWS Shield Standard provides baseline DDoS protection automatically across all AWS resources

Internal services communicate within the VPC and are not exposed to the public internet unless required for the application's function.

CloudRepo evaluates third-party vendors based on:

• SOC 2 compliance: All subprocessors are required to hold SOC 2 certification (all 12 current subprocessors are SOC 2 certified)
• Data minimization: Each vendor receives only the minimum data necessary for its function
• Ongoing review: Vendor relationships are evaluated periodically, and vendors are replaced if they no longer meet our standards
• Subprocessor transparency: Our full subprocessor list is published at /subprocessors

CloudRepo's current vulnerability management practices include:

• Automated code analysis as part of the development workflow
• Pre-commit validation and testing gates in the CI/CD pipeline
• Comprehensive qualification testing before any code is deployed to production
• Dependency monitoring to identify known vulnerabilities in third-party libraries

We are implementing formal automated vulnerability scanning tools in 2026. Independent security researchers have identified and reported vulnerabilities through informal research, which were addressed promptly (only minor issues found, no risk to customer data).

Encryption at rest: All artifacts in Amazon S3 are encrypted using AES-256 server-side encryption. DynamoDB encryption at rest is enabled for all tables. S3 versioning is enabled for additional protection against accidental or malicious deletion.

Encryption in transit: TLS 1.2+ is enforced on all connections. TLS termination is handled at the AWS load balancer and application level.

Credential encryption: All passwords are hashed using PBKDF2 with BLAKE2b-512, 50,000 iterations, and a 12-byte random salt. Plaintext credentials are never stored or logged.

• Source control: All code is managed in GitHub with MFA-enforced access
• Code review: Changes are reviewed before merge
• Automated testing: Pre-commit validation, qualification testing, and regression suites run before deployment
• Staged deployment: Changes go through testing and qualification phases before reaching production
• Infrastructure as code: Infrastructure changes are managed through Terraform, providing version-controlled, reviewable modifications

Intrusion detection and prevention is handled through multiple layers:

• AWS Shield Standard: Automatic DDoS protection across all AWS resources
• AWS security controls: Network-level protections including VPC flow logging capabilities and security group enforcement
• Application monitoring: Grafana Cloud provides real-time monitoring and alerting on anomalous system behavior
• Error tracking: Sentry captures application-level errors and anomalies that may indicate attempted exploitation

We do not run a dedicated, standalone IDS/IPS appliance or WAF — our approach relies on AWS network controls, application-level monitoring, and security group enforcement.

• Principle of least privilege: Production access is limited to essential personnel only
• MFA everywhere: Required for AWS Console, GitHub, and all internal administrative systems
• No shared credentials: Every individual has their own account with MFA
• Customer access controls: Organizations manage their own user access with organization-scoped permissions
• SCIM 2.0: Full implementation allows automated user provisioning and deprovisioning
• Password reset security: Token-based (UUID), 2-hour expiration, one-time use

• Application monitoring: Grafana Cloud provides real-time dashboards, metrics, and alerting for system health and performance
• Error tracking: Sentry captures and aggregates application errors with full context
• Infrastructure logging: AWS provides CloudTrail and VPC flow log capabilities for infrastructure-level audit trails
• Alerting: Automated alerts for anomalous behavior, error rate spikes, and resource utilization thresholds

Logs are automatically deleted per retention policies: Grafana Cloud (30 days), AWS CloudWatch (retained longer for troubleshooting).

• Artifact storage (S3): Amazon S3 provides 99.999999999% (11 nines) durability. Versioning is enabled on all buckets.
• Database (DynamoDB): Automated backups with point-in-time recovery, allowing restoration to any second within the retention window.
• Infrastructure as code: All configuration stored in version-controlled Terraform, allowing full environment recreation.

Backups are stored within the same AWS region (US-West, N. California) with multi-AZ redundancy.

• Triage: Security issues are triaged and responded to within 24 business hours
• Contact: Security incidents can be reported to security@cloudrepo.io
• Communication: Affected customers are notified of incidents that impact their data
• Status page: System availability incidents are communicated via status.cloudrepo.io
• Track record: No security incidents in the past 3 years; no known data breaches in company history

• All code managed in GitHub with MFA-enforced access
• Code review required before merge to the main branch
• Pre-commit validation and automated checks
• Comprehensive test suites in the CI/CD pipeline
• Multi-phase qualification gates (static analysis, unit tests, integration tests, security checks)
• Infrastructure as code via Terraform with review and version control
• Passwords hashed with PBKDF2+BLAKE2b-512 (50,000 iterations, 12-byte salt)
• Application-level input validation on all user inputs
• Dependency monitoring for known vulnerabilities