# CloudRepo — Vendor Security Questionnaire Response

**Date:** March 9, 2026
**Prepared by:** Chris Shellenbarger, Founder & CEO, ChenPo LLC (d/b/a CloudRepo)
**Contact:** security@cloudrepo.io

---

## 1. What does CloudRepo do?

CloudRepo is a cloud-native software artifact and package repository service. We provide secure, reliable hosting for software packages and build artifacts (Maven, Python, NuGet, and other repository formats). Development teams use CloudRepo to store, manage, and distribute their software artifacts throughout their CI/CD pipelines and development workflows.

CloudRepo is operated by ChenPo LLC, a US-based company headquartered in Fargo, North Dakota. We were founded in 2016 and have over 10 years of operational history. We are bootstrapped and founder-led.

## 2. What data does CloudRepo collect?

CloudRepo collects and processes the following categories of data:

- **Software artifacts**: Binary packages and files uploaded by customers (stored in Amazon S3)
- **Repository metadata**: Package names, versions, descriptions, and organizational structure (stored in Amazon DynamoDB)
- **Account information**: Email addresses, usernames, hashed passwords, organization names
- **Billing information**: Processed by Braintree/PayPal — CloudRepo does not store credit card numbers directly
- **Usage data**: Anonymized product analytics (via Amplitude), download/upload activity logs
- **Operational logs**: Application and infrastructure logs may contain user IDs for troubleshooting purposes. These logs are automatically deleted according to platform retention policies (see Question 31).
- **Support interactions**: Customer support conversations (via Intercom)
- **Transactional emails**: Email addresses for notifications and password resets (via Postmark)

CloudRepo does not intentionally collect sensitive personal information beyond what is necessary for account and billing operations.

## 3. What technologies and service providers does CloudRepo use?

CloudRepo partners exclusively with SOC 2 certified, industry-leading vendors:

| Subprocessor              | Purpose                          | Data Processed                           | Compliance                |
| ------------------------- | -------------------------------- | ---------------------------------------- | ------------------------- |
| Amazon Web Services (AWS) | Infrastructure, storage, compute | All customer data and artifacts          | SOC 2, ISO 27001, FedRAMP |
| Braintree/PayPal          | Payment processing               | Billing information                      | PCI DSS Level 1, SOC 2    |
| GitHub                    | Source code management           | No customer data                         | SOC 2, ISO 27001          |
| Postmark                  | Transactional email              | Email addresses, notification content    | SOC 2                     |
| Grafana Cloud             | Monitoring and observability     | System metrics, logs (no PII)            | SOC 2                     |
| Amplitude                 | Product analytics                | Anonymized usage data                    | SOC 2                     |
| Intercom                  | Customer support                 | Support conversations, email             | SOC 2                     |
| Sentry                    | Error tracking and monitoring    | Application error data, session metadata | SOC 2                     |
| Google Tag Manager        | Marketing analytics              | Anonymized browsing data                 | SOC 2                     |
| n8n (Cloud)               | Workflow automation              | Operational data                         | SOC 2                     |
| Supabase                  | Billing and operational systems  | Billing contacts, operational records    | SOC 2                     |
| Baserow (Cloud)           | Billing and operational systems  | Billing contacts, operational records    | SOC 2                     |

## 4. Is CloudRepo self-hosted, or hosted in the cloud?

CloudRepo is hosted in the cloud on Amazon Web Services (AWS). Our primary infrastructure runs in the US-West (N. California) region. All customer data is stored exclusively in the United States.

Our architecture is cloud-native with auto-scaling and no single points of failure. Artifacts are stored in Amazon S3 (99.999999999% durability, versioning enabled) and metadata in Amazon DynamoDB (automated backups, point-in-time recovery). AWS Shield Standard provides baseline DDoS protection across all AWS resources.

## 5. What compliance attestations does CloudRepo have?

CloudRepo does not currently hold SOC 2 or ISO 27001 certifications. These certifications are cost-prohibitive for a company of our size and stage.

What we do instead:

- We exclusively partner with SOC 2 certified, industry-leading vendors (AWS, Braintree, Postmark, Grafana Cloud, and others — see Question 3 for the full list)
- We enforce encryption at rest (AES-256) and in transit (TLS 1.2+) across all systems
- We maintain strict access controls with MFA on all production and source code access
- We are GDPR and CCPA compliant
- We maintain over 10 years of operational history with zero known security incidents or data breaches

We are transparent about this gap and compensate through strong technical controls and vendor selection.

## 6. What was the time period of CloudRepo's latest audit?

CloudRepo has not undergone a formal third-party audit (such as SOC 2 Type II). We do not currently have audit reports available. See Question 5 for our approach to compensating controls.

## 7. What was the auditor's assessment in CloudRepo's latest audit?

Not applicable — CloudRepo has not undergone a formal third-party audit. See Question 5.

## 8. What exceptions or deviations, if any, were found in CloudRepo's latest audit?

Not applicable — CloudRepo has not undergone a formal third-party audit. See Question 5.

## 9. How did management respond to exceptions or deviations found in CloudRepo's latest audit?

Not applicable — CloudRepo has not undergone a formal third-party audit. See Question 5.

## 10. What scope of systems were tested in CloudRepo's latest audit?

Not applicable — CloudRepo has not undergone a formal third-party audit. See Question 5.

## 11. What complementary user entity controls, if any, does CloudRepo require?

While CloudRepo manages infrastructure and application security, customers are responsible for:

- **Credential management**: Keeping their usernames, passwords, and API tokens secure
- **Access control within their organization**: Managing which team members have access to their CloudRepo repositories
- **Artifact content**: CloudRepo stores and serves artifacts as provided — customers are responsible for the security and licensing of the software they upload
- **Network security**: Securing their own CI/CD pipelines and build systems that connect to CloudRepo

## 12. What complementary subservice organizations, if any, were present in CloudRepo's latest audit?

Not applicable — CloudRepo has not undergone a formal third-party audit. See Question 5. Our full list of subprocessors is provided in Question 3.

## 13. Does CloudRepo's product support multi-factor authentication (MFA)?

MFA is not currently available for end-user (customer) accounts. This capability is on our product roadmap.

However, MFA is enforced on all internal systems:

- AWS Console: MFA required for all production access
- GitHub (source code): MFA required for all access
- All internal administrative systems require MFA

We encourage customers who need stronger authentication today to contact us — their input helps us prioritize our SSO and MFA roadmap.

## 14. Does CloudRepo's product support integration with an SSO provider, such as Okta?

SSO via SAML and OIDC is on our roadmap for Q1/Q2 2026. We encourage customers to tell us which identity providers they need so we can prioritize accordingly.

We do currently offer a full SCIM 2.0 implementation for automated user provisioning, including:

- User CRUD operations
- Filtering support
- ServiceProviderConfig endpoint
- Bearer token authentication

## 15. Does CloudRepo's product enforce password complexity requirements?

CloudRepo enforces a password length requirement of 8 to 256 characters. We do not impose character-type complexity requirements (e.g., requiring uppercase, numbers, special characters), as current NIST SP 800-63B guidelines recommend against complexity rules in favor of length-based requirements.

All passwords are hashed using PBKDF2 with BLAKE2b-512, 50,000 iterations, and a 12-byte random salt (via the buddy-hashers library). Plaintext credentials are never stored.

Password reset uses token-based verification (UUID), with a 2-hour expiration window and one-time use. Reset emails are delivered via Postmark.
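The credential handling described in this section, written out as an added example (this is not CloudRepo's code, which uses the buddy-hashers library; the stored-hash layout, the 64-byte derived key length and the in-memory token store are assumptions). It spells out PBKDF2 with HMAC-BLAKE2b-512 as the PRF, the 50,000 iterations, the 12-byte random salt and the 8-256 character length rule, then the UUID reset token with its 2-hour window and one-time use.

```python
import hashlib
import hmac
import os
import uuid

ITERATIONS = 50_000   # iteration count stated in the questionnaire
SALT_BYTES = 12       # salt length stated in the questionnaire
DK_LEN = 64           # assumed: keep the full 64-byte BLAKE2b-512 output
ALGORITHM = "pbkdf2+blake2b-512"   # assumed label for the stored-hash format
RESET_TTL_SECONDS = 2 * 60 * 60    # reset-token lifetime stated in the questionnaire


def pbkdf2_blake2b(password: bytes, salt: bytes, iterations: int, dklen: int = DK_LEN) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-BLAKE2b-512 as the PRF, written out in full."""
    base = hmac.new(password, None, hashlib.blake2b)  # key schedule computed once, copied per PRF call

    def prf(msg: bytes) -> bytes:
        h = base.copy()
        h.update(msg)
        return h.digest()

    out = b""
    block = 1
    while len(out) < dklen:
        u = prf(salt + block.to_bytes(4, "big"))      # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):               # U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(len(u), "big")
        block += 1
    return out[:dklen]


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Enforce the 8-256 character length rule, then store algorithm, salt, iterations and hash together."""
    if not 8 <= len(password) <= 256:
        raise ValueError("password must be 8 to 256 characters")
    salt = os.urandom(SALT_BYTES)
    dk = pbkdf2_blake2b(password.encode(), salt, iterations)
    return f"{ALGORITHM}${salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, salt_hex, iters, dk_hex = stored.split("$")
    if alg != ALGORITHM:
        return False
    dk = pbkdf2_blake2b(password.encode(), bytes.fromhex(salt_hex), int(iters), len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Password reset: a random UUID token, valid for two hours, consumed on first use.
_reset_tokens: dict = {}   # assumed in-memory store: token digest -> (username, expiry time in seconds)


def issue_reset_token(username: str, now: float) -> str:
    token = str(uuid.uuid4())
    # only a digest of the token is stored, so the token itself never sits in the database
    _reset_tokens[hashlib.blake2b(token.encode()).hexdigest()] = (username, now + RESET_TTL_SECONDS)
    return token


def consume_reset_token(token: str, now: float):
    """Return the username the token belongs to, or None if unknown, expired or already used."""
    entry = _reset_tokens.pop(hashlib.blake2b(token.encode()).hexdigest(), None)  # pop: one-time use
    if entry is None or now >= entry[1]:
        return None
    return entry[0]
```

The `iterations` parameter exists so tests can run quickly; production use keeps the 50,000 default.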

## 16. How can individuals access their personal information stored with CloudRepo?

Individuals can:

- **View and update** their account information (email, password, organization details) through the CloudRepo web interface
- **Request data export** by contacting our support team or emailing dpo@cloudrepo.io
- **Request data deletion** under GDPR or CCPA by contacting dpo@cloudrepo.io — deletion requests are processed within 30 calendar days

## 17. How long does CloudRepo's product retain data?

Customer data (artifacts, repository metadata, account information) is retained for the duration of the customer's active subscription. Upon account cancellation or deletion request:

- Customer artifacts and repository data are deleted from Amazon S3 and DynamoDB
- GDPR/CCPA data deletion requests are processed within 30 calendar days
- Backups containing customer data are rotated according to AWS automated backup retention policies

We do not retain customer data indefinitely after account termination.

## 18. What written information security policies does CloudRepo have in place?

CloudRepo does not maintain a formal, standalone information security policy document in the traditional enterprise sense. As a small, bootstrapped team, our security practices are embedded in our operational procedures and technical controls rather than formalized in policy binders.

What we do have:

- Enforced technical controls (encryption, MFA, least privilege access) that are codified in our infrastructure-as-code (Terraform)
- Documented security practices on our public security page (www.cloudrepo.io/security)
- A Security Practices Document available upon request that describes our controls comprehensively
- This vendor questionnaire response, which details our current security posture

We recognize this is an area where we can improve and are working toward more formal documentation as the company grows.

## 19. Did CloudRepo experience any recent security incidents, and how did they respond?

No. CloudRepo has had no security incidents in the past 3 years and no known data breaches in the company's 10+ year history.

Independent security researchers have reported potential vulnerabilities through informal security research, which were triaged and addressed. None resulted in unauthorized access to customer data.

## 20. How does CloudRepo logically separate data from other clients?

CloudRepo uses a multi-tenant architecture with strict logical data separation per organization:

- **Application layer**: All data access is scoped to the authenticated user's organization. Cross-organization data access is prevented by application-level authorization checks on every request.
- **Storage layer**: Customer artifacts are stored in Amazon S3 using separate key prefixes per organization, ensuring physical separation of stored objects.
- **Database layer**: All DynamoDB records include organization identifiers, and all queries are scoped to the requesting organization.

There is no shared data surface between customer organizations.
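An added illustration of the prefix scoping and per-request authorization described above (not CloudRepo's code; the `orgs/<org id>/` key layout and the in-memory metadata table are assumptions). It also covers the two places such a scheme must be careful: a trailing separator on the prefix, so that organization "1" does not match "10", and rejection of `..` or empty segments in the caller-supplied artifact path.

```python
BUCKET_PREFIX = "orgs"   # assumed key layout: orgs/<org id>/<artifact path>; not CloudRepo's actual scheme

# Constructed sample of the metadata table: every record carries its organization id,
# mirroring the statement that all records include one.
METADATA = [
    {"org_id": "acme", "package": "com.acme:core", "version": "1.0.0"},
    {"org_id": "acme", "package": "com.acme:core", "version": "1.1.0"},
    {"org_id": "globex", "package": "com.acme:core", "version": "9.9.9"},
]


def org_prefix(org_id: str) -> str:
    """The organization's key prefix. The trailing slash keeps 'orgs/1/' from matching 'orgs/10/...'."""
    if not org_id or "/" in org_id:
        raise ValueError("invalid organization id")
    return f"{BUCKET_PREFIX}/{org_id}/"


def artifact_key(org_id: str, artifact_path: str) -> str:
    """Build the object key from the session's organization, never from a caller-supplied prefix."""
    segments = artifact_path.split("/")
    # reject empty, '.' and '..' segments so the path cannot climb out of the prefix
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("invalid artifact path")
    return org_prefix(org_id) + "/".join(segments)


def authorize_key(request_org: str, key: str) -> bool:
    """Per-request check: an object may be read or written only under the requester's own prefix."""
    return key.startswith(org_prefix(request_org))


def list_versions(org_id: str, package: str) -> list:
    """Metadata query scoped to the requesting organization; another tenant's records never match."""
    return sorted(r["version"] for r in METADATA if r["org_id"] == org_id and r["package"] == package)
```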

## 21. How does CloudRepo enforce network segmentation?

Network segmentation is managed through multiple layers:

- **AWS VPC**: Production infrastructure runs in isolated Virtual Private Clouds with restrictive security group rules
- **Security Groups**: Inbound and outbound traffic is limited to only required ports and protocols
- **DDoS protection**: AWS Shield Standard provides baseline DDoS protection automatically across all AWS resources

Internal services communicate within the VPC and are not exposed to the public internet unless required for the application's function.

## 22. What procedures does CloudRepo have in place for third party and vendor management?

CloudRepo evaluates third-party vendors based on the following criteria:

- **SOC 2 compliance**: All subprocessors are required to hold SOC 2 certification (see Question 3 — all 12 current subprocessors are SOC 2 certified)
- **Data minimization**: Each vendor receives only the minimum data necessary for its function
- **Ongoing review**: Vendor relationships are evaluated periodically, and vendors are replaced if they no longer meet our standards
- **Subprocessor transparency**: Our full subprocessor list is published at www.cloudrepo.io/subprocessors

We do not have a formal, documented vendor risk assessment program but apply these criteria consistently when selecting and retaining vendors.

## 23. What procedures does CloudRepo have in place for technical vulnerability management?

CloudRepo's current vulnerability management practices include:

- **Automated code analysis** as part of the development workflow
- **Pre-commit validation** and testing gates in the CI/CD pipeline
- **Comprehensive qualification testing** before any code is deployed to production
- **Dependency monitoring** to identify known vulnerabilities in third-party libraries

We are implementing formal automated vulnerability scanning tools in 2026 to supplement our existing practices. We do not currently conduct formal penetration testing, but independent security researchers have identified and reported vulnerabilities through informal security research, which were addressed promptly (only minor issues were found; none posed a risk to customer data).

## 24. What procedures does CloudRepo have in place for data encryption?

**Encryption at rest:**

- All artifacts stored in Amazon S3 are encrypted using AES-256 server-side encryption
- Amazon DynamoDB encryption at rest is enabled for all tables
- S3 versioning is enabled, providing additional protection against accidental or malicious deletion

**Encryption in transit:**

- TLS 1.2+ is enforced on all connections to CloudRepo services
- TLS termination is handled at the AWS load balancer and application level

**Credential encryption:**

- All passwords are hashed using PBKDF2 with BLAKE2b-512, 50,000 iterations, and a 12-byte random salt
- Plaintext credentials are never stored or logged

## 25. What procedures does CloudRepo have in place for change management?

CloudRepo follows a structured development and deployment workflow:

- **Source control**: All code is managed in GitHub with MFA-enforced access
- **Code review**: Changes are reviewed before merge
- **Automated testing**: Pre-commit validation, qualification testing, and regression suites run before deployment
- **Staged deployment**: Changes go through testing and qualification phases before reaching production
- **Infrastructure as code**: Infrastructure changes are managed through Terraform, providing version-controlled, reviewable infrastructure modifications

We do not maintain a formal, enterprise-style Change Advisory Board, but all changes are reviewed and tested before production deployment.

## 26. What procedures does CloudRepo have in place for employee security training?

CloudRepo does not have a formal employee security training program. As a small, founder-led company, the team is led by the founder (25+ years of industry experience, including time as a Principal Engineer at Microsoft).

Security awareness is maintained through:

- Direct involvement of the founder in all security-relevant decisions
- MFA enforcement across all systems
- Principle of least privilege applied to all access

As the team grows, we plan to implement formal security awareness training.

## 27. What procedures does CloudRepo have in place for employee background checks?

Background checks are conducted on all employees and contractors prior to granting access to production systems or customer data.

## 28. What procedures does CloudRepo have in place for Intrusion Detection and/or Intrusion Prevention?

Intrusion detection and prevention are handled through multiple layers:

- **AWS Shield Standard**: Provides automatic DDoS protection across all AWS resources
- **AWS security controls**: AWS provides network-level protections including VPC flow logging capabilities and security group enforcement
- **Application monitoring**: Grafana Cloud provides real-time monitoring and alerting on anomalous system behavior
- **Error tracking**: Sentry captures application-level errors and anomalies that may indicate attempted exploitation

We do not run a dedicated, standalone IDS/IPS appliance or WAF — our approach relies on AWS network controls, application-level monitoring, and security group enforcement.

## 29. What procedures does CloudRepo have in place for antivirus?

CloudRepo does not perform antivirus scanning on uploaded artifacts. As a software artifact repository, customers upload compiled binaries, packages, and libraries that they have built and are responsible for. Scanning customer-uploaded content for malware is outside our current scope.

Our infrastructure protection relies on:

- AWS managed infrastructure security controls
- Application-level input validation and security controls

## 30. What procedures does CloudRepo have in place for access management?

- **Principle of least privilege**: Production access is limited to essential personnel only
- **MFA everywhere**: MFA is required for AWS Console (production access), GitHub (source code), and all internal administrative systems
- **No shared credentials**: Every individual has their own account with MFA on all systems
- **Customer access controls**: Organizations manage their own user access within CloudRepo, with organization-scoped permissions
- **SCIM 2.0**: Full SCIM implementation allows customers to automate user provisioning and deprovisioning through their identity provider
- **Password reset security**: Token-based (UUID), 2-hour expiration, one-time use

## 31. What procedures does CloudRepo have in place for logging and monitoring?

- **Application monitoring**: Grafana Cloud provides real-time dashboards, metrics collection, and alerting for system health and performance
- **Error tracking**: Sentry captures and aggregates application errors with full context for investigation
- **Infrastructure logging**: AWS provides CloudTrail and VPC flow log capabilities for infrastructure-level audit trails
- **Alerting**: Automated alerts are configured for anomalous system behavior, error rate spikes, and resource utilization thresholds

Logs are automatically deleted according to platform retention policies:

- **Grafana Cloud**: 30-day retention
- **AWS CloudWatch**: Retained longer to support troubleshooting

Logs may contain user IDs for troubleshooting purposes but are automatically purged at the end of their retention period.

## 32. What procedures does CloudRepo have in place for physical security?

CloudRepo is a fully cloud-hosted service. We do not operate our own data centers, server rooms, or physical infrastructure.

All physical security is managed by Amazon Web Services (AWS), which maintains SOC 2, ISO 27001, and FedRAMP certifications for its data center facilities. AWS data centers implement comprehensive physical security controls including biometric access, 24/7 security staff, video surveillance, and environmental controls.

Details on AWS physical security controls are available in the AWS SOC 2 report and at https://aws.amazon.com/compliance/data-center/controls/.

## 33. What procedures does CloudRepo have in place for data backups?

- **Artifact storage (S3)**: Amazon S3 provides 99.999999999% (11 nines) durability. Versioning is enabled on all buckets, allowing recovery of previous versions of any object.
- **Database (DynamoDB)**: Automated backups are enabled with point-in-time recovery, allowing restoration to any second within the retention window.
- **Infrastructure as code**: All infrastructure configuration is stored in version-controlled Terraform, allowing full environment recreation if needed.

Backups are stored within the same AWS region (US-West, N. California) and benefit from AWS's built-in redundancy across multiple availability zones.

## 34. What procedures does CloudRepo have in place for formal incident reporting and response?

CloudRepo's incident response process:

- **Triage**: Security issues are triaged and responded to within 24 business hours
- **Contact**: Security incidents can be reported to security@cloudrepo.io
- **Communication**: Affected customers are notified of security incidents that impact their data
- **Status page**: System availability incidents are communicated via status.cloudrepo.io
- **Track record**: No security incidents in the past 3 years; no known data breaches in company history

We do not maintain a formal, written incident response plan document but follow consistent practices for triage, investigation, remediation, and communication. Formalizing this into a documented plan is on our improvement roadmap.

## 35. What procedures does CloudRepo have in place for asset inventory and ownership?

CloudRepo's infrastructure is defined and managed entirely through Terraform (infrastructure as code), which serves as our authoritative asset inventory. All cloud resources — compute instances, storage buckets, databases, networking components — are version-controlled and auditable.

Subprocessors and third-party services are tracked and published at www.cloudrepo.io/subprocessors.

We do not maintain a separate, formal asset register beyond what is captured in our infrastructure-as-code repository.

## 36. What procedures does CloudRepo have in place for developing code securely?

- **Source control**: All code is managed in GitHub with MFA-enforced access
- **Code review**: Changes are reviewed before merge to the main branch
- **Pre-commit validation**: Automated checks run before code is committed
- **Automated testing**: Comprehensive test suites run as part of the CI/CD pipeline
- **Qualification gates**: Multi-phase qualification testing (static analysis, unit tests, integration tests, security checks) before production deployment
- **Infrastructure as code**: Terraform manages infrastructure changes with review and version control
- **Credential handling**: Passwords hashed with PBKDF2+BLAKE2b-512 (50,000 iterations, 12-byte salt). No plaintext credentials stored or logged.
- **Input validation**: Application-level validation on all user inputs
- **Dependency management**: Third-party dependencies are monitored for known vulnerabilities

## 37. Where is CloudRepo's public help center or customer facing documentation?

Our public documentation is available at **https://www.cloudrepo.io/docs**.

## 38. Where is CloudRepo's public security page?

Our public security page is available at **https://www.cloudrepo.io/security**.

Our dedicated Trust Center with downloadable security documentation is at **https://www.cloudrepo.io/trust**.

## 39. Where is CloudRepo's public status page?

Our public status page is available at **https://status.cloudrepo.io**.

## 40. Where is CloudRepo's list of subprocessors with respect to GDPR or CCPA?

Our subprocessor list is published at **https://www.cloudrepo.io/subprocessors**.

CloudRepo is compliant with both GDPR and CCPA. Data deletion requests are processed within 30 calendar days.

## 41. What is CloudRepo's Data Protection Officer's name, email, and phone number?

- **Name:** Chris Shellenbarger, Founder & CEO
- **Email:** dpo@cloudrepo.io
- **Phone:** +1 (415) 484-2608

## 42. What is CloudRepo's security point of contact's name, email, and phone number?

- **Name:** Chris Shellenbarger, Founder & CEO
- **Email:** security@cloudrepo.io
- **Phone:** +1 (415) 484-2608

## 43. Does CloudRepo carry security liability insurance?

CloudRepo does not currently carry specific cybersecurity liability (cyber) insurance. As a bootstrapped company, we are evaluating appropriate coverage options as the business grows.

---

## Accompanying Documentation

The following documents are available upon request or at our Trust Center (www.cloudrepo.io/trust):

- **Security Practices Document** — Comprehensive overview of our security controls and practices
- **Data Processing Agreement (DPA)** — GDPR Article 28 compliant, ready to countersign
- **Compliance Status Letter** — Founder letter on our security commitment
- **Subprocessor List** — Published at www.cloudrepo.io/subprocessors

For questions or to request these documents, contact security@cloudrepo.io.
