Customer security questionnaire
Procurement security questionnaires are repetitive. Claresia maintains pre-filled answers for the most common forms (CAIQ-Lite, SIG-Lite) so your procurement team can drop them in directly.
Downloadable artifacts:
- CAIQ-Lite (CSA Consensus Assessment Initiative Questionnaire) at trust.claresia.com/caiq
- SIG-Lite (Standardized Information Gathering) at trust.claresia.com/sig
- NIS2-specific addendum (Q3 2026)
- EU AI Act compliance addendum
Top 25 standing answers
This is the cheat sheet — drop-in answers for the most common procurement questions.
Identity + Access
Q: Do you support SSO? A: Yes — SAML 2.0 + OIDC day 1. WorkOS-fronted. Native configs for Okta, Azure AD / Entra ID, Google Workspace, JumpCloud, OneLogin, Keycloak. See Identity → Overview.
Q: Do you support MFA? A: MFA is delegated to your IdP. We honor your IdP’s Conditional Access (e.g., Entra Conditional Access, Okta Sign-On Policies).
Q: Do you support SCIM 2.0? A: Yes. Per-tenant SCIM endpoint with bearer-token auth. Real-time deprovisioning (<60s from your IdP webhook to user losing skill access). See SCIM 2.0 reference.
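The deprovisioning guarantee above hinges on one detail a questionnaire rarely spells out: when the IdP sets `active` to `false`, the user's existing sessions must be revoked at the same moment, not left to expire. The following is an added illustration of that handling, not Claresia's SCIM implementation; the token digest, user and session stores, and the two PATCH shapes it accepts are constructed assumptions, while the schema URNs and the `replace` operation come from RFC 7644.

```python
import hashlib
import hmac
import json
import time

# Hypothetical per-tenant SCIM token (constructed placeholder, not a real credential).
# Only its SHA-256 digest is kept server-side, so a datastore leak does not expose the token.
_TOKEN_DIGEST = hashlib.sha256(b"example-scim-token-not-real").hexdigest()

# Constructed in-memory state standing in for the tenant's user and session stores.
USERS = {"u-1001": {"userName": "alice@example.com", "active": True}}
SESSIONS = {
    "sess-a": {"user_id": "u-1001", "revoked": False},
    "sess-b": {"user_id": "u-1001", "revoked": False},
    "sess-c": {"user_id": "u-2002", "revoked": False},  # another user; must stay untouched
}

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:core:2.0:User"


def authorize(headers):
    """Check the Bearer token; compare digests in constant time to avoid timing leaks."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, _TOKEN_DIGEST)


def revoke_sessions(user_id):
    """Revoke every live session of one user; returns the number revoked."""
    revoked = 0
    for sess in SESSIONS.values():
        if sess["user_id"] == user_id and not sess["revoked"]:
            sess["revoked"] = True
            revoked += 1
    return revoked


def _error(status, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def scim_patch_user(user_id, headers, body):
    """Handle PATCH /Users/{id} (RFC 7644 section 3.5.2). Returns (http_status, response_body)."""
    if not authorize(headers):
        return _error(401)
    user = USERS.get(user_id)
    if user is None:
        return _error(404)
    try:
        req = json.loads(body)
    except ValueError:
        return _error(400, "invalidSyntax")
    if PATCH_SCHEMA not in req.get("schemas", []):
        return _error(400, "invalidSyntax")

    deactivate = False
    for op in req.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue  # add/remove operations do not touch the active flag
        path, value = op.get("path"), op.get("value")
        # IdPs send either {"path": "active", "value": false} or {"value": {"active": false}}.
        if path is not None and path.lower() == "active":
            new_active = value
        elif path is None and isinstance(value, dict) and "active" in value:
            new_active = value["active"]
        else:
            continue
        if isinstance(new_active, str):  # some IdPs serialise booleans as "False"
            new_active = new_active.strip().lower() == "true"
        if not new_active:
            deactivate = True

    if deactivate and user["active"]:
        user["active"] = False
        user["deprovisioned_at"] = time.time()
        # The security-relevant step: sessions die with the account, not at token expiry.
        user["sessions_revoked"] = revoke_sessions(user_id)

    return 200, {"schemas": [USER_SCHEMA], "id": user_id,
                 "userName": user["userName"], "active": user["active"]}
```

A failed bearer check returns 401 before any state is read, an unknown user returns 404, and a successful deactivation records how many sessions were cut so the event can be audited against the stated sub-60-second window.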
Q: Do you support RBAC? A: Yes — three-layer: IdP groups → cc-061 archetype mapping → per-archetype skill entitlements. Plus per-group augments and per-skill blocklists.
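The three-layer answer above leaves one question every reviewer asks: what wins when an augment grants a skill and a blocklist denies it? The resolver below is an added example, not Claresia's cc-061 mapping or its entitlement code; the group names, archetypes, skills and the rule that a blocklist always beats a grant are constructed assumptions chosen to show deny-by-default resolution with a trace a reviewer can read.

```python
# Constructed tenant policy. The page does not publish the cc-061 archetype table or the
# exact blocklist shape, so every name and rule below is an illustrative assumption.
GROUP_TO_ARCHETYPE = {
    "eng-backend": "engineer",
    "eng-sre": "engineer",
    "finance-ap": "analyst",
    "sec-ops": "security",
}

ARCHETYPE_SKILLS = {
    "engineer": {"code-review", "log-query", "deploy-status"},
    "analyst": {"report-builder", "log-query"},
    "security": {"log-query", "incident-triage", "deploy-status"},
}

# Per-group augments: extra skills granted on top of the archetype baseline.
GROUP_AUGMENTS = {
    "eng-sre": {"deploy-rollback"},
}

# Per-skill blocklists: groups that may never obtain the skill, whatever else grants it.
SKILL_BLOCKLIST = {
    "deploy-rollback": {"contractors"},
    "incident-triage": {"finance-ap"},
}


def resolve_entitlements(idp_groups):
    """Return (effective_skills, trace) for a user carrying the given IdP groups.

    Resolution order, with deny winning over every grant:
      1. groups -> archetypes (unknown groups grant nothing: deny by default)
      2. archetypes -> baseline skills
      3. group augments are added
      4. any skill blocklisted for one of the user's groups is removed
    """
    groups = set(idp_groups)
    trace = []

    archetypes = {GROUP_TO_ARCHETYPE[g] for g in groups if g in GROUP_TO_ARCHETYPE}
    for g in sorted(groups - GROUP_TO_ARCHETYPE.keys()):
        trace.append(f"group {g!r} has no archetype mapping; grants nothing")

    skills = set()
    for a in sorted(archetypes):
        baseline = ARCHETYPE_SKILLS.get(a, set())
        skills |= baseline
        trace.append(f"archetype {a!r} grants {sorted(baseline)}")

    for g in sorted(groups & GROUP_AUGMENTS.keys()):
        skills |= GROUP_AUGMENTS[g]
        trace.append(f"augment for group {g!r} adds {sorted(GROUP_AUGMENTS[g])}")

    # sorted() yields a list copy, so removing from the set while looping is safe.
    for skill in sorted(skills):
        denied_by = groups & SKILL_BLOCKLIST.get(skill, set())
        if denied_by:
            skills.discard(skill)
            trace.append(f"skill {skill!r} blocked for group(s) {sorted(denied_by)}")

    return skills, trace


def is_authorized(idp_groups, skill):
    """Single-skill check used at invocation time."""
    skills, _ = resolve_entitlements(idp_groups)
    return skill in skills
```

The trace is returned alongside the decision so a deprovisioning review or an access audit can show why a skill was or was not granted, rather than only the final set.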
Encryption
Q: How is data encrypted? A: AES-256 at rest, TLS 1.3 in transit. CMEK in Mode B/C with customer-managed KMS keys (AWS KMS, Azure Key Vault, GCP KMS). Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256. No SSL or TLS ≤1.1.
Q: Are your cryptographic modules FIPS 140-2 validated?
A: Yes — KMS modules are FIPS 140-2 Level 2 / 3 depending on region. Open-source
cryptography library deployed in FIPS mode where required.
Data residency
Q: Where is our data stored? A: Depends on deployment mode. Mode A: eu-south-1 only. Mode B: eu-south-1 OR eu-central-1 (your choice). Mode C: your own cloud, your chosen region. See Deploy overview.
Q: Can we keep data in the EU? A: Yes — Mode B with eu-central-1 region, or Mode C in your own EU cloud.
Q: Is data ever transferred outside the EU for EU customers? A: For Mode B eu-central-1: data stays in EU. For Mode A: data is in eu-south-1. For Mode C: customer-controlled.
Compliance
Q: SOC 2 Type 2? A: Audit window opens Q1 2026, Type 1 report Q2 2026, Type 2 report Q4 2026. Continuous monitoring via Vanta/Drata is live today. See SOC 2 status.
Q: ISO 27001? A: Q2 2027 (in flight after SOC 2 Type 2).
Q: GDPR? A: Yes — Schrems II compliant DPA at DPA template. Data subject rights honored per Retention.
Q: NIS2 Readiness Pack? A: Q3 2026. Roadmap.
Q: EU AI Act?
A: Built-in. The cc-050 Hub schema’s governance_event chain provides Article
12 logging. Article 13 transparency met via this docs site. Article 14 human
oversight met via decision records.
Sub-processors
Q: Who are your sub-processors? A: See Sub-processors and the live list at trust.claresia.com/subprocessors.
Q: Will we be notified if you add a new sub-processor? A: Yes — 14-day notice, 90-day notice if it would process Hub records. Right to object within 30 days.
Vulnerability management
Q: When was your last pen test? A: First annual pen test scheduled for Q2 2026. We will share the executive summary under NDA.
Q: Do you have a bug bounty? A: Q3 2026.
Q: How quickly do you patch? A: For CVSS ≥ 7.0: customer notification within 72h, internal fix targeted within 7 days. We follow CVE coordination practices.
Availability + DR
Q: What’s your SLA? A: Mode A 99.5%, Mode B 99.9%. See Customer journey → SLA.
Q: What’s your RPO/RTO? A: Mode A: RPO 5min, RTO 4h. Mode B: RPO 5min, RTO 1h. Mode C: customer-controlled. See Backup + restore.
Q: Where is your Status Page? A: status.claresia.com. Subscribe by region + service.
Audit + Logging
Q: Do you log every privileged action?
A: Yes — governance_event Hub records, 7-year retention, SHA-256 + co-signed
provenance. See Provenance + Audit.
Q: Can we export the audit log? A: Yes — via the Hub API or Command Center → Compliance → Export. Format: JSON-Lines, CSV, Parquet.
Q: How long do you retain audit data?
A: 7 years for governance_event (regulatory floor). Other record types per
Retention.
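Both the EU AI Act answer (the governance_event chain as Article 12 logging) and the audit answers above rest on the same mechanism: each record carries a SHA-256 over its own content plus the previous record's hash, and is co-signed, so edits, deletions and reordering are detectable on export. The code below is an added illustration of such a chain with a JSON-Lines round trip, not the cc-050 Hub schema or Claresia's provenance code; the field names, the two HMAC co-signers and their keys are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Canonical JSON so the same record always hashes the same way.
_CANON = {"sort_keys": True, "separators": (",", ":")}

# Constructed signing keys for the two co-signers (placeholders; real keys live in a KMS/HSM).
COSIGNER_KEYS = {
    "platform": b"constructed-platform-key",
    "customer": b"constructed-customer-key",
}


def record_hash(rec):
    """SHA-256 over the canonical record, excluding the hash and signatures themselves."""
    body = {k: v for k, v in rec.items() if k not in ("hash", "signatures")}
    return hashlib.sha256(json.dumps(body, **_CANON).encode()).hexdigest()


def append_event(chain, actor, action, target, ts, keys=COSIGNER_KEYS):
    """Append a governance_event linked to the previous record and co-signed by every key."""
    rec = {
        "schema": "governance_event",  # assumed record type name, following the page
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    rec["hash"] = record_hash(rec)
    # "Co-signed" modelled as independent HMACs over the record hash: a single
    # compromised signer cannot produce a record the verifier accepts.
    rec["signatures"] = {
        name: hmac.new(key, rec["hash"].encode(), "sha256").hexdigest()
        for name, key in keys.items()
    }
    chain.append(rec)
    return rec


def verify_chain(chain, keys=COSIGNER_KEYS):
    """Return (True, None) if intact, else (False, seq) for the first record that fails."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec.get("seq") != expected_seq or rec.get("prev_hash") != prev:
            return False, expected_seq      # gap, reorder or deleted record
        if rec.get("hash") != record_hash(rec):
            return False, expected_seq      # content altered after hashing
        sigs = rec.get("signatures", {})
        for name, key in keys.items():
            want = hmac.new(key, rec["hash"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(sigs.get(name, ""), want):
                return False, expected_seq  # missing or invalid co-signature
        prev = rec["hash"]
    return True, None


def to_jsonl(chain):
    """Export in the JSON-Lines shape named on the page: one canonical record per line."""
    return "".join(json.dumps(rec, **_CANON) + "\n" for rec in chain)


def from_jsonl(text):
    """Parse an exported JSON-Lines file back into a list of records for re-verification."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```

Re-running `verify_chain` on the exported file is what gives the customer an independent check: the hash chain catches altered or dropped records, and the co-signatures mean a tamperer would need both keys to re-seal the chain after editing it.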
Customer-side controls
Q: Can we use our own encryption keys (CMEK / BYOK)? A: Yes in Mode B (AWS KMS, Azure Key Vault) and Mode C (your KMS).
Q: Can we keep all data in our own cloud (BYOC)? A: Yes — Mode C. See Mode C BYOC.
Custom questionnaire support
If your procurement uses a non-standard form, send it to
compliance@claresia.com. Standard turnaround 5 business days for forms
≤ 200 questions.