SYSTEM // SECURITY POSTURE

Posture, attestations, operational reality.

We sell a security platform. That obligates us to a higher posture than most. Below is the honest, current state — including what's in progress and what's still on the roadmap.

ATTESTATION STATUS
  SOC 2 TYPE II: IN PROGRESS · AUDITOR ENGAGED
  FedRAMP: MODERATE PATH · PLANNED
  CRYPTOGRAPHY: FIPS 140-3 · VALIDATED
  DEPLOYMENT: GOV · GCC HIGH · AVAILABLE

SECURITY PRACTICES
  1. P-01
    Least privilege by default
    Cloud accounts onboarded with read-only scope; write scope per action class.
  2. P-02
    Tamper-evident audit log
    Every platform action content-hashed; chain verifiable independent of PolicyCortex.
  3. P-03
    No PHI · No CUI · No PII
    We process configuration metadata only. Cloud APIs return resource state, not data.
  4. P-04
    SBOM + SAST + DAST
    Continuous supply chain scanning. Dependency vulnerabilities tracked + patched.
  5. P-05
    Pen-test annually
    Independent third-party penetration testing on the production platform.
  6. P-06
    Incident response procedures
    Documented IR runbook · 24h notification SLA · customer-facing security report.

Have a security questionnaire (SIG-Lite, CAIQ, custom)? Email [email protected]. We respond within one business day.

©2026 POLICYCORTEX, INC.