Security

Last updated: June 13, 2026

Cincra is not a C3PAO. This platform automates CMMC readiness, evidence collection, and audit preparation. It does not issue CMMC certifications and does not bind any C3PAO assessment outcome. Attestations generated here reflect the authoring auditor's professional opinion only.

Architecture

Cincra runs on Cloudflare Workers with a Supabase Postgres backend. All customer rows are protected by Row-Level Security policies scoped to the signed-in organization. Cross-tenant reads are denied at the database layer.

Encryption

Data in transit is protected with TLS 1.2 or later. Data at rest is encrypted by the underlying Postgres storage and by Backblaze B2 object-storage encryption. Evidence files are stored in a private bucket with server-proxied uploads only.

Access & audit

Every state-changing action writes a tamper-evident, hash-chained entry to audit_logs, scoped per organization. Auditor access is gated by time-boxed engagement tokens with explicit scope flags and revocation.
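
How a per-organization hash chain makes edits, deletions and truncation of audit entries detectable, shown as an added example that is not Cincra's code. The field names, SHA-256, the all-zero genesis value and the separately stored head hash are assumptions.

```javascript
// Added example, not Cincra's code. Field names, SHA-256 and GENESIS are assumptions.
const { createHash } = require("node:crypto");
const GENESIS = "0".repeat(64); // assumed prev_hash of an organization's first entry

// Hash a fixed-order array so the digest does not depend on object key order.
function entryHash(e) {
  const canonical = JSON.stringify([e.org_id, e.seq, e.actor, e.action, e.at, e.prev_hash]);
  return createHash("sha256").update(canonical).digest("hex");
}

// Append one entry to an organization's chain, linking it to the previous hash.
function append(chain, orgId, actor, action, at) {
  const prev = chain[chain.length - 1];
  const e = { org_id: orgId, seq: chain.length, actor, action, at, prev_hash: prev ? prev.hash : GENESIS };
  e.hash = entryHash(e);
  chain.push(e);
}

// Walk the chain; report the first entry that fails, or a head mismatch.
function verify(chain, orgId, expectedHead) {
  let prevHash = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.org_id !== orgId) return { ok: false, seq: i, reason: "wrong organization" };
    if (e.seq !== i) return { ok: false, seq: i, reason: "sequence gap" };
    if (e.prev_hash !== prevHash) return { ok: false, seq: i, reason: "broken link" };
    if (entryHash(e) !== e.hash) return { ok: false, seq: i, reason: "content modified" };
    prevHash = e.hash;
  }
  // Dropping the newest entries leaves a valid chain; only a head hash kept elsewhere shows it.
  if (expectedHead !== undefined && prevHash !== expectedHead)
    return { ok: false, seq: chain.length, reason: "head mismatch" };
  return { ok: true };
}

// Constructed sample entries, then three kinds of tampering.
function demo() {
  const chain = [];
  append(chain, "org-a", "alice", "evidence.upload", "2026-06-01T10:00:00Z");
  append(chain, "org-a", "bob", "control.update", "2026-06-01T10:05:00Z");
  append(chain, "org-a", "alice", "token.revoke", "2026-06-01T10:09:00Z");
  const head = chain[2].hash; // stored outside the log table
  const edited = chain.map((e) => ({ ...e }));
  edited[1].action = "control.delete"; // history rewritten in place
  return {
    intact: verify(chain, "org-a", head),
    edited: verify(edited, "org-a", head),
    deleted: verify([chain[0], chain[2]], "org-a", head),
    truncated: verify(chain.slice(0, 2), "org-a", head),
  };
}
```

The chain alone cannot reveal removal of the most recent entries, which is why the verifier also takes a head hash recorded outside the log.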

Authentication

Sign-in uses email/password or Google OAuth via Supabase Auth. Roles are stored in user_roles and checked via a SECURITY DEFINER function to prevent privilege escalation.

CUI restriction

The platform is currently not FedRAMP / FIPS / GovCloud authorized. Do not upload real Controlled Unclassified Information. Use representative or redacted artifacts only.

Coordinated disclosure

Report vulnerabilities to security@cincra.com. See also our security.txt.