Trust Center
Where your compliance data lives, who touches it, and what we've certified.
Cincra is built for the U.S. Defense Industrial Base. This page lists every third party that processes data on our behalf, our current security posture, and the certification milestones we're working toward. We update it whenever we add or change a vendor.
Pilot environment — not authorized for CUI today.
Until our AWS GovCloud / FedRAMP Moderate cut-over completes, do not upload actual Controlled Unclassified Information. Use Cincra for assessment workflow, policy drafting, and POA&M tracking — keep CUI artifacts in your existing FedRAMP-Moderate environment and link to them from evidence records. The roadmap for this is on the Roadmap page.
Security posture
TLS 1.3 in transit. AES-256 at rest for database + object storage. Evidence files SHA-256 hashed in-browser at upload so manifests are tamper-evident.
Supabase Auth with Google OIDC. Session tokens are short-lived JWTs; refresh rotation enforced. Roles checked server-side via SECURITY DEFINER functions — never trusted from the client.
Every domain row carries org_id; PostgreSQL Row-Level Security enforces tenant isolation. Auditors get scoped, time-boxed engagement tokens — never raw credentials.
Every state-changing action writes a hash-chained entry to audit_logs (SHA-256 over canonicalized row + prev hash). Tampering breaks the chain on the next reseal.
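The hash-chaining scheme described above (and listed again under the SOC 2 coverage below), worked through as an added example that is not Cincra's code: the canonicalization (sorted-key compact JSON), the GENESIS sentinel, and the sample actions are assumptions made for illustration. It shows why an edited row, even one whose own hash is recomputed, is caught at reseal.

```python
import hashlib
import json

# Assumed sentinel for the first entry's prev_hash (not Cincra's actual value).
GENESIS = "0" * 64


def canonicalize(row: dict) -> bytes:
    """Deterministic encoding so the same row always hashes identically (assumed scheme)."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(row: dict, prev_hash: str) -> str:
    """SHA-256 over the canonicalized row concatenated with the previous entry's hash."""
    return hashlib.sha256(canonicalize(row) + prev_hash.encode()).hexdigest()


def append_entry(chain: list, row: dict) -> dict:
    """Record one state-changing action, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"row": row, "prev_hash": prev, "hash": entry_hash(row, prev)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Reseal check: recompute every link; return (ok, index_of_first_broken_entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(entry["row"], prev) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def demo() -> tuple:
    # Constructed sample actions for one tenant; org_id and ids are illustrative.
    chain = []
    append_entry(chain, {"org_id": 42, "actor": "alice", "action": "poam.create", "poam_id": 7})
    append_entry(chain, {"org_id": 42, "actor": "bob", "action": "evidence.upload", "sha256": "ab" * 32})
    append_entry(chain, {"org_id": 42, "actor": "alice", "action": "poam.close", "poam_id": 7})
    intact = verify_chain(chain)
    # An after-the-fact edit to the second row without updating its hash.
    chain[1]["row"]["actor"] = "mallory"
    tampered = verify_chain(chain)
    # If that entry's own hash is recomputed too, the next entry's prev_hash
    # no longer matches, so the break simply moves one link down the chain.
    chain[1]["hash"] = entry_hash(chain[1]["row"], chain[1]["prev_hash"])
    rehashed = verify_chain(chain)
    return intact, tampered, rehashed
```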
Certifications & attestations
Readiness assessment in progress with an independent CPA firm. Target report: Q4 2026.
Observation window opens immediately after Type I issuance. 6-month window; report targeted H1 2027.
Cincra runs its own platform through the product. Current SPRS score available on request under NDA.
Separate offering tracked on the public roadmap. Targets contractor workloads that must handle CUI.
We will pursue our own CMMC L2 certification ahead of the AWS GovCloud cut-over.
SOC 2 Trust Services Criteria — current coverage
Supabase Auth + Google OIDC, JWT rotation, has_role() SECURITY DEFINER checks server-side. No client-trusted role claims.
TLS 1.3 in transit, AES-256 at rest (Postgres + Backblaze B2). Evidence SHA-256 hashed in-browser; manifests are tamper-evident.
Hash-chained audit_logs per org. Weekly storage reconciliation cron alerts platform admins on orphans above threshold.
On-call rotation 24/7. Sev-1 ack ≤ 1 hour, status page update ≤ 2 hours, customer notice ≤ 24 hours for confirmed breach affecting their data.
Multi-AZ Postgres, point-in-time recovery (35 days), B2 versioned bucket with 30-day soft delete. RTO 4h / RPO 1h targets.
Tenant isolation via Postgres RLS + current_org_id(). Auditor access scoped via has_active_auditor_engagement(); time-boxed, hashed tokens.
Subprocessors
Live from public.subprocessors — not a static list.
We provide at least 30 days' notice via email to billing contacts before adding or replacing a subprocessor that processes customer data. Object to a change by replying to that notice; if we can't accommodate, you may terminate without penalty.
Data lifecycle
Customers own all assessment data, policies, POA&M items, and evidence files. We process strictly to operate the service; no training of foundation models on customer content.
Production data retained for the life of the subscription. On termination: 30-day grace window for self-serve export, then full purge within 60 days (DB rows + B2 objects + backups within next cycle). Audit logs retained 7 years per CMMC / DFARS expectation.
Sev-1 acknowledgement ≤ 1 hour. Status page update ≤ 2 hours. Customer notification ≤ 24 hours for any confirmed unauthorized access to tenant data. RCA shared within 5 business days.
Self-serve audit export (ZIP: assessment + controls + POA&M + policies + evidence manifest) at any time from /contractor/export. Full org export + deletion requests available from Settings → Danger Zone.
Responsible disclosure
Found a vulnerability? Email security@cincra.com with reproduction steps. We acknowledge within 2 business days and patch critical findings within 7. We don't yet run a paid bug bounty, but we credit researchers in release notes with permission.
Security questionnaire or DPA needed? Email trust@cincra.com and we'll respond within 1 business day.