Trust Center

CAIQ-Lite

Cloud Security Alliance CAIQ v4.0 (lite subset, ~50 most-asked questions for mid-market B2B sales). Full CAIQ v4.0 (~270 questions) available on request via security@powerquant.dk.

Last updated 2026-05-05. Reviewer: pending specialiseret IT-/AI-advokatfirma security/compliance counsel.

Application + Interface Security (AIS)

ID	Question	PowerQuant answer
AIS-01	Application security policies documented?	Yes. SECURITY.md + pre-commit secret-leak prevention.
AIS-02	Vulnerability assessments run regularly?	Quarterly external code-review. Trivy scans on Docker images.
AIS-03	Penetration tests conducted?	Annual third-party pen-test scheduled post-Day-180 milestone.

Audit Assurance + Compliance (AAC)

ID	Question	PowerQuant answer
AAC-01	SOC 2 Type II?	Roadmap Day 545 (post 75K kr/md MRR gate). Currently pre-SOC-2; manual evidence kit.
AAC-02	ISO 27001?	Not currently certified. Internal controls map to ISO 27002 reference.
AAC-03	EU GDPR compliance?	Yes. Article 28 DPA available. DPO: dpo@powerquant.dk.
AAC-04	EU AI Act compliance?	AI provider per Article 4. Article 4 register maintained. Article 50 disclosure on /trust/article-50.
AAC-05	NIS2 compliance?	Sub-50 FTE / sub-75M kr revenue → not directly classified essential or important entity. Support customers' Article 21(d) supplier-oversight obligations.

Business Continuity + Operational Resilience (BCR)

ID	Question	PowerQuant answer
BCR-01	Backup strategy?	Hetzner encrypted snapshots, 30-day rolling. Restore-tested quarterly.
BCR-02	RPO / RTO?	RPO ≤24h. RTO ≤4h tier-1 systems.
BCR-03	Disaster recovery plan?	Documented internally; sample available NDA-bound.

Change Control + Configuration Management (CCC)

ID	Question	PowerQuant answer
CCC-01	Change-management process?	All canonical-path changes require Council pre-flight (multi-agent + human sign-off) + signed audit-log entry.
CCC-02	Code review before deploy?	Yes. Pre-commit hook + Tech Sentinel review.

Data Security + Lifecycle (DSL)

ID	Question	PowerQuant answer
DSL-01	Data classification?	Customer data classified customer-confidential. Strategic data internal-confidential.
DSL-02	Encryption at rest?	Hetzner volumes (LUKS). Supabase Postgres native.
DSL-03	Encryption in transit?	TLS 1.3 enforced. HSTS on powerquant.dk.
DSL-04	Key management?	Ed25519 signing keys, 0600 perms, rotation-ready.
DSL-05	Data retention?	Customer evidence-bundles 7 years (audit-trail). Logs 90 days. PII minimised.

Datacenter Security (DCS)

ID	Question	PowerQuant answer
DCS-01	Datacenter certifications?	Hetzner DE: ISO 27001/27017/27018 + EN 50600. Vercel: SOC 2 Type II + ISO 27001. Supabase: SOC 2 Type II + HIPAA.
DCS-02	Physical security?	Hetzner: badge + biometric + 24/7 staff. Vercel: AWS-tier physical security.

Encryption + Key Management (EKM)

ID	Question	PowerQuant answer
EKM-01	Key rotation?	Quarterly review; immediate rotation on suspicion.
EKM-02	HSM / KMS?	File-system-stored Ed25519 keys, 0600 perms. HSM migration scheduled Day 545+ pre-SOC-2.

Governance + Risk Management (GRM)

ID	Question	PowerQuant answer
GRM-01	Risk-assessment process?	Quarterly Council pre-flight on roadmap. Annual external code-review.
GRM-02	Policies + procedures?	Internal canonical repo (read-only for non-founder).
GRM-03	Insurance?	E&O + cyber insurance scheduled (~90-165K kr/år budget allocated).

Human Resources Security (HRS)

ID	Question	PowerQuant answer
HRS-01	Background check?	Founder + Technical Officer: Danish CVR-listed; criminal record check on request.
HRS-02	Security training?	Annual self-administered + IAPP CIPP/E + AIGP credentialing for founder (in progress).
HRS-03	Off-boarding?	Documented runbook (one founder + one Technical Officer currently).

Identity + Access Management (IAM)

ID	Question	PowerQuant answer
IAM-01	MFA enforcement?	Yes — GitHub, Stripe, Hetzner, Supabase, Cloudflare all MFA-enforced.
IAM-02	RBAC?	Founder = root. Technical Officer = read-only canonical + write omega/agents.
IAM-03	Access reviews?	Quarterly. Documented in audit-log.
IAM-04	Privileged access management?	sudo NOPASSWD only on dedicated deploy user; bot runs as unprivileged agent.

Infrastructure + Virtualisation Security (IVS)

ID	Question	PowerQuant answer
IVS-01	Network segmentation?	Hetzner private VLAN between web/db. Cloudflare WAF in front.
IVS-02	Hardening?	CIS-baseline applied to Hetzner Ubuntu 24.04 LTS. UFW + fail2ban.

Security Incident, Event Forensics (SEF)

ID	Question	PowerQuant answer
SEF-01	Incident-response plan?	Documented internally. Notification: 24h to customer, 72h GDPR Article 33.
SEF-02	Recent incidents?	None currently disclosable as of 2026-05-05.

Supply Chain Management (STA)

ID	Question	PowerQuant answer
STA-01	Sub-processor list?	/trust/sub-processors — 10 entries (Hetzner, Cloudflare, Vercel, Supabase, Anthropic, OpenAI, Cohere, Stripe, Resend, Telegram).
STA-02	Sub-processor changes?	30-day customer notice + 14-day objection window.

Threat + Vulnerability Management (TVM)

ID	Question	PowerQuant answer
TVM-01	CVE monitoring?	Daily Trivy scan + npm audit + pip-audit on dependencies.
TVM-02	Patch management?	Critical CVEs: 24-72h. High: 7 days. Medium: 30 days.

AI-Specific (PowerQuant addendum)

ID	Question	PowerQuant answer
AI-01	Models used?	Anthropic Claude, Google Gemini, Groq Llama, OpenAI GPT. Heterogeneous failover.
AI-02	Training data?	We do NOT fine-tune on customer data. Anthropic + OpenAI confirm zero-retention API mode.
AI-03	Prompt-injection defence?	Anti-fab veto + verbatim-grep + Council 4-method consensus.
AI-04	Hallucination defence?	Every claim cross-checked against primary EU regulation text. Ed25519 signature on each approval.
AI-05	Article 50 disclosure?	Yes. /trust/article-50.