Our own security, out in the open.
A CMMC consultancy should hold itself to the standard it sells. This page is the honest version — what we actually do, what we haven't done yet, and where our supply chain lives.
Data we collect (and what we don't)
From prospects (minimal)
Tool-form submissions (email, name, self-reported SPRS score, free-text message). Stored in Cloudflare Workers KV in the EU/US edge network. Retention: 24 months, then deleted.
From clients (per engagement)
We execute against a read-only IAM role in your AWS account — no write access, no data exfiltration. Findings live in your S3 bucket, not ours.
CUI, PHI, SSP content (never)
Our infrastructure is explicitly out of scope for CMMC L2 and HIPAA by design. CUI telemetry never leaves client boundaries. See ADR-003.
Analytics (cookie-free)
Cloudflare Web Analytics only. No Google Analytics, no Facebook pixel, no session replay. No cookie banners because no cookies.
Supply chain
Every artifact we publish is pinned, sha256-signed, and traceable to its upstream source. The pinned OSCAL catalogs we build SSPs from live at signalplane.co/registry — each version ships with PROVENANCE.md and SHA256SUMS.
| Component | Source | Pinning |
|---|---|---|
| NIST SP 800-171 Rev 3 catalog | usnistgov/oscal-content | sha256, see registry |
| NIST SP 800-171 Rev 2 catalog | FATHOM5CORP/oscal (CC0-1.0) | sha256, see registry |
| Prowler compliance fork | prowler-cloud/prowler | schema-compatible fork in controls/cmmc-l2/compliance.json |
| compliance-trestle | oscal-compass/compliance-trestle 4.0.1 | version-pinned in requirements.txt |
| SOCFortress CoPilot | socfortress/CoPilot | deployed per-client, hardened per ADR-015 |
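As a check a consumer of the registry can run before building an SSP from a pinned catalog, here is an added example (not signalplane's own tooling) that parses a coreutils-style SHA256SUMS file and verifies every listed artifact, reporting both tampered and missing files. The file names and contents are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse coreutils-style SHA256SUMS lines ('<hex>  <path>') into {path: hex}."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or any(c not in "0123456789abcdef" for c in parts[0].lower()):
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {raw!r}")
        expected[parts[1].lstrip("*")] = parts[0].lower()  # leading '*' marks binary mode
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_registry(root, sums_text):
    """Return (ok, mismatched, missing); ok only if every pinned artifact exists and matches."""
    mismatched, missing = [], []
    for rel, digest in sorted(parse_sha256sums(sums_text).items()):
        path = Path(root, rel)
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != digest:
            mismatched.append(rel)
    return (not mismatched and not missing, mismatched, missing)

def demo():
    """Constructed sample registry: one clean catalog, one tampered, one listed but absent."""
    root = Path(tempfile.mkdtemp())
    good = b'{"catalog": "sample rev3"}'
    original_rev2 = b'{"catalog": "sample rev2"}'
    (root / "catalog-rev3.json").write_bytes(good)
    (root / "catalog-rev2.json").write_bytes(b'{"catalog": "tampered"}')  # differs from pinned digest
    sums = "\n".join([
        hashlib.sha256(good).hexdigest() + "  catalog-rev3.json",
        hashlib.sha256(original_rev2).hexdigest() + "  catalog-rev2.json",
        "0" * 64 + "  PROVENANCE.md",  # pinned but never written: reported as missing
    ]) + "\n"
    return verify_registry(root, sums)  # (False, ['catalog-rev2.json'], ['PROVENANCE.md'])
```

Any non-empty mismatched or missing list means the download should be discarded rather than used for SSP generation.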
Our stack — at a glance
| Surface | Where it runs | What it knows |
|---|---|---|
| signalplane.co | Cloudflare Pages (static) | No server-side state. All tools run client-side. |
| /api/lead | Cloudflare Worker | Lead form payloads, honeypot-filtered, stored in KV. |
| /registry/ | Cloudflare Pages (static) | Public OSCAL catalogs only. No client data. |
| Engagement tooling | GitHub-Actions-pinned CI | Runs against client AWS accounts via read-only role. |
Vulnerability disclosure
Report security issues to security@signalplane.co. We respond within 72 hours. Public disclosure policy: coordinated, with a 90-day window unless actively exploited. See also security.txt.
What we haven't done yet
Honest list — we'll update as things move.
- Not yet: SOC 2 Type II — not relevant to our risk profile pre-first-client; will pursue once sustained client volume warrants it.
- In progress: Public SBOM (CycloneDX) — scaffolded, publishing to /registry/sbom/ on next release.
- In progress: copilot-log-notary sidecar (ADR-014) — Rekor-backed tamper-evident log notary for per-client CoPilot deployments.
Legal
Privacy Policy · Terms of Service · DMCA/abuse: abuse@signalplane.co