grc.engineering
TRUST CENTER

Our own security, out in the open.

A CMMC consultancy should hold itself to the standard it sells. This page is the honest version — what we actually do, what we haven't done yet, and where our supply chain lives.

Data we collect (and what we don't)

From prospects minimal

Tool-form submissions (email, name, self-reported SPRS score, free-text message). Stored in Cloudflare Workers KV in the EU/US edge network. Retention: 24 months, then deleted.

From clients per engagement

We execute against a read-only IAM role in your AWS account: no write access, and nothing is copied out of your account. Findings are written to an S3 bucket you own, not one of ours.

CUI, PHI, SSP content never

Our infrastructure is explicitly out of scope for CMMC L2 and HIPAA by design. CUI telemetry never leaves client boundaries. See ADR-003.

Analytics cookie-free

Cloudflare Web Analytics only. No Google Analytics, no Facebook pixel, no session replay. No cookie banners because no cookies.

Supply chain

Every artifact we publish is version-pinned, checksummed with SHA-256, and traceable to its upstream source. The pinned OSCAL catalogs we build SSPs from live at signalplane.co/registry; each version ships with a PROVENANCE.md and a SHA256SUMS manifest, so a consumer can pin the manifest digest in their own repository and verify every file against it before use.

Component | Source | Pinning
NIST SP 800-171 Rev 3 catalog | usnistgov/oscal-content | sha256, see registry
NIST SP 800-171 Rev 2 catalog | FATHOM5CORP/oscal (CC0-1.0) | sha256, see registry
Prowler compliance fork | prowler-cloud/prowler | schema-compatible fork in controls/cmmc-l2/compliance.json
compliance-trestle | oscal-compass/compliance-trestle 4.0.1 | version-pinned in requirements.txt
SOCFortress CoPilot | socfortress/CoPilot | deployed per-client, hardened per ADR-015
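How a consumer of the registry can check a pulled version before building an SSP from it, as an added example written for this page (it is not the registry's own tooling). It assumes the SHA256SUMS manifest uses the `sha256sum` line format ("<hex digest>  <filename>"), that the consumer has previously recorded the digest of the manifest itself (the "pin"), and it builds a throwaway registry directory with a constructed catalog file so it runs offline; the catalog filename and contents are made up for the demo.

```python
"""Verify one registry version: pinned manifest digest first, then every listed file.

Added example for the trust page; not the registry's own code. The SHA256SUMS
format assumed here is the one `sha256sum` writes and `sha256sum -c` reads.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse '<64 hex>  <name>' (or '<64 hex> *<name>') lines into {name: digest}.

    Rejects malformed digests and any name that is not a bare filename, so a
    tampered manifest cannot point the verifier outside the registry directory.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) < 67 or line[64] != " " or line[65] not in " *":
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry")
        digest, name = line[:64].lower(), line[66:]
        if not set(digest) <= HEX:
            raise ValueError(f"SHA256SUMS line {lineno}: digest is not hex")
        if not name or os.path.basename(name) != name or name in (".", ".."):
            raise ValueError(f"SHA256SUMS line {lineno}: unsafe filename {name!r}")
        entries[name] = digest
    return entries


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path: str, expected_hex: str) -> bool:
    """Compare a file's digest against a digest the consumer pinned earlier."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_manifest(directory: str, manifest: str = "SHA256SUMS") -> dict[str, str]:
    """Check every file the manifest lists: OK, FAILED (digest mismatch) or MISSING."""
    with open(os.path.join(directory, manifest), encoding="utf-8") as f:
        entries = parse_sha256sums(f.read())
    results: dict[str, str] = {}
    for name, digest in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def build_demo_registry() -> tuple[str, str]:
    """Constructed stand-in for one registry version (demo data, not real catalogs).

    Returns (directory, pinned digest of SHA256SUMS). After the manifest is written
    the provenance file is altered and one listed file is left absent, so the
    verifier has a mismatch and a gap to report.
    """
    d = tempfile.mkdtemp(prefix="registry-demo-")
    catalog = os.path.join(d, "nist-800-171-rev3-catalog.json")  # hypothetical name
    prov = os.path.join(d, "PROVENANCE.md")
    with open(catalog, "w", encoding="utf-8") as f:
        f.write('{"catalog": {"metadata": {"title": "demo catalog"}}}\n')
    with open(prov, "w", encoding="utf-8") as f:
        f.write("# Provenance\nupstream: demo\n")
    lines = [f"{sha256_file(p)}  {os.path.basename(p)}" for p in (catalog, prov)]
    lines.append(f"{hashlib.sha256(b'').hexdigest()}  missing.json")  # never shipped
    manifest = os.path.join(d, "SHA256SUMS")
    with open(manifest, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    pin = sha256_file(manifest)  # what the consumer would record in their own repo
    with open(prov, "a", encoding="utf-8") as f:
        f.write("tampered after publication\n")
    return d, pin


def run_demo() -> dict:
    """Run the two-step check against the constructed registry."""
    d, pin = build_demo_registry()
    return {
        "manifest_pinned": verify_pinned(os.path.join(d, "SHA256SUMS"), pin),
        "files": verify_manifest(d),
    }


if __name__ == "__main__":
    print(run_demo())
```

The order matters: the manifest is only as trustworthy as its own digest, so pin that digest in the consuming repository and check it first; `sha256sum -c SHA256SUMS` alone tells you the files match the manifest you were handed, not that the manifest is the one you reviewed. A SHA-256 sum is an integrity check, not a signature: it does not tell you who published the manifest.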

Our stack — at a glance

Surface | Where it runs | What it knows
signalplane.co | Cloudflare Pages (static) | No server-side state; all tools run client-side.
/api/lead | Cloudflare Worker | Lead form payloads, honeypot-filtered, stored in KV.
/registry/ | Cloudflare Pages (static) | Public OSCAL catalogs only; no client data.
Engagement tooling | CI on GitHub Actions with pinned action versions | Runs against client AWS accounts through a read-only role.

Vulnerability disclosure

Report security issues to security@signalplane.co. We respond within 72 hours. Public disclosure policy: coordinated, with a 90-day window unless actively exploited. See also security.txt.

What we haven't done yet

Honest list — we'll update as things move.

Legal

Privacy Policy · Terms of Service · DMCA/abuse: abuse@signalplane.co