Trust Center

CUcomputer

by Community Shared SuperIntelligence

How we protect credit-union data, the standards we map to, the controls we run, and how to request our audit package.

Posture nominal
Last reviewed
May 2026
Pen test cadence
Annual
Reportable breaches
None
Tenant model
Single-tenant
Per-customer Azure environment
Hosting
Microsoft Azure
Canada Central + East US
Encryption — in transit
TLS 1.2+
HTTPS-only, HSTS enforced
Encryption — at rest
AES-256
Azure Key Vault managed
Identity
Entra External ID
MFA always-on
Audit log retention
7 years
Append-only, exportable
Uptime objective
99.95%
Cross-region failover
RTO / RPO
≤ 4 h / ≤ 24 h
Tested annually
NIST CSF 2.0
Govern · Identify · Protect · Detect · Respond · Recover
NIST AI 600-1
Generative AI Profile of the AI RMF
Microsoft Zero Trust
Identity, device, and network verification on every request
OWASP ASVS
Application-tier verification baseline
PIPEDA
Canadian personal information protection compliance
GDPR / CCPA
EU + California data subject rights honoured
SOC 2 Type II
Audit in progress

Trust Services Criteria: Security, Availability, Confidentiality. Audit window opens H2 2026.

Request bridge letter
NIST AI 600-1
Aligned

Generative AI Profile of the AI Risk Management Framework — controls mapped, evidence collected.

Mapping under NDA
NIST CSF 2.0
Aligned

Cybersecurity Framework — Govern, Identify, Protect, Detect, Respond, Recover.

Crosswalk under NDA
PIPEDA
Compliant

Canadian personal information protection — full lawful basis tracking and DSAR workflow.

GDPR / CCPA
Compliant

EU and California data subject rights — access, rectification, erasure, portability honoured.

OSFI Guideline E-23
Aligned

Canadian model risk management for federally regulated institutions.

NCUA Letter 26-CU-01
Mapped

US fair-lending and model risk management priorities for credit unions.

PCI DSS
Out of scope

CUcomputer does not store, process, or transmit cardholder PAN data.

ISO 27001
Roadmap

Targeted post-SOC 2 to ease international procurement.

Audit letters, penetration test executive summaries, and our Information Security Policy are released to qualified prospects and customers under a mutual NDA. Use Request security package to start the workflow.
Documents

Policies, attestations, and legal artifacts.

Policies and attestations are released once an NDA is in place. Public documents are linked directly.

Information Security Policy
NDA
Request
Acceptable Use Policy
NDA
Request
Data Processing Agreement (DPA)
NDA
Request
Sub-processor List (named)
NDA
Request
Business Continuity & Disaster Recovery Plan
NDA
Request
Incident Response Plan
NDA
Request
Vendor Risk Management Policy
NDA
Request
Encryption & Key Management Policy
NDA
Request
Access Control Policy
NDA
Request
Change Management Policy
NDA
Request
Penetration Test — Executive Summary (latest)
NDA
Request
SOC 2 Bridge Letter
On request post-audit
Request
Privacy Policy
Public
View
Terms of Service
Public
View
Vulnerability Disclosure Policy
Public
View
Standard MSA — security exhibit excerpt
On request
Request
  • Sign-in is brokered through Microsoft Entra External ID (CIAM). No locally-stored passwords.
  • Multi-factor authentication is mandatory for every user — admin and standard. MFA cannot be disabled.
  • Session JWTs are short-lived. Privileged operations require step-up authentication.
  • Role-based access control (RBAC) — every API call validates tenant scope and role on the server side.
  • Service accounts and API keys are stored in a tenant-scoped Azure Key Vault and rotated on a published cadence.
  • Access reviews of internal staff are performed semi-annually. Deprovisioning is automated on HR offboarding events.
  • Privileged Identity Management (PIM): production access is just-in-time and time-bound, not standing.
  • Failed-login lockout, password complexity, and credential breach detection are inherited from Entra.
  • All traffic served over TLS 1.2+ with HSTS preload. Weak ciphers and SSL/TLS 1.0/1.1 are disabled.
  • Data at rest encrypted with AES-256 using FIPS 140-2 validated cryptographic modules.
  • Customer-bound keys held in Azure Key Vault — one vault per tenant. Platform staff cannot read tenant secrets.
  • Key rotation is automated for managed keys; customer-managed keys are supported on request.
  • Application secrets never appear in source code, environment files, or container images.
  • JWT signing keys rotate on a fixed schedule. Old tokens are explicitly invalidated.
  • Single-tenant architecture: every customer gets a dedicated Azure resource group, database, key vault, and search index.
  • Cross-tenant access is structurally impossible — there is no global accessor in the data path.
  • The query engine is bound to the authenticated tenant via a server-side context; tenant ID cannot be overridden by client input.
  • Connection IDs prevent data collision when multiple accounts of the same source are connected.
  • Backups inherit the same isolation policy as primary stores. There is no shared backup store.
  • Customer data is exportable on demand via authenticated, signed URL.
  • Web application firewall on the edge with managed rule sets (OWASP Top 10, bot mitigation).
  • DDoS protection at the platform tier.
  • Internal services communicate over private virtual networks; no production database is publicly addressable.
  • Strict CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers enforced site-wide.
  • All administrative access requires VPN + MFA + privileged role activation.
  • Inbound IP allow-listing available on customer request.
  • Mandatory peer code review on every change. No direct push to production branches.
  • Branch protection enforces required reviewers, signed commits, and passing CI before merge.
  • Static application security testing (SAST) on every PR via GitHub Advanced Security.
  • Dependency vulnerability monitoring via Dependabot — high/critical findings block merge.
  • Software supply chain hardening: every npm and pip dependency is pinned to an exact version. Overrides forcibly pin transitive versions of any package known to have been compromised.
  • Annual third-party penetration test (network + application). Critical and high findings are remediated before release.
  • Threat modeling on major feature releases. Security review is part of the release checklist.
  • Segregated environments: development, staging, and production. No production data in non-production environments.
  • Secrets scanning blocks commits containing credential-shaped strings.
  • Infrastructure-as-code: every cloud resource is provisioned through reviewed templates.
  • All changes follow Git-based change management — pull request, review, approval, automated deployment.
  • Production deployments are auditable: who deployed what, when, with which review trail.
  • Patch management is automated for managed services; we track first-party CVE feeds for our runtime stack.
  • Configuration drift detection runs continuously against expected state.
  • All authentication events, secret accesses, and AI tool calls are logged with actor, input, output, and timestamp.
  • Audit logs are append-only with 7-year retention. Customer administrators can export their tenant log on demand.
  • Detection-as-code rules cover credential abuse, anomalous tenant access, and prompt-injection patterns.
  • Application performance and security telemetry feed a 24/7 alerting pipeline.
  • Continuous secrets monitoring on internal repositories.
  • Documented Incident Response Plan with named owner, severity matrix, and customer notification SLAs.
  • Severity-1 incidents trigger customer notification within 24 hours of confirmation.
  • Tabletop incident exercises run at least annually.
  • Post-incident reviews are written, retained, and acted on. Findings feed our control roadmap.
  • Reportable privacy incidents to date: zero.
  • Primary region active-warm with cross-region replication of databases and object storage.
  • Recovery Time Objective (RTO): ≤ 4 hours. Recovery Point Objective (RPO): ≤ 24 hours.
  • Annual BCP/DR exercise — restoration is tested end-to-end, not just declared.
  • Backups are encrypted, versioned, and immutable. Restoration playbooks are kept in escrow.
  • Uptime SLA: 99.95% in standard agreements; higher tiers available.
  • Customer data export available within 30 days of contract end.
  • Critical-vendor risk review before any new subprocessor is integrated.
  • Subprocessors are restricted to least-privilege access. No third party has production data access.
  • Subprocessor SLAs and BCP/DR plans are confirmed at onboarding and reviewed at renewal.
  • Customer notification before any material subprocessor change, with an objection window.
  • Background checks mandatory for all employees and contractors with production access.
  • Confidentiality and IP-assignment agreements signed at hire.
  • Acceptable Use Policy and Information Security Policy reviewed and acknowledged annually.
  • Security and privacy training on hire and every six months thereafter.
  • Role-separation between development, deployment, and customer-data access where commercially feasible.
  • Company-managed endpoints: full-disk encryption, MDM-enforced screen lock, automated patching.
  • EDR / antivirus on every workstation. Tampering is detected and alerted.
  • Production access from approved devices only.
  • Physical security of data centres is inherited from our cloud provider's SOC 2 + ISO 27001 attestations — we operate no private data centres.
  • Data minimization: we collect only what's needed for the service, and only at the boundary you connect.
  • Customer data is never used to train, fine-tune, or improve any model that benefits another customer.
  • Data Subject Access Request (DSAR) workflow honours access, rectification, erasure, and portability.
  • Personal information is segregated from operational telemetry; PII in logs is redacted at write time.
  • Data residency: hosting region selected at provisioning. Cross-border transfer requires explicit configuration.
  • Customer data deletion within 30 days of contract end, with written attestation on request.
  • Every external AI action — email, post, message, payment, export — passes through a human-approval gate before execution.
  • Reasoning model providers operate under zero-retention enterprise agreements. Prompts are not stored, logged, or used for training.
  • Tool-use permissions are scoped per agent, per tenant, and per role. Agents cannot reach data the user could not.
  • Every prompt, tool call, and tool result is logged. Replay is supported for forensics.
  • Output validation: SQL is validated before execution; external content is reviewed before send.
  • Prompt-injection and jailbreak resistance is part of the release-test checklist.
  • Annual enterprise-risk assessment. Risk register reviewed quarterly.
  • Internal control testing on the SOC 2 control set; external auditor engagement in progress.
  • Customer audit rights: the standard MSA permits scheduled security and compliance audits under NDA.
  • Material litigation: none.
  • Security awareness training within 30 days of hire and every six months thereafter.
  • Role-specific training: secure coding for engineers, privacy for support, fraud awareness for customer ops.
  • Phishing simulations run on a rolling basis. Failures route to remedial training, not punitive action.
Where is our data stored?

By default in Microsoft Azure Canada Central, with cross-region replication to East US for disaster recovery. Customer-elected residency is supported at provisioning.

Do you train your AI on our data?

No. Customer data is never used to train, fine-tune, or improve any model. Our model providers operate under zero-retention enterprise agreements — your prompts are not stored or logged on their side.

Can we get a single-tenant or on-premises deployment?

Single-tenant is the default — every customer runs in their own dedicated Azure environment. Self-hosted deployment in a customer-owned Azure subscription is available for enterprise contracts.

What happens if a region fails?

We fail over to the secondary region. RTO is ≤ 4 hours and RPO is ≤ 24 hours. The runbook is exercised annually under the BCP/DR program.

Who at CUcomputer can access our data?

Production access is limited to a named on-call engineering rotation, just-in-time-elevated, time-bound, and audited. No third party has production access. Access reviews run semi-annually.

How do we revoke access if we offboard?

Customer admins can revoke any user from the admin console. Connectors are revocable per-source. On contract end, your data is exported within 30 days and deleted with written attestation on request.

Have you ever had a security or privacy breach?

No reportable breaches to date.

How do we report a vulnerability?

Email trust@cucomputer.com with the subject 'Security disclosure'. We acknowledge within one business day and triage within three.

Where do we send a privacy request (DSAR, deletion, export)?

Email privacy@cucomputer.com. Requests are acknowledged within five business days and resolved within the regulatory window of your jurisdiction.

Is CUcomputer SOC 2?

SOC 2 Type II audit is in progress. We can provide an auditor engagement letter and our internal control mapping under NDA today, and a bridge letter once the report issues.

Do you carry cyber insurance?

Yes — comprehensive general business, professional liability, and cyber liability coverage. Certificates of insurance are released under NDA.

Responsible disclosure

Found something? Tell us first.

We acknowledge within one business day, triage within three, and credit you publicly with permission once the issue is fixed.

Out of scope: denial-of-service testing, social engineering of employees, physical attacks, and automated scanner output without a working proof of concept.

trust@cucomputer.comTalk to an engineer