Skip to main content
SecuritySOC 2 in preparation · NIST 800-171 mapped · FedRAMP 20x in preparation

Security you can audit.

We handle sensitive federal contracting data. Security isn't an afterthought — it's built into every layer of the platform.

Certifications

Where we stand on the frameworks that matter.

In preparation

SOC 2 Type II

A SOC 2 Type II audit covering Security, Availability, and Confidentiality is in preparation — controls are mapped to the Trust Services Criteria, but an independent CPA firm has not yet been engaged. Report available to Enterprise customers under NDA on completion.

Controls mapped

NIST 800-171

Controls mapped to NIST SP 800-171 for protecting Controlled Unclassified Information (CUI), including automatic redaction of sensitive identifiers before any third-party AI call (3.1.3), per-tenant access enforcement, and continuous-monitoring alerting. Formal assessment not yet undertaken.

In preparation (not yet authorized)

FedRAMP 20x

We are pursuing FedRAMP 20x (Low first). VETR runs in AWS GovCloud (us-gov-west-1) with all 46 Key Security Indicators mapped, an OSCAL System Security Plan, and continuous monitoring live (AWS Config + Security Hub + GuardDuty) — and we are preparing to engage an accredited 3PAO for the independent assessment. VETR is not yet FedRAMP-authorized.

Aligned

CMMC Level 2

Security controls aligned with CMMC Level 2 practices for organizations handling CUI in the defense industrial base.

WCAG 2.1 AA — 0 violations

Section 508

WCAG 2.1 Level AA: automated checks (axe-core runtime + ESLint jsx-a11y) report 0 violations across public and authenticated pages. A VPAT/ACR is maintained and available on request.

Program in place

Section 889

We maintain a review process for covered-telecommunications restrictions and supply-chain representations relevant to the platform environment. Detailed certifications available on request.

Controls

Six layers, one defense in depth.

The specifics, organized by category — every control reviewable, exportable, audit-ready.

01

Data Protection

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption for all data in transit
  • Encrypted backups with geographic redundancy
  • Strict per-organization data isolation — every query is tenant-scoped

02

CUI Safeguards

  • Automatic CUI/PII redaction (SSN, EIN, financial, classification markings) before any text reaches a third-party AI model
  • Raw model output and extracted document text are kept out of application logs
  • AI-assisted CUI scanner with human-in-the-loop review for proposals
  • Practices mapped to NIST SP 800-171 controls for protecting CUI

03

Access Control

  • Mandatory multi-factor authentication (MFA) enrollment
  • Role-based access control — read-only roles cannot mutate data
  • 12-character, breach-checked passwords with brute-force lockout
  • Single Sign-On (SSO) via SAML 2.0 — Enterprise

04

Application Security

  • SSRF protection — outbound/webhook requests are blocked from reaching internal or metadata endpoints
  • Signature-verified inbound webhooks (payments, e-signature)
  • Output sanitization against stored-XSS (HTML) and spreadsheet formula injection (CSV exports)
  • Content-type-verified uploads with optional malware scanning

05

Infrastructure

  • AWS-hosted with 99.9% uptime SLA
  • Automated security patching
  • DDoS protection via AWS Shield
  • Web Application Firewall (WAF)

06

Monitoring & Response

  • 24/7 infrastructure monitoring
  • Real-time intrusion detection
  • Automated anomaly alerting
  • Documented incident-response plan (target initial response < 4 hr)

07

Development

  • Security code review for all changes
  • Dependency vulnerability scanning
  • Third-party penetration testing (planned with 3PAO assessment)
  • OWASP Top 10 compliance checks

08

Audit & Privacy

  • Comprehensive audit logging
  • Append-only audit logs (WORM/object-lock archival in progress)
  • Data retention and deletion controls
  • Privacy-by-design architecture
FedRAMP 20x Roadmap

Where we are on the FedRAMP path — milestone by milestone.

We publish our security roadmap because veteran-owned contractors deserve transparency, not vague compliance theater. Update cadence: quarterly.

Phase 1 — Foundation (Complete)

Complete
  • AES-256 at rest, TLS 1.3 in transit
  • AWS multi-AZ deployment
  • Append-only audit logging + 7-year retention (WORM archival in progress)
  • CUI redaction service shipped

Phase 2 — NIST 800-171 self-attestation documented (gaps tracked in POA&M)

Complete
  • 110-control NIST SP 800-171 r2 mapping documented
  • POA&M (Plan of Action and Milestones) maintained
  • CMMC L2 alignment review complete

Phase 3 — SOC 2 Type II audit (in preparation, not yet certified)

In progress
  • Preparing to engage an independent CPA firm; observation window not yet started
  • Type II report to follow the observation window
  • Available to Enterprise customers under NDA on completion

Phase 4 — FedRAMP 20x assessment (in preparation, not yet authorized)

In progress
  • Preparing to engage an accredited 3PAO for the independent assessment + penetration test
  • OSCAL System Security Plan + Body-of-Evidence package prepared
  • All 46 Key Security Indicators (KSIs) mapped; continuous monitoring live

Phase 5 — FedRAMP 20x authorization (planned, not yet authorized)

Planned
  • Independent 3PAO assessment → KSI validation → FedRAMP Marketplace listing
  • Starting at 20x Low; Moderate to follow
  • Built for veteran-owned / set-aside contractors handling CUI
Responsible Disclosure

Found a vulnerability? Tell us.

We acknowledge valid reports within 48 hours and work with researchers in good faith. No lawyers, no surprises.

Need our security package?

Enterprise customers receive SOC 2 reports, pen-test summaries, and architecture reviews under NDA.