Trust FAQ & security questionnaire
The questions procurement asks before a trial, answered up front and grounded in our real posture. Download the full CAIQ-style pack for your review, or read the common answers here. Where a fact is one only we can confirm in writing, we say so rather than overstate a control.
Last updated 27 June 2026
Download the questionnaire pack
The full pack mirrors CAIQ-style controls across data protection, tenant isolation, sub-processors, incident response, retention, and application security — version 2026-06.1. Items flagged for confirmation state the honest current position.
Data protection & credentials model
- DCM-01: Do you store standing credentials to the customer's cloud environments?
- No. We store no standing write credential to any connected cloud. Microsoft reads run under read-only consent (or a customer-owned app registration whose secret is encrypted in our vault); AWS reads use sts:AssumeRole with a per-customer external ID; GCP reads use workload identity federation. Remediation writes use a session-only delegated token authorized by the customer's admin, held in memory for under an hour.
- DCM-02: Is data encrypted in transit and at rest?
- Yes. All connections use TLS in transit. Database storage is encrypted at rest by our managed-database sub-processor, and OAuth tokens are additionally encrypted at the application layer.
- DCM-03: Is the product read-only against customer environments?
- Reads are read-only across every connected Microsoft, AWS, and GCP cloud. The only write path is the session-only delegated remediation flow the customer explicitly authorizes; operators are blocked from write actions by an assertReadOnly boundary.
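The AWS arrangement in DCM-01 can be checked from the customer side by auditing the trust policy on the role the vendor assumes. The following is an added example, not code from this page or from the vendor; the role ARN, account ID, external ID and function names are constructed placeholders.

```python
# Added example: audit a cross-account trust policy for the external-ID condition.
# The role ARN, account ID and external ID are constructed placeholders.
VENDOR_ROLE = "arn:aws:iam::111122223333:role/vendor-reader"  # hypothetical
EXTERNAL_ID = "constructed-external-id-customer-a"            # hypothetical

def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_principal, expected_external_id):
    """Return findings; an empty list means the role trusts only the vendor
    principal and only when the expected external ID is presented."""
    findings, grants = [], 0
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        grants += 1
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws = _as_list(principal.get("AWS"))
        else:
            aws = _as_list(principal)  # covers the bare "*" form
        if not aws or any(p != vendor_principal for p in aws):
            findings.append(f"statement {i}: principal is not limited to the vendor role")
        # Only StringEquals pins the value exactly; condition keys are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = _as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid"))
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: unexpected sts:ExternalId value")
    if grants == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings

def _policy(principal, condition=None):
    """Build a one-statement trust policy (constructed sample input)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

PINNED = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
GOOD = _policy({"AWS": VENDOR_ROLE}, PINNED)
NO_EXTERNAL_ID = _policy({"AWS": VENDOR_ROLE})
WILDCARD = _policy({"AWS": "*"}, PINNED)
```

A trust policy that passes this check still needs its attached permission policies reviewed separately to confirm the role is read-only.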
Tenant isolation & access control
- IAC-01: How is customer data isolated?
- Every query is scoped by customer ID at the application boundary, and cross-customer isolation is enforced by an automated end-to-end test that is a deploy blocker. Data from all of a customer's connected clouds is isolated to that customer.
- IAC-02: How is internal access to customer data controlled?
- Access is role-limited and least-privilege. A read-only operator console exists for support; opening it requires the customer's explicit, revocable consent, every operator read is recorded in the customer's audit log, and a customer-controlled kill-switch ends any live operator session. [Pending written confirmation]
- IAC-03: Do you enforce MFA and SSO for internal access?
- Internal access to the platform authenticates through Microsoft Entra ID. Confirm the enforced conditional-access / MFA posture for staff before treating this as a committed control. [Pending written confirmation]
Sub-processors & data residency
- SDR-01: Who are your sub-processors?
- The maintained, versioned register lists each sub-processor, its purpose, the data categories it processes, its region, and its transfer basis, plus our change-notification commitment. See the sub-processor register in the Trust Center.
- SDR-02: Where is data stored and processed?
- The data-residency statement gives the layer-by-layer location of storage and processing and the cross-border transfer basis for each hop (standard contractual clauses, and the Data Privacy Framework where a sub-processor is certified). The controller entity, DuneCodeForge Ltd, is UAE-incorporated.
Incident response & breach notification
- IRB-01: What is your breach-notification commitment?
- We notify affected customers of a personal-data breach within the timeframe stated on our breach-notification page, with the nature of the breach, likely consequences, and measures taken — the notice that lets a customer meet its own regulator obligation (for UK controllers, the 72-hour ICO window).
- IRB-02: What is your incident-response process and maturity?
- We contain, investigate scope, revoke affected credentials on our side, and notify. The formal incident-response runbook, tabletop cadence, and program maturity are facts the founder must confirm before they are represented as a committed program. [Pending written confirmation]
Retention, deletion & continuity
- RDC-01: What is your data-retention and deletion policy?
- Inventory state is replaced each sync; activity-log and findings windows are tier-based and published. On account closure, customer-scoped data is deleted within a 30-day frozen deletion window, or immediately on request, save for billing/tax and deletion-audit records the law requires.
- RDC-02: What happens to our data if you are breached, acquired, or wound down?
- The data-continuity statement answers all three: containment + notification on breach; successor obligations, notice, and a termination right on acquisition; and the 30-day frozen deletion window plus an export-before-shutdown commitment on wind-down. A compromise of Permafrost is not a compromise of your clouds because no standing write credential is stored.
Application & infrastructure security
- AIS-01: Do you perform penetration testing and vulnerability scans?
- Penetration-test cadence and provider are facts the founder must confirm. We operate a vulnerability-disclosure policy with a published reporting channel and safe-harbor terms; see the vulnerability-disclosure page. [Pending written confirmation]
- AIS-02: How do you monitor and capture application errors?
- Error monitoring is first-party: errors are captured in our own infrastructure with secrets and customer PII scrubbed at the point of capture. No customer error data is sent to a third-party error-tracking provider.
- AIS-03: Do you conduct employee background checks and security training?
- Background-check policy and security-training cadence are facts the founder must confirm before they are represented as committed controls. [Pending written confirmation]
Compliance & certifications
- CMP-01: Which certifications do you hold?
- The certification-status page states, with dates, what Permafrost holds, what is underway, and what is inherited from the infrastructure provider. We never list a certification we do not hold as held. [Pending written confirmation]
- CMP-02: Which laws govern your processing?
- The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) governs, and we honor the EU and UK GDPR and the California CCPA/CPRA for the data subjects and processing they cover. A Data Processing Agreement is available, with an in-app clickwrap and a downloadable summary.
Where to verify each answer
Every answer above traces to a canonical Trust Center page. Use these to confirm the detail behind any response.
- Sub-processors. The versioned register: purpose, data categories, region, and transfer basis for each.
- Data residency. Where data is stored and processed, and the transfer basis for every hop.
- Breach notification. The concrete commitment and timeframe for a personal-data breach.
- Data continuity. What happens to your data on breach, acquisition, or wind-down.
- Security posture. Read-only by default, zero standing write access, the operator boundary.
- Certification status. What Permafrost holds, what is underway, and what is inherited — with dates.
