CapchaCloud 20 control themes — strong security practices and transparency. We do not guarantee legal or regulatory outcomes.
Each item links to a dedicated page. Internal engineering playbooks live in the repo under docs/compliance/ (for operators and contributors).
How we describe controls alongside common frameworks—without claiming certification.
What we operate vs. what you configure (domains, keys, BYOB, webhooks).
DPA/SCC posture; how to request an executed agreement.
Who we rely on and how we give notice of material changes.
Data classes and lifecycle—in principle and by configuration.
How preservation requests work alongside deletion.
Append-only operational logs and hash-chain tamper evidence.
TLS, platform crypto, BYOB; CMK roadmap.
Severity model and customer communication principles.
How we drill breaches and outages—cadence and scope.
Access reviews and production change discipline.
Phishing-resistant MFA and break-glass expectations.
Known-good settings, drift reduction, infrastructure-as-code.
Disclosure intake and remediation targets.
Dependencies, provenance, CycloneDX artifacts in CI.
Gates: review, scans, secrets hygiene, release discipline.
Third-party testing cadence and remediation tracking.
Cloudflare regions and roadmap for tenant pinning.
PR checklist: minimization, purpose, sensitive fields.
How we assemble audit artifacts—controls, logs, policies, exports.
Operate with counsel for jurisdictional requirements. Contact: serviceautomations.ai.