Truvisory
§ Trust / Compliance posture

Earned, not claimed.

A live status board of every certification, framework alignment, and verifiable code we hold — current, in-progress, or planned. If a badge isn't here, we don't display it.

§ 01 / Status board

Where we are this quarter.

Federal eligibility · Verified · Live

SDVOSB

Verified Service-Disabled Veteran-Owned Small Business. Active SAM.gov registration. VA Vets First eligible.

Federal eligibility · Active · Live

SAM.gov registration

UEI KNZKX28MLC42 · CAGE 0HPQ0. NAICS codes registered. Reps & certs current.

Cyber framework · Aligned

NIST SP 800-171

All 110 controls implemented & documented. Self-assessment on file. Available under NDA on request.

Standards alignment · Aligned

Section 508 / WCAG 2.1 AA

Every public-facing interface we build conforms to WCAG 2.1 AA and Section 508 of the Rehabilitation Act. Conformance is a delivery standard on citizen-facing work, validated before launch.

Standards alignment · Aligned

TIC 3.0

We deploy Cloudflare's TIC 3.0 security capabilities — shifting the boundary from one or two data centers to a globally distributed architecture, at 50%+ lower TIC operating cost than legacy stacks. Capability mapping in Platform references below.

TIC 3.0 brief →

Cyber framework · Pursuing · In progress

CMMC L2 · third-party assessed

C3PAO engaged. Target assessment Q3 2026. We're not L2-certified today and we won't claim it until the cert is issued.

Privacy / data · Aligned · Live

Data Processing Addendum

Standard DPA available. Data residency selectable: US-only edge region pinning via Cloudflare. No customer data stored outside US by default.

Cloud partner · Pursuing · In progress

Cloudflare ASDP · Application Services

Designation requires technical validation of security, performance, and reliability. We're in process and will display the badge only when it is issued.

Audit · Planned · 2027 planned

SOC 2 Type II

Planned for 2027, once the recurring-revenue threshold is reached. Customers requiring it before then can request a SIG-Lite or a shared-responsibility memo.

Federal authorization · Inherited (substrate)

FedRAMP — inherited where provisioned

For federal engagements requiring it, we deploy on Cloudflare for Government, which is FedRAMP Moderate Authorized and "In Process" for High. Truvisory is not itself a FedRAMP-authorized service, and engagements on commercial Cloudflare do not inherit that authorization.

FedRAMP architecture brief →

Insurance · Active · Live

Cyber + E&O

Cyber liability + Errors & Omissions in force. Limits, carrier, and certificates of insurance available on request.

§ 02 / Verify the codes

Don't take our word for it.

Every code below links to its official source of record. Federal contracting officers and prime evaluators can verify the registrations end-to-end without leaving SAM.gov.

// Truvisory® LLC · public registrations
UEI · KNZKX28MLC42
CAGE · 0HPQ0 · DLA CAGE search →
SDVOSB · Verified · VA Vets First · VetCert →
SBA size · Small Business · all listed NAICS · SBA size standards →
DUNS · Legacy · superseded by UEI
State · Colorado LLC · in good standing · CO Sec. of State →
EIN · On file · provided under NDA

§ 03 / Data & security ledger

How customer data is handled, in plain English.

Residency

Default: US-only.

All Workers, Vectorize, R2, D1, and AI Gateway primitives are region-pinned to US data centers by default. Customer-elected expansion to additional jurisdictions is supported but never automatic.

Inference

No training on customer data, ever.

Models invoked through AI Gateway run inference only. We use providers (Workers AI native, OpenAI, Anthropic, Google) configured to opt out of training data retention. Logs, redaction, and retention windows are configurable per engagement.

Logging

Immutable audit by default.

AI Gateway request/response, tool calls, and policy decisions are written to R2 with object-lock retention. Customers receive read-only access to their own audit trail; we don't query it absent an explicit support request and a logged ticket.

Access

Role-based, least-privilege.

Engagement principals have role-scoped access only to the customer environments they are actively building. Access is revoked on engagement close and reviewed quarterly. MFA is enforced on every console.

Encryption

In transit + at rest, end to end.

TLS 1.3 in transit; provider-managed AES-256 at rest. Customer-managed keys (CMK) supported via Cloudflare Workers Secrets and KMS-backed bring-your-own-key flows.

Incident response

24-hour notification clock.

Confirmed material incidents trigger written customer notification within 24 hours, regardless of contractual minimums. We follow the published runbook, not whatever the lawyers prefer in the moment.

§ 04 / Subprocessors

The vendors in the loop.

Vendor | Role | Region | Status
Cloudflare | Compute, AI Gateway, storage, networking, edge inference substrate | US (region-pinned) | Primary
OpenAI · Anthropic · Google | Foundation-model inference, fronted by AI Gateway | US (vendor-managed) | Optional
GitHub | Source control, CI/CD for Worker deploys | US | Internal
Twilio | SMS & voice transport (PresEngage-class engagements) | US | Optional
Plausible Analytics | Privacy-respecting site analytics; no cookies, no PII | EU | Internal

§ 05 / Platform references

The substrate, documented by the vendor.

We don't ask you to take our word for the platform's compliance posture. Cloudflare's authoritative briefs, with how we apply each:

FedRAMP architecture

How every service stays available in the authorized footprint with no enclave; the substrate for our federal work.

TIC 3.0

The TIC 3.0 security capabilities we deploy to extend your boundary globally.

NIST CSF 2.0 whitepaper

Cloudflare's service-to-control mapping across the CSF functions; complements our own 800-171 self-assessment above.

AI Blueprint

The federal AI threat model our deployments are built against.

Cloudflare for Defense

Tactical-edge, OCONUS, and multi-tiered DDoS posture for DoD engagements.

Responsible AI (Cloudflare)

Corroborates our no-training-on-customer-data position above.

Responsible disclosure

If you've discovered a security issue that affects Truvisory® or a customer environment we operate, write to security@truvisory.com. PGP key on request. We acknowledge within one business day and target a 90-day fix-or-public-disclosure window.

Contracting questions

For COs, primes, evaluators, or anyone needing a SIG-Lite, COI, NDA template, or specific certification artifact: contracting@truvisory.com. Single human inbox. 24-hour reply window.