Truvisory
§ Trust / Compliance posture

Earned, not claimed.

A live status board of every certification, framework alignment, and verifiable code we hold — current, in-progress, or planned. If a badge isn't here, we don't display it.

§ 01 / Status board

Where we are this quarter.

Federal eligibility Verified
Live

SDVOSB

Verified Service-Disabled Veteran-Owned Small Business. Active SAM.gov registration. VA Vets First eligible.

Federal eligibility Active
Live

SAM.gov registration

UEI KNZKX28MLC42 · CAGE 9X1L4. NAICS codes registered. Reps & certs current.

Cyber framework Aligned
Aligned

NIST SP 800-171

All 110 controls implemented & documented. Self-assessment on file. Available under NDA on request.

Cyber framework Pursuing
In progress

CMMC L2 · third-party assessed

C3PAO engaged. Target assessment Q3 2026. We're not L2-certified today and we won't claim it until the cert is issued.

Privacy / data Aligned
Live

Data Processing Addendum

Standard DPA available. Data residency selectable: US-only edge region pinning via Cloudflare. No customer data stored outside US by default.

Cloud partner Pursuing
In progress

Cloudflare ASDP · Application Services

Designation requires technical validation of security, performance, reliability. We're in process and will display the badge only when issued.

Audit Planned
2027 planned

SOC 2 Type II

Planned for 2027 once recurring-revenue threshold is reached. Customers requiring it before then can request a SIG-Lite or shared-responsibility memo.

Federal authorization Inheritance
Inherited

FedRAMP-aware deployment

We deploy on Cloudflare's FedRAMP-aware patterns. We are not ourselves a FedRAMP-authorized service; we deliver against authorized substrate where applicable.

Insurance Active
Live

Cyber + E&O

Cyber liability + Errors & Omissions in force. Limits, carrier, and certificates of insurance available on request.

§ 02 / Verify the codes

Don't take our word for it.

Every code below links to its official source of record. Federal contracting officers and prime evaluators can verify the registrations end-to-end without leaving SAM.gov.

// Truvisory® LLC · public registrations
UEI | KNZKX28MLC42 | Verify on SAM.gov →
CAGE | 9X1L4 | DLA CAGE search →
SDVOSB | Verified · VA Vets First | VetCert →
SBA size | Small Business · all listed NAICS | SBA size standards →
DUNS | Legacy · superseded by UEI
State | Colorado LLC · in good standing | CO Sec. of State →
EIN | On file · provided under NDA

§ 03 / Data & security ledger

How customer data is handled, in plain English.

Residency

Default: US-only.

All Worker, Vectorize, R2, D1, and AI Gateway primitives are region-pinned to US data centers by default. Customer-elected expansion to additional jurisdictions is supported but never automatic.

Inference

No training on customer data, ever.

Models invoked through AI Gateway run inference only. We use providers (Workers AI native, OpenAI, Anthropic, Google) configured to opt out of training data retention. Logs, redaction, and retention windows are configurable per engagement.

Logging

Immutable audit by default.

AI Gateway request/response, tool calls, and policy decisions are written to R2 with object-lock retention. Customers receive read-only access to their own audit trail; we don't query it absent an explicit support request and a logged ticket.

Access

Role-based, least-privilege.

Engagement principals have role-scoped access only to the customer environments they are actively building. Access is revoked on engagement close and reviewed quarterly. MFA is enforced on every console.

Encryption

In transit + at rest, end to end.

TLS 1.3 in transit; provider-managed AES-256 at rest. Customer-managed keys (CMK) supported via Cloudflare Workers Secrets and KMS-backed bring-your-own-key flows.

Incident response

24-hour notification clock.

Confirmed material incidents trigger written customer notification within 24 hours, regardless of contractual minimums. We follow the published runbook, not whatever the lawyers prefer in the moment.

§ 04 / Subprocessors

The vendors in the loop.

Vendor | Role | Region | Status
Cloudflare | Compute, AI Gateway, storage, networking, edge inference substrate | US (region-pinned) | Primary
OpenAI · Anthropic · Google | Foundation-model inference, fronted by AI Gateway | US (vendor-managed) | Optional
GitHub | Source control, CI/CD for Worker deploys | US | Internal
Twilio | SMS & voice transport (PresEngage-class engagements) | US | Optional
Plausible Analytics | Privacy-respecting site analytics. No cookies, no PII. | EU | Internal

Responsible disclosure

If you've discovered a security issue that affects Truvisory® or a customer environment we operate, write to security@truvisory.com. PGP key on request. We acknowledge within one business day and target a 90-day fix-or-public-disclosure window.

Contracting questions

For COs, primes, evaluators, or anyone needing a SIG-Lite, COI, NDA template, or specific certification artifact: contracting@truvisory.com. Single human inbox. 24-hour reply window.