This is the question every defense contractor asks first. It is the right question. Here is the direct, complete answer.
You describe how your company handles Controlled Unclassified Information (CUI). You do not upload CUI. You do not paste classified documents. You do not share export controlled files. The questionnaire asks about your environment and practices in plain English. Your answers, the SSP Verdiex generates from those answers, and your account information are what Verdiex stores. That is all.
Do not enter any of the following: classified information of any kind; Controlled Unclassified Information documents or files; export controlled technical data; Personally Identifiable Information beyond what is necessary for your account. If you are unsure whether something you are about to enter qualifies as CUI, do not enter it. Describe your practices instead.
Verdiex is designed so that you never need to upload sensitive data to use it. The questionnaire asks about how you handle CUI. It does not ask for the CUI itself. You might answer a question like "do you encrypt CUI stored on laptops" with "yes, all laptops use BitLocker with recovery keys stored in Active Directory." You describe the control. You do not paste the data.
The System Security Plan that Verdiex generates from your answers is itself a compliance document, not a classified document. It describes your security practices. It does not contain classified material, and it should not. An SSP is a document you share with your C3PAO during assessment.
The Verdiex marketing website (this site) is served by Netlify from United States infrastructure. Form submissions (early access, contact) are processed and stored by Netlify within their US infrastructure.
The Verdiex product application (the SSP tool, launching soon) will be hosted on AWS commercial region infrastructure in the United States. Your questionnaire responses, your SSP drafts, your POA&M data, and your account information will be stored in a database hosted in the US. No data will be routed through or stored outside US infrastructure.
All data resides on US infrastructure. No data leaves US jurisdiction. This applies to both the marketing site and the product application.
Your data is accessible to:
Your data is never sold to third parties. It is never shared with third parties for marketing or advertising purposes. It is never shared with other contractors, assessment organizations, or DoD entities without your explicit authorization.
All data transmitted between your browser and Verdiex is encrypted over TLS. Verdiex enforces HTTPS on all pages and redirects plain HTTP requests to HTTPS.
Data at rest in the product database is encrypted using AES-256 (the AWS default for RDS and S3). Encryption keys are managed by AWS KMS.
Account passwords are hashed using a cryptographic hashing algorithm. Verdiex never stores plaintext passwords and cannot retrieve them. If you lose your password, a reset flow issues a new one.
Product database backups run daily. Backups are retained for 30 days. Backups are stored in the same AWS region as the primary database, encrypted at rest.
Account data is retained until you close your account or request deletion. After account closure, your data is retained for 30 days to allow account recovery, then deleted permanently from production databases. Backup copies may persist for up to 30 additional days before being purged from the backup rotation.
Marketing site form submissions (early access list, contact form, checklist downloads) are retained for up to 24 months of inactivity or until you request deletion, whichever comes first.
To request deletion of any data Verdiex holds about you, email octavio@verdiex.net with "Data Deletion Request" in the subject line.
AWS GovCloud is a set of AWS regions specifically designed to host sensitive data controlled under US government regulations, including certain categories of CUI. GovCloud regions are accessible only to vetted US persons and entities.
Verdiex currently runs on AWS commercial infrastructure (not GovCloud). This is appropriate for the data Verdiex stores: your questionnaire answers about your practices, your SSP document, and your account information. None of these are themselves classified or CUI.
If the CUI you handle must be processed in systems hosted on GovCloud, that requirement applies to your CUI systems, not to Verdiex, because Verdiex does not store the CUI itself. If you have specific regulatory requirements or questions about your particular classification environment, consult your contracting officer or legal counsel.
Verdiex uses AWS commercial infrastructure, which is appropriate for storing questionnaire responses and SSP documents. If your environment requires GovCloud for actual CUI storage, that requirement applies to your CUI systems, not to Verdiex.
Verdiex is a pre-launch product. Here is an honest picture of where things stand.
TLS everywhere. Database encryption at rest. Access controls on production infrastructure. Dependency scanning. Secure password storage. Input validation and sanitization.
AWS commercial US region. Netlify CDN. Minimal attack surface on marketing site (static HTML, all form processing handled by Netlify).
SOC 2 Type I audit. Penetration test. Bug bounty program or responsible disclosure policy. Terms of Service update reviewed by an attorney.
SOC 2 Type II. Formal vendor security reviews. Incident response plan documented. Employee security training policy.
We do not have a SOC 2 report today. We are stating this plainly. The commitment is to complete SOC 2 Type I before the product begins charging customers. No defense contractor should be relying on unaudited infrastructure for sensitive compliance workflows, and we take that seriously.
To report a security concern, disclose a potential vulnerability, or ask a question about our security practices, contact:
Email: octavio@verdiex.net
Subject line: Security Report or Security Question
We will respond within one business day. Responsible disclosure reports are taken seriously and responded to promptly. We do not currently have a formal bug bounty program, but we will acknowledge and credit responsible reporters.