For security teams, procurement reviewers, and budget-holders: the scope of the technical controls, the boundary between what Caisson ships and what remains yours, and how to request documentation.
Caisson ships the technical controls. The audit remains yours.
Caisson is a codebase. It implements the technical requirements SOC 2 and HIPAA demand — fail-closed access control, tamper-evident logging, WORM storage, and encrypted field storage. It generates evidence artifacts you hand to an auditor. It does not replace the auditor, the audit engagement, or the organizational controls (HR, vendor management, incident response) the frameworks also require. Caisson is not itself SOC 2 or HIPAA certified, and never claims to be.
FORCE-enabled row-level security, so the policy binds the table owner as well as application roles. A query that never sets the tenant context returns nothing. The one exception is built into Postgres: superusers and roles with BYPASSRLS skip policies entirely, so the application role must be neither. Cross-tenant isolation is a test in CI, not a convention.
SOC 2 CC6.1 · HIPAA §164.312(a)(1)
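The RLS control above, as an added example written against plain PostgreSQL rather than Caisson's own schema. The table, setting and role names (patient_record, app.tenant_id, app_ci) are assumptions. It enables and forces row-level security keyed on a per-transaction setting, seeds two tenants, and then runs the kind of isolation check a CI job would execute as a non-privileged role.

```sql
-- Added example (not Caisson's own schema). Assumed names: table
-- patient_record, setting app.tenant_id, role app_ci.
CREATE TABLE patient_record (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    payload   text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well,
-- which is the account most migrations and cron jobs run as.
ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting is unset, and
-- NULLIF turns '' into NULL, so a connection that never set (or blanked)
-- the tenant context evaluates tenant_id = NULL, which is never true: zero
-- rows, not every row. WITH CHECK applies the same rule to INSERT/UPDATE.
CREATE POLICY tenant_isolation ON patient_record
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Superusers and roles with BYPASSRLS ignore policies entirely, so both the
-- application and the CI check must run as an ordinary role.
CREATE ROLE app_ci NOLOGIN;
GRANT SELECT, INSERT ON patient_record TO app_ci;
GRANT USAGE ON SEQUENCE patient_record_id_seq TO app_ci;
SET ROLE app_ci;

-- Seed one row per tenant. set_config(..., true) is transaction-local, which
-- is what a pooler in transaction mode needs; each insert carries its own context.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO patient_record (tenant_id, payload)
    VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A record');
COMMIT;
BEGIN;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO patient_record (tenant_id, payload)
    VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B record');
COMMIT;

-- CI isolation check: the job fails if any row is visible without context,
-- or if tenant A can see tenant B's row.
DO $$
DECLARE
    n bigint;
BEGIN
    PERFORM set_config('app.tenant_id', '', true);
    SELECT count(*) INTO n FROM patient_record;
    IF n <> 0 THEN
        RAISE EXCEPTION 'RLS leak: % row(s) visible with no tenant context', n;
    END IF;

    PERFORM set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
    SELECT count(*) INTO n FROM patient_record
     WHERE tenant_id <> '11111111-1111-1111-1111-111111111111';
    IF n <> 0 THEN
        RAISE EXCEPTION 'RLS leak: tenant A sees % foreign row(s)', n;
    END IF;
END $$;
```

Run it with psql as a superuser against a throwaway database; the SET ROLE is what makes the check meaningful, since a job run as postgres would see every row regardless of policy and prove nothing. A RAISE EXCEPTION in the DO block is a non-zero exit for psql with ON_ERROR_STOP, which is the CI signal.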
Evidence buckets in COMPLIANCE mode with a default retention period. Objects cannot be overwritten or deleted inside the window — for any caller, including an operator with a leaked root key. Object Lock protects object versions in a versioned bucket: a delete without a version ID only adds a delete marker, and the locked version stays retrievable until its retention date passes.
SOC 2 CC7.2 · HIPAA §164.312(c)(1)
Every privileged action hashes into a chain. Tampering with any historical row invalidates that row's hash, and recomputing the hash to hide the edit breaks every link after it. Either way the break is detectable, provable, and exportable to an auditor.
SOC 2 CC7.2 · HIPAA §164.312(b)
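The audit chain above, as an added example in plain PostgreSQL; it is not Caisson's audit module. The table and function names (audit_chain, audit_row_hash, audit_chain_link, audit_chain_guard, audit_chain_breaks) are assumptions, and it needs the pgcrypto extension for digest(). It links each row to its predecessor by SHA-256, verifies the chain, and then shows what both kinds of tampering look like to the verifier.

```sql
-- Added example (not Caisson's audit module). Assumed names: audit_chain,
-- audit_row_hash, audit_chain_link, audit_chain_guard, audit_chain_breaks.
-- Needs the pgcrypto extension for digest().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE audit_chain (
    seq         bigserial   PRIMARY KEY,
    actor       text        NOT NULL,
    action      text        NOT NULL,
    target      text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   text        NOT NULL,
    row_hash    text        NOT NULL
);
-- Two rows can never claim the same predecessor, so a forked chain fails at commit.
CREATE UNIQUE INDEX audit_chain_prev_hash_key ON audit_chain (prev_hash);

-- Canonical hash of one link: prev_hash || JSON of the fields. jsonb orders
-- keys deterministically and the timestamp is rendered explicitly in UTC, so
-- a verifying session with a different DateStyle or TimeZone recomputes the
-- same value.
CREATE OR REPLACE FUNCTION audit_row_hash(
    prev text, seq bigint, actor text, action text, target text, occurred_at timestamptz
) RETURNS text LANGUAGE sql IMMUTABLE AS $$
    SELECT encode(digest(prev || jsonb_build_object(
        'seq', seq, 'actor', actor, 'action', action, 'target', target,
        'occurred_at', to_char(occurred_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"')
    )::text, 'sha256'), 'hex')
$$;

-- BEFORE INSERT: link the new row to the current head. The advisory lock
-- serializes appends (under the default READ COMMITTED isolation the SELECT
-- then sees the head committed by whoever held the lock before us).
CREATE OR REPLACE FUNCTION audit_chain_link() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    head text;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('audit_chain'));
    SELECT row_hash INTO head FROM audit_chain ORDER BY seq DESC LIMIT 1;
    NEW.prev_hash := coalesce(head, repeat('0', 64));   -- genesis link
    NEW.row_hash  := audit_row_hash(NEW.prev_hash, NEW.seq, NEW.actor,
                                    NEW.action, NEW.target, NEW.occurred_at);
    RETURN NEW;
END $$;
CREATE TRIGGER audit_chain_link BEFORE INSERT ON audit_chain
    FOR EACH ROW EXECUTE FUNCTION audit_chain_link();

-- Guard against casual rewrites; the chain, not this trigger, is the proof.
CREATE OR REPLACE FUNCTION audit_chain_guard() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'audit_chain is append-only'; END $$;
CREATE TRIGGER audit_chain_guard BEFORE UPDATE OR DELETE ON audit_chain
    FOR EACH ROW EXECUTE FUNCTION audit_chain_guard();

-- Verifier: recompute every row hash and compare each prev_hash with the
-- predecessor's stored row_hash. Returns only the rows that fail.
CREATE OR REPLACE FUNCTION audit_chain_breaks()
RETURNS TABLE (seq bigint, row_altered boolean, link_broken boolean)
LANGUAGE sql STABLE AS $$
    WITH linked AS (
        SELECT c.seq,
               c.row_hash <> audit_row_hash(c.prev_hash, c.seq, c.actor, c.action,
                                            c.target, c.occurred_at)        AS row_altered,
               c.prev_hash <> coalesce(lag(c.row_hash) OVER (ORDER BY c.seq),
                                       repeat('0', 64))                      AS link_broken
        FROM audit_chain c
    )
    SELECT l.seq, l.row_altered, l.link_broken FROM linked l
    WHERE l.row_altered OR l.link_broken ORDER BY l.seq
$$;

-- Three privileged actions; an intact chain returns no rows.
INSERT INTO audit_chain (actor, action, target) VALUES ('alice', 'grant_role', 'role:admin');
INSERT INTO audit_chain (actor, action, target) VALUES ('bob',   'export_phi', 'tenant:1111');
INSERT INTO audit_chain (actor, action, target) VALUES ('alice', 'rotate_key', 'tenant:2222');
SELECT * FROM audit_chain_breaks();

-- An operator with DDL rights sidesteps the guard and rewrites row 2.
ALTER TABLE audit_chain DISABLE TRIGGER audit_chain_guard;
UPDATE audit_chain SET actor = 'mallory' WHERE seq = 2;
SELECT * FROM audit_chain_breaks();   -- seq 2: row_altered = true

-- Recomputing row 2's hash to hide the edit moves the break to row 3's link,
-- and every later row would fail the same way.
UPDATE audit_chain SET row_hash = audit_row_hash(prev_hash, seq, actor, action, target, occurred_at)
 WHERE seq = 2;
ALTER TABLE audit_chain ENABLE TRIGGER audit_chain_guard;
SELECT * FROM audit_chain_breaks();   -- seq 3: link_broken = true
```

The chain makes tampering visible, not impossible: an operator who can write to the table can rewrite every row from the tampered one onward and leave the verifier silent. What makes a break provable is a copy of the current head row_hash that the operator cannot alter, for example written on a schedule into a bucket with the COMPLIANCE-mode retention described above; the verifier then also checks that the stored head still appears in the chain.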
AES-256-GCM authenticated encryption at the column level. Each tenant's key material is scoped to their row context. No plaintext key material in the application layer.
HIPAA §164.312(a)(2)(iv)
We respond to documented requests from security reviewers and procurement teams within 5 business days.
Architecture & data-flow
System architecture diagram, data-flow documentation, and infrastructure topology. Available on request.
Control mapping
A mapping of Caisson modules to SOC 2 TSC and HIPAA §164.3xx control clauses. Downloadable in CSV and PDF.
Vulnerability reporting
Email security@caisson.sh with a description and reproduction steps. We triage every valid report. No formal bug-bounty yet.
Procurement questionnaires
Send your standard security questionnaire to security@caisson.sh. We respond to documented requests from qualified buyers.
No. Caisson is a codebase that ships the technical controls required by those frameworks. The certification, the audit engagement, and the organizational controls (HR, vendor management, incident response) remain yours. Caisson generates the evidence; you close the audit. That boundary is stated plainly in the documentation and is intentional.
The Compliance edition covers the technical controls in SOC 2 CC6.1 (logical access), CC7.2 (change detection, stored evidence), and HIPAA §164.312(a)(1) (access control), §164.312(b) (audit controls), §164.312(c)(1) (integrity), and §164.312(a)(2)(iv) (encryption/decryption). The organizational and administrative controls remain the operator's responsibility.
Email security@caisson.sh with your organization name and what you need (architecture diagram, control mapping, data-flow documentation). We respond to documented requests within 5 business days.
Email security@caisson.sh with a description and reproduction steps. We do not currently run a formal bug-bounty program, but we acknowledge and triage every valid report. A security.txt file is available at https://caisson.sh/.well-known/security.txt.
Caisson is a codebase deployed into your infrastructure — it does not process or store your data on Caisson-operated systems. The RLS, WORM, and audit-chain controls run inside your Postgres and S3-compatible storage.
For security documentation, procurement questionnaires, or to discuss the technical controls in detail, email security@caisson.sh. Ready to purchase or evaluate? See pricing.