Security Questionnaire

Plain-language answers to common enterprise security and procurement questions. Aligned with CAIQ Lite and SIG Lite topics. Use this as a starting point for vendor due diligence.

Sections: 10. Aligned with: CAIQ / SIG Lite. Last reviewed: May 2026.

Need a formal questionnaire response? Email support@turbofinops.com with your vendor questionnaire (Excel/Word/online portal) and we will return a completed response. NDA available before sharing detailed architecture, key-management and insurance information.

1. Company and scope

What is the legal entity behind TurboFinOps?
S.C. TURBOFINOPS S.R.L., registered in Romania (EU). Service-of-process and contracting entity details are provided in the executed Order Form.
What services are in scope of this questionnaire?
The TurboFinOps SaaS control plane, including the web dashboard, public API, scanner workers, action engine, billing and audit subsystems. AI features operate under the Bring-Your-Own-AI model documented at /ai.
Where are the production services hosted?
Primary infrastructure runs in the EU (Frankfurt, eu-west-2). Subprocessors and their regions are published at /subprocessors. US data residency is opt-in only.

2. Governance and policies

Do you have a written information security policy?
Yes. Internal information security, acceptable use, incident response and change management policies are maintained. Public-facing extracts are available at /security, /security/incident-response and /acceptable-use.
Are policies reviewed regularly?
At least annually, and after any material incident or regulatory change.
Do you carry cyber-liability insurance?
Coverage is in place. Certificate of insurance is available on request to Enterprise customers under NDA.

3. Compliance and certifications

Are you SOC 2 certified?
Not yet. SOC 2 Type II is on our roadmap. Internal controls and rule-to-control mappings are already implemented in-product; the formal external audit is future work. See /trust-center for current status.
Are you ISO 27001 certified?
Not yet. ISO 27001 is on our roadmap and the product maps findings to ISO 27001 Annex A controls. See /trust-center.
Are you GDPR compliant?
TurboFinOps operates as a data controller for account data and as a data processor for Customer Personal Data. Full Privacy Policy at /privacy. Enterprise customers may execute the DPA at /legal/dpa, which includes SCCs and the UK IDTA.
Do you handle PHI (HIPAA)?
No. TurboFinOps is not designed for, and customers should not process, protected health information through the platform.
Do you handle cardholder data (PCI DSS)?
No payment card data is stored, processed or transmitted by TurboFinOps. Stripe is the PCI-compliant payment processor.

4. Data protection

What customer data is stored?
Cloud resource metadata, findings, audit logs, billing records and user profile data. The platform does not access or store workload contents (object storage payloads, database rows, application logs). See /docs/data-handling.
How is data encrypted in transit?
TLS 1.2 or higher for all external traffic. HSTS is enforced. Internal service-to-service traffic runs over provider-managed encrypted networks.
How is data encrypted at rest?
AES-256 envelope encryption for sensitive secrets (cloud credentials, AI provider keys), with key material protected by a managed KMS (AWS KMS, Azure Key Vault or GCP Cloud KMS via our HSM integration). PostgreSQL storage is encrypted by the Supabase platform.
How is tenant isolation enforced?
Every database query is scoped by organizationId, validated server-side on every request. An automated tenant-isolation regression suite runs in CI to prevent cross-tenant leaks.
How long is data retained?
Plan-differentiated: 30 days (Free), 6 months (Pro), or customer-defined (Enterprise) for operational data. Billing records: 7 years. Backups: 30-day rolling. See /privacy section 8.
How can data be deleted on request?
GDPR Articles 15-22 rights are honored. Account holders can request export or deletion via privacy@turbofinops.com. Enterprise DPA includes return-or-destroy provisions on termination.

5. Identity and access

Do you support SSO?
Yes. SAML SSO is available for Enterprise customers. Configuration UI is exposed under Settings.
Do you support SCIM?
Yes. SCIM v2.0 provisioning endpoints support user creation, deactivation and group sync.
How is RBAC implemented?
Five built-in roles (Admin, FinOps, Security, Auditor, Viewer). Enforcement is server-side on every API request. Client-side role claims are never trusted.
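The tenant-isolation answer in section 4 (every query scoped by organizationId, checked server-side, with a CI regression suite) and the RBAC answer above (server-side enforcement, client role claims never trusted) describe the same control pattern. The following is an added illustration written for this page, not TurboFinOps code: an in-memory findings store with constructed sample data, a session object that is assumed to be built server-side from the verified token, and a regression function of the kind a CI suite would run. Role names are the five on this page; the role-to-permission mapping is assumed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ROLES_ALLOWED_TO_REMEDIATE = {"Admin", "FinOps"}  # assumed mapping, not the product's own
@dataclass(frozen=True)
class Session:  # built server-side from the verified token, never from request fields
    user_id: str
    organization_id: str
    role: str
@dataclass(frozen=True)
class Finding:
    finding_id: str
    organization_id: str
    rule_id: str
# Constructed sample data: two tenants, one finding each.
FINDINGS = {"f-1": Finding("f-1", "org-a", "aws.ec2.idle-instance"),
            "f-2": Finding("f-2", "org-b", "gcp.disk.unattached")}
class Forbidden(Exception):
    pass

def get_finding(session: Session, finding_id: str, claimed_org: Optional[str] = None) -> Finding:
    # Every lookup is scoped by the session's organization_id. claimed_org models a
    # client-supplied value and is deliberately ignored.
    finding = FINDINGS.get(finding_id)
    if finding is None or finding.organization_id != session.organization_id:
        raise Forbidden("finding not found in this organization")  # same answer for missing/other tenant
    return finding

def remediate(session: Session, finding_id: str, claimed_role: Optional[str] = None) -> str:
    # Tenant check first, then the role held in the session; claimed_role from the client is ignored.
    finding = get_finding(session, finding_id)
    if session.role not in ROLES_ALLOWED_TO_REMEDIATE:
        raise Forbidden(f"role {session.role} may not remediate")
    return f"remediation queued for {finding.finding_id}"

def refused(action: Callable[[], object]) -> bool:
    try:
        action()
        return False
    except Forbidden:
        return True

def tenant_isolation_regression() -> bool:
    # CI-style check: True only when every cross-tenant and cross-role path is refused.
    a_viewer, b_admin = Session("u1", "org-a", "Viewer"), Session("u2", "org-b", "Admin")
    return all([
        get_finding(a_viewer, "f-1").finding_id == "f-1",                    # own tenant, allowed
        refused(lambda: get_finding(a_viewer, "f-2", claimed_org="org-b")),  # cross-tenant read
        refused(lambda: remediate(a_viewer, "f-1", claimed_role="Admin")),   # client role claim ignored
        refused(lambda: remediate(b_admin, "f-1")),                          # cross-tenant action
        remediate(b_admin, "f-2").startswith("remediation queued"),          # allowed path
    ])
```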
Is MFA required?
MFA is supported via Supabase Auth and can be enforced organization-wide for Enterprise tenants. SSO enforcement supersedes social OAuth for SSO-required orgs.
How is administrative access controlled?
Internal admin access uses individual SSO accounts, hardware MFA and least-privilege permissions; every administrative action is recorded in the immutable audit trail.

6. Operations and resilience

What is the platform RPO/RTO?
RPO and RTO are both ≤ 24 hours for the control plane. See /security/business-continuity for the full DR program.
How often are backups tested?
Restore tests are conducted quarterly against an isolated environment with schema and integrity validation.
What is your incident-response process?
Six-phase process: detect, triage, contain, notify, recover, review. Customer notification target for confirmed breaches is ≤ 72 hours, aligned with GDPR Article 33. Full policy at /security/incident-response.
Is there a public status page?
Yes — /status reports real-time API, database and queue readiness.
What SLA do you offer?
Pro 99.9 %, Enterprise 99.95 % monthly availability with a service-credit schedule. Full terms at /sla. Enterprise Order Forms may negotiate stricter terms.

7. Secure development and change management

How is code reviewed before production?
All changes go through pull-request review with required approvals, automated tests, type-checking, lint and dependency-audit gates before merging to main.
Are dependencies scanned for vulnerabilities?
Yes. CI includes production dependency audit gates. Critical findings block release until remediated or formally accepted.
Do you conduct penetration testing?
External penetration testing is planned as part of SOC 2 readiness. Internal threat modeling and continuous security review run today. Attestation letters will be made available to Enterprise customers under NDA when complete.
How do you handle vulnerability reports from researchers?
Coordinated disclosure with safe-harbor terms, 3-business-day acknowledgement and 10-business-day triage. See /security/vulnerability-disclosure.

8. Subprocessors and third parties

What subprocessors do you use?
Supabase (auth, PostgreSQL, storage; EU), Aiven (Redis; EU), Stripe (billing), Resend (transactional email), Sentry (error telemetry). Current list, regions and transfer mechanisms at /subprocessors.
How is customer data shared with subprocessors?
Each subprocessor is contractually bound and receives only the minimum data required for its function. Transfers outside the EEA use SCCs or the EU-US Data Privacy Framework where applicable.
How are new subprocessors communicated?
Customers under an active DPA receive at least 14 days advance notice of any material change, during which they may object.

9. AI features and data flow

Does TurboFinOps train AI models on customer data?
No. AI is offered under a Bring-Your-Own-AI (BYOAI) model — customers configure their own provider credential (OpenAI, Anthropic, Azure OpenAI, Gemini, etc.) and that provider receives requests under terms the customer has accepted. TurboFinOps does not run or fine-tune its own customer-facing models.
What data is sent to the AI provider?
Only structured finding text, rule identifiers, resource metadata the customer has chosen to scan, and user-typed prompts. Cloud credentials, workload contents and personal data beyond resource metadata are never sent. See /ai for the full list.
Can AI be disabled?
Yes. Removing the AI provider credential immediately disables all AI surfaces and falls back to deterministic, rule-based recommendations.

10. Contacts

Who do I contact for security questions?
security@turbofinops.com — vulnerability reports, incident questions, security architecture review.
Who do I contact for privacy and GDPR rights?
privacy@turbofinops.com — data subject requests, DPA inquiries, supervisory authority correspondence.
Who do I contact for legal matters?
legal@turbofinops.com — contract questions, service of process, AUP appeals.
Who do I contact for procurement and questionnaires?
support@turbofinops.com — questionnaire customization, NDA workflow, full security packet request.
