Trust Center

Current attestation status, plainly stated. We don't claim certifications we don't hold.

SOC 2 Type I

In progress

Auditor selected. Type I report targeted for the next reporting window. Type II will follow once observation period completes.

HIPAA-ready

Architecture

Two-plane isolation, AES-256 key encryption, and audit logging support BAA execution. Fire Mission is not currently HIPAA accredited.

NIST 800-53 alignment

Moderate baseline

Control mapping covers the Moderate baseline. Independent attestation is in progress.

FedRAMP

Aligned, not authorized

Architecture is FedRAMP-aligned. We are not currently FedRAMP authorized. FedRAMP Moderate readiness is on the roadmap; agency sponsorship inquiries welcome.

PCI DSS SAQ-A

In place

Card data is tokenized inside a Shift4 iframe. Fire Mission never sees PAN bytes. CSP headers enforce iframe isolation.

GDPR / CCPA

In place

Standard Contractual Clauses for EU/EEA, GPC respected for California residents. Privacy policy at /legal#privacy.

Sub-processors

These third parties may process customer metadata or facilitate payments. We do not share AI prompt or completion bytes with anyone — they pass through to your selected provider using your BYOK credentials and are not persisted.

Sub-processorPurposeRegion
Replit DeploymentsApplication hosting (US)US
Replit PostgresControl-plane metadata storage (US)US
Shift4 PaymentsPCI SAQ-A card tokenization & subscription billingUS
Customer-supplied AI providersBYOK passthrough — OpenAI, Anthropic, Google, Groq, Together AI, self-hostedPer customer choice

Data minimization

The least data you store is the least data that can be breached. Fire Mission is designed around this principle for document intelligence.

Data typeTypical RAG platformFire Mission
Document contentStored (chunks + full text)Never stored — fetched ephemerally
Vector embeddingsStored permanently in vector DBNot generated or stored
Knowledge summariesN/A (stores full chunks instead)AI-generated metadata (~400 tokens/doc)
Query / prompt textOften logged for model improvementNever persisted — metadata only
Document pointersStored (alongside content)Stored (title, path — no content)

Knowledge summaries are model-generated distillations (not document excerpts) stored as metadata alongside the document pointer. Raw document bytes never enter the Fire Mission database at any point.

Security whitepaper

A plain-language summary of the Fire Mission threat model, two-plane isolation, security scanning pipeline, and incident response posture lives at /security. A formal whitepaper PDF is available on request for prospective Team and Business customers.

Request whitepaper

Compliance language rule

We use precise wording everywhere on the public surface:

  • "FedRAMP-aligned architecture" — never "FedRAMP certified" or "FedRAMP authorized".
  • "FedRAMP Moderate readiness on roadmap" — never an unqualified FedRAMP claim.
  • "HIPAA-ready" — never "HIPAA compliant".
  • "SOC 2 Type I in progress" — never "SOC 2 certified" until the report is issued.
  • "NIST 800-53 aligned" — never "NIST 800-53 certified".

Report a vulnerability

Email mark@blackburntactical.us with subject "Security Vulnerability Report". We acknowledge within one business day. Coordinated disclosure preferred; no bounty program at this time.