Trust Center
Current attestation status, plainly stated. We don't claim certifications we don't hold.
SOC 2 Type I
In progressAuditor selected. Type I report targeted for the next reporting window. Type II will follow once observation period completes.
HIPAA-ready
ArchitectureTwo-plane isolation, AES-256 key encryption, and audit logging support BAA execution. Fire Mission is not currently HIPAA accredited.
NIST 800-53 alignment
Moderate baselineControl mapping covers the Moderate baseline. Independent attestation is in progress.
FedRAMP
Aligned, not authorizedArchitecture is FedRAMP-aligned. We are not currently FedRAMP authorized. FedRAMP Moderate readiness is on the roadmap; agency sponsorship inquiries welcome.
PCI DSS SAQ-A
In placeCard data is tokenized inside a Shift4 iframe. Fire Mission never sees PAN bytes. CSP headers enforce iframe isolation.
GDPR / CCPA
In placeStandard Contractual Clauses for EU/EEA, GPC respected for California residents. Privacy policy at /legal#privacy.
Sub-processors
These third parties may process customer metadata or facilitate payments. We do not share AI prompt or completion bytes with anyone — they pass through to your selected provider using your BYOK credentials and are not persisted.
| Sub-processor | Purpose | Region |
|---|---|---|
| Replit Deployments | Application hosting (US) | US |
| Replit Postgres | Control-plane metadata storage (US) | US |
| Shift4 Payments | PCI SAQ-A card tokenization & subscription billing | US |
| Customer-supplied AI providers | BYOK passthrough — OpenAI, Anthropic, Google, Groq, Together AI, self-hosted | Per customer choice |
Data minimization
The least data you store is the least data that can be breached. Fire Mission is designed around this principle for document intelligence.
| Data type | Typical RAG platform | Fire Mission |
|---|---|---|
| Document content | Stored (chunks + full text) | Never stored — fetched ephemerally |
| Vector embeddings | Stored permanently in vector DB | Not generated or stored |
| Knowledge summaries | N/A (stores full chunks instead) | AI-generated metadata (~400 tokens/doc) |
| Query / prompt text | Often logged for model improvement | Never persisted — metadata only |
| Document pointers | Stored (alongside content) | Stored (title, path — no content) |
Knowledge summaries are model-generated distillations (not document excerpts) stored as metadata alongside the document pointer. Raw document bytes never enter the Fire Mission database at any point.
Security whitepaper
A plain-language summary of the Fire Mission threat model, two-plane isolation, security scanning pipeline, and incident response posture lives at /security. A formal whitepaper PDF is available on request for prospective Team and Business customers.
Request whitepaperCompliance language rule
We use precise wording everywhere on the public surface:
- "FedRAMP-aligned architecture" — never "FedRAMP certified" or "FedRAMP authorized".
- "FedRAMP Moderate readiness on roadmap" — never an unqualified FedRAMP claim.
- "HIPAA-ready" — never "HIPAA compliant".
- "SOC 2 Type I in progress" — never "SOC 2 certified" until the report is issued.
- "NIST 800-53 aligned" — never "NIST 800-53 certified".
Report a vulnerability
Email mark@blackburntactical.us with subject "Security Vulnerability Report". We acknowledge within one business day. Coordinated disclosure preferred; no bounty program at this time.