CivStart Trust Center
Security, Privacy & Compliance
Effective Date: July 1, 2026
The role of the local government leader has never been more demanding. In an era defined by rapid technological shifts, evolving public expectations, and economic volatility, the mandate is no longer just to manage — it is to lead through profound complexity. To do so requires trust.
Welcome to the CivStart Trust Center. This space provides transparency into who we are, what we do, and how we do it. We believe that the effectiveness of government is grounded in trust, and that trust starts with us.
CivStart is a secure online environment where public-sector leaders can define real challenges, and where their peers, solution providers, and partners can engage transparently based on genuine intent rather than market hype.
We maintain a strict no-competitive-disadvantage policy: CivStart prohibits the use of client metrics, structured KPIs, or platform insights to unfairly advantage a competitor or compromise procurement rules.
- NIST CSF aligned
- US-only data residency
- Encrypted at rest & in transit
- SOC 2 in progress
How to read this
Each control is marked with one of two statuses:
- Live: control is in place and operating. CivStart can demonstrate or provide evidence on request.
- In Progress: control is formally scoped and underway. Target completion date is noted where available.
The controls and commitments described in this document reflect CivStart's operational practices as of the effective date. They are not warranties and do not modify the terms of any agreement between CivStart and its clients. This document is subject to change. Material updates will be recorded in the Changelog (Section 8). Continued use of the platform following any update constitutes acknowledgment of the revised Trust Center.
1. Data & Privacy
CivStart collects only what is necessary to operate the platform. Government users retain ownership and control of their challenge data.
1.1 Data we collect
| Data type | Status | Notes |
|---|---|---|
| Customer PII | Live | Opt-in only |
| Employee PII | Live | Opt-in only |
| Credit card / payment data | Live | Vendor accounts only, processed by Stripe |
| Personal health information | Live | Not collected |
1.2 Data handling
| Control | Status | Notes |
|---|---|---|
| Data retention policy established | Live | Documented retention schedules per data class |
| Customer data deleted upon request | Live | Honored within 30 days of written request |
| Data classification policy | Live | Internal doc classifying data by sensitivity tier |
| Data encrypted at rest | Live | AWS S3 + RDS encryption enabled by default |
| Data encrypted in transit | Live | TLS 1.2+ enforced; HSTS enabled |
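A client can verify the "encrypted in transit" row independently rather than take it on trust. The following is an added example written for this page, not CivStart code: it parses a Strict-Transport-Security header, judges whether the max-age is long enough (the one-year threshold is an assumption of this check), and evaluates a set of TLS version handshake results so that only TLS 1.2+ is accepted. The live probe under `__main__` and the hostname it targets are assumptions; the evaluation functions run offline on constructed input.

```python
"""Checks for the 'TLS 1.2+ enforced; HSTS enabled' control.

Added example, not CivStart's code. Pure functions evaluate what a probe
observes; probe_host() performs the live check and is only run from __main__.
"""
import socket
import ssl
from http.client import HTTPSConnection

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold for this check


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header, min_max_age=MIN_HSTS_MAX_AGE):
    """Return (ok, reason): HSTS present with a numeric max-age >= threshold."""
    if header is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(header)
    if not directives.get("max-age", "").isdigit():
        return False, "max-age missing or not numeric"
    age = int(directives["max-age"])
    if age < min_max_age:
        return False, f"max-age {age} below {min_max_age}"
    return True, "ok"


def evaluate_tls(handshakes):
    """Given {version_name: handshake_succeeded}, require TLS 1.2+ only."""
    legacy = [v for v in ("TLSv1", "TLSv1.1") if handshakes.get(v)]
    modern = [v for v in ("TLSv1.2", "TLSv1.3") if handshakes.get(v)]
    if legacy:
        return False, f"legacy versions accepted: {legacy}"
    if not modern:
        return False, "no TLS 1.2+ handshake succeeded"
    return True, "ok"


def handshake_with_version(host, version, port=443, timeout=5):
    """Attempt a handshake pinned to one TLS version; True if the server accepts."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        # Caveat: a local OpenSSL that refuses to offer TLS 1.0/1.1 also lands
        # here, so a "rejected" legacy result is only meaningful when the client
        # was actually able to offer that version.
        return False


def fetch_hsts(host, timeout=5):
    """Return the Strict-Transport-Security header of GET / over HTTPS, or None."""
    conn = HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def probe_host(host):
    """Live check combining both evaluations for one hostname."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    handshakes = {name: handshake_with_version(host, v) for name, v in versions.items()}
    return {"tls": evaluate_tls(handshakes), "hsts": evaluate_hsts(fetch_hsts(host))}


if __name__ == "__main__":
    # Hostname is an assumption for illustration; substitute the platform host.
    print(probe_host("example.com"))
```

The offline functions are the part worth reusing: feed them the handshake map and header from any probe tool and they apply the same policy regardless of how the observation was collected.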
1.3 Sub-processors
CivStart uses the following third-party sub-processors. All are bound by written data protection agreements. This list is current as of July 1, 2026. CivStart will provide advance notice of material sub-processor changes. Updates are recorded in Section 8 (Changelog).
| Sub-processor | Status | Notes |
|---|---|---|
| Amazon Web Services (AWS) | Live | Primary cloud infrastructure; US regions only |
| Google Cloud Platform | Live | Secondary compute; US regions only |
| Stripe | Live | Payment processing; vendor accounts only |
| SOVRA | Live | Public-sector data enrichment; unified data-protection parameters |
2. Organizational Security
| Control | Status | Notes |
|---|---|---|
| Code of conduct policy | Live | Acknowledged by all employees and contractors at hire |
| Confidentiality agreements | Live | Signed by all employees and contractors at onboarding |
| Employee background checks | Live | Completed on all new hires prior to access provisioning |
| Password policy enforced | Live | Configured in IdP; minimum complexity and rotation requirements |
| MFA enforced for remote access | Live | Required for all production system access |
| Security awareness training | Live | Required within 30 days of hire and annually thereafter |
| Asset disposal procedures | Live | Certificates of destruction issued for all physical media |
| Portable media encrypted | Live | Required policy for all removable devices |
| Anti-malware technology | Live | Deployed and auto-updated across all endpoints |
| Production asset inventory | Live | Formal inventory of production system assets maintained |
| Mobile device management (MDM) | Live | Centrally managed; covers all devices with prod access |
| Organizational chart maintained | Live | Current org chart with reporting lines documented |
3. Infrastructure Security
The controls listed below describe CivStart's current operational practices. They reflect how the platform is built and operated and are maintained on an ongoing basis. They are not contractual warranties. For CivStart's full security posture in a contractual context, refer to the Security Practices clause of your Client Services Agreement.
| Control | Status | Notes |
|---|---|---|
| Access control policy established | Live | Documents add / modify / remove user procedures |
| Production access restricted to authorized users | Live | Role-based; requires documented approval |
| Access revoked on termination | Live | Revocation completed within 24 hours of separation |
| Unique authentication for production systems | Live | SSH key or unique username + password required |
| Remote access via encrypted connection only | Live | Approved VPN with MFA gate |
| Encryption key access restricted | Live | Privileged access limited to authorized personnel |
| Production database access restricted | Live | Least-privilege access; DBA review required |
| Firewall in place and configured | Live | Prevents unauthorized access; AWS Security Groups |
| Network segmentation | Live | Production environment isolated via AWS VPC |
| Log management in place | Live | Centralized logging; alerts on threshold events |
| Infrastructure performance monitoring | Live | Automated alerting on predefined thresholds |
| Intrusion detection system | In Progress | AWS GuardDuty implementation underway; target Q3 2026 |
| Firewall ruleset reviewed annually | In Progress | First scheduled review: Q4 2026 |
| Quarterly access reviews | In Progress | Process defined; first review scheduled Q3 2026 |
4. Product Security
| Control | Status | Notes |
|---|---|---|
| No competitive disadvantage use | Live | Strictly prohibits use of client data to advantage competitors |
| Intent integrity | Live | Government challenge data structured into anonymized signals; no predatory scraping |
| Vulnerability and system monitoring policy | Live | Formal policy covering vulnerability management and monitoring |
| Penetration testing | In Progress | Annual third-party pentest scoped; target completion Q3 2026 |
| Automated vulnerability scanning | In Progress | Tooling selected; quarterly cadence to begin Q3 2026 |
| Control self-assessments | In Progress | Annual self-assessment process defined; first assessment Q4 2026 |
5. Internal Procedures
| Control | Status | Notes |
|---|---|---|
| Incident response policy established | Live | Documented and communicated to all authorized users |
| Security and privacy policies reviewed annually | Live | Review cycle established; next review Q1 2027 |
| Roles and responsibilities documented | Live | Assigned in job descriptions and roles policy |
| Management roles for information security defined | Live | Oversight responsibilities formally assigned |
| Change management procedure enforced | Live | All production changes authorized, documented, and tested |
| Third-party agreements in place | Live | Written agreements with all critical vendors; includes confidentiality obligations |
| Cybersecurity insurance maintained | Live | Active policy covering business disruption and data incidents |
| System changes communicated externally | Live | Customers notified of critical changes affecting their processing |
| External support system available | Live | Users can report failures, concerns, or complaints via compliance@civstart.com |
| Whistleblower policy + anonymous channel | In Progress | Policy drafted; anonymous reporting channel deployment Q3 2026 |
| Business continuity plan (BCP) | In Progress | Plan drafted; tabletop test scheduled Q3 2026 |
| Disaster recovery plan (DRP) | In Progress | Plan drafted; first test scheduled Q3 2026 |
| Incident response plan tested annually | In Progress | First test scheduled Q4 2026 |
| Vendor management program | In Progress | Critical vendor inventory and review process underway |
| Risk management program | In Progress | Threat inventory and risk rating documentation in progress |
| SOC 2 Type II audit | In Progress | Readiness partner selected; audit window target H1 2027 |
6. Compliance Frameworks
CivStart designs its security program in alignment with the following frameworks. Formal certification or attestation status is noted for each.
| Framework | Status | Notes |
|---|---|---|
| NIST Cybersecurity Framework (CSF) | Live | Program structure aligned to Identify / Protect / Detect / Respond / Recover |
| NIST AI Risk Management Framework | In Progress | Alignment assessment underway; target Q4 2026 |
| SOC 2 (AICPA Trust Services Criteria) | In Progress | Readiness platform active; Type I target H2 2026 |
7. Frequently Asked Questions
Do you encrypt data at rest?
Yes. Data stored in AWS S3 and RDS is encrypted at rest by default (Section 1.2).
How does CivStart encrypt data in transit?
Connections require TLS 1.2 or higher, and HSTS is enabled (Section 1.2).
Who can see government challenge data?
Government users retain ownership and control of their challenge data (Section 1). Production access is role-based and limited to authorized personnel with documented approval (Section 3), and challenge data surfaced on the platform is structured into anonymized signals (Section 4).
Can we request deletion of our data?
Yes. Deletion requests are honored within 30 days of written request (Section 1.2).
Do you have cybersecurity insurance?
Yes. An active policy covers business disruption and data incidents (Section 5).
When will SOC 2 Type II be complete?
The SOC 2 Type I report is targeted for H2 2026; the Type II audit window is targeted for H1 2027 (Sections 5 and 6).
8. Changelog
This document is versioned. Material changes — including updates to sub-processors, security controls, and compliance status — are recorded here. The sub-processor list in Section 1.3 is current as of the date shown below.
| Date | Event |
|---|---|
| July 1, 2026 | Trust Center published. Live controls documented. |
| (Upcoming) | Penetration test completed — date TBD |
| (Upcoming) | Business continuity / disaster recovery tabletop completed — date TBD |
| (Upcoming) | SOC 2 Type I report issued — target H2 2026 |