# Perathos Security Questionnaire Helper

This helper is generated from `content/trust-controls.json`. It is not a certification, audit report, or signed legal commitment.

## Are you SOC 1 or SOC 2 certified?

No. Perathos does not currently claim SOC 1 or SOC 2 certification. We are building a control roadmap and will pursue formal audit readiness as customer scale and audit scope justify it.

## Do you have MFA?

MFA should be enforced, not merely offered, for administrative systems. If a customer requires evidence, Perathos will provide configuration evidence (enforcement settings and enrollment status) for the systems in scope during diligence.

## How do you manage secrets?

Secrets must not be stored in source code or shared in chat or docs. Managed secret storage or the deployment environment's secret facilities are the target operating model. If write-only secret handling (a secret can be set, rotated, and used, but not read back in plaintext) is enabled in the product, it should be evidenced during onboarding before being represented as a live control.
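The following Python sketch is an added illustration of what "write-only" secret handling means in practice; it is not Perathos product code and is not generated from `content/trust-controls.json`. The class and function names (`WriteOnlySecret`, `public_view`, `leaks_plaintext`) are hypothetical. The handle can be set, rotated, and used to sign and verify messages, but every path that would return, print, or serialize the plaintext is closed, and only a fingerprint is exposed so an operator can confirm which value is live.

```python
import hashlib
import hmac
import json
import secrets


class SecretReadBackError(RuntimeError):
    """Raised on any attempt to get the plaintext back out of the handle."""


class WriteOnlySecret:
    """Hypothetical write-only secret handle (illustration, not product code).

    What is exposed: a short SHA-256 fingerprint so an operator can confirm
    which value is live, a version counter, and HMAC sign/verify that *use*
    the secret. The plaintext is never returned, printed, or serialized.
    """

    __slots__ = ("_value", "fingerprint", "version")

    def __init__(self, value: str) -> None:
        self._value = b""
        self.version = 0
        self.fingerprint = ""
        self.set(value)

    def set(self, value: str) -> str:
        """Set or rotate the secret; returns the new fingerprint, never the value."""
        if len(value) < 16:
            raise ValueError("secret must be at least 16 characters")
        self._value = value.encode("utf-8")
        self.version += 1
        self.fingerprint = hashlib.sha256(self._value).hexdigest()[:12]
        return self.fingerprint

    def sign(self, message: bytes) -> str:
        """Use the secret (HMAC-SHA256) without ever handing it to the caller."""
        return hmac.new(self._value, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, signature: str) -> bool:
        return hmac.compare_digest(self.sign(message), signature)

    def matches(self, candidate: str) -> bool:
        """Constant-time 'is this the value currently set?' check."""
        return hmac.compare_digest(self._value, candidate.encode("utf-8"))

    # Every path that could leak the plaintext is closed off explicitly.
    @property
    def value(self) -> bytes:
        raise SecretReadBackError("write-only secret cannot be read back")

    def __repr__(self) -> str:
        return f"WriteOnlySecret(version={self.version}, fingerprint={self.fingerprint!r})"

    __str__ = __repr__

    def __getstate__(self):
        raise SecretReadBackError("write-only secret cannot be pickled or copied")


def public_view(name: str, secret: WriteOnlySecret) -> dict:
    """What a settings page or API may return: that it is set, and which value."""
    return {"name": name, "set": True, "version": secret.version,
            "fingerprint": secret.fingerprint}


def leaks_plaintext(secret: WriteOnlySecret, plaintext: str) -> bool:
    """Evidence check: does any exported representation contain the plaintext?"""
    exported = [repr(secret), str(secret), json.dumps(public_view("webhook_secret", secret))]
    return any(plaintext in s for s in exported)


if __name__ == "__main__":
    # Constructed sample: a fresh random webhook signing secret.
    initial = secrets.token_urlsafe(24)
    handle = WriteOnlySecret(initial)
    payload = b'{"event": "run.completed", "run_id": 42}'
    signature = handle.sign(payload)
    print(public_view("webhook_secret", handle))
    print("verifies:", handle.verify(payload, signature))
    print("leaks plaintext:", leaks_plaintext(handle, initial))
```

When evidencing this control during onboarding, the useful check is the last one: take the value you just set, then confirm it does not appear in the API response, the settings page, the logs, or an export of the configuration; the fingerprint should appear instead.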

## How do you control access?

Access is based on least privilege and business need. Customer workspace administration, user removal, and role controls should be demonstrated from the live product before being used as procurement evidence.

## How do you log and monitor activity?

Operational logging and run history are expected control areas. Logs, timestamps, metrics, and errors should be shown from the product environment in scope before being treated as live audit evidence.

## Do you support data deletion?

Deletion support depends on the deployment and data store in scope. If automated deletion is not yet implemented, Perathos should handle deletion requests manually and document completion, including which data stores, logs, and backups were covered and when any remaining backup copies age out.

## Do you support customer isolation?

Customer isolation should be implemented through tenant scoping (every data access path carries the caller's tenant identifier and filters on it; an object identifier alone never grants access) and least-privilege access. Dedicated or stronger isolation patterns can be planned for enterprise deployments when required.
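As an added example of tenant scoping, not Perathos product code and not generated from `content/trust-controls.json`, the Python sketch below puts an unscoped lookup beside a tenant-scoped repository over a constructed SQLite database shared by two tenants. It also carries the role check from the access-control section above, so that a destructive action needs the admin role and still keeps the tenant predicate. Names such as `TenantContext`, `DocumentRepo`, and the tenants `acme` and `globex` are hypothetical.

```python
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY);
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    title     TEXT NOT NULL
);
CREATE INDEX documents_by_tenant ON documents (tenant_id);
"""

# Constructed sample data: two tenants sharing one database.
SEED_TENANTS = [("acme",), ("globex",)]
SEED_DOCUMENTS = [("acme", "Q3 roadmap"), ("acme", "Vendor list"), ("globex", "Payroll export")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants (id) VALUES (?)", SEED_TENANTS)
    conn.executemany("INSERT INTO documents (tenant_id, title) VALUES (?, ?)", SEED_DOCUMENTS)
    return conn


@dataclass(frozen=True)
class TenantContext:
    """Who is calling: resolved from the authenticated session, never from request input."""
    tenant_id: str
    role: str  # "member" or "admin"


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int):
    """The IDOR-prone form: only the object id is checked, so any caller who can
    guess an id reads another tenant's row."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class DocumentRepo:
    """Tenant-scoped data access: every statement carries tenant_id from the context."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext) -> None:
        self.conn = conn
        self.ctx = ctx

    def get(self, doc_id: int):
        # A row belonging to another tenant is indistinguishable from a missing row.
        return self.conn.execute(
            "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.ctx.tenant_id),
        ).fetchone()

    def list_documents(self):
        return self.conn.execute(
            "SELECT id, tenant_id, title FROM documents WHERE tenant_id = ? ORDER BY id",
            (self.ctx.tenant_id,),
        ).fetchall()

    def delete(self, doc_id: int) -> int:
        # Least privilege: destructive actions need the admin role, and even then
        # the tenant predicate stays in the statement. Returns rows affected.
        if self.ctx.role != "admin":
            raise PermissionError("delete requires the admin role")
        cur = self.conn.execute(
            "DELETE FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.ctx.tenant_id),
        )
        return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("unscoped lookup of id 3 by anyone:", get_document_unscoped(db, 3))
    acme = DocumentRepo(db, TenantContext("acme", "member"))
    print("acme member looking up id 3:", acme.get(3))
    print("acme member's own documents:", acme.list_documents())
    acme_admin = DocumentRepo(db, TenantContext("acme", "admin"))
    print("acme admin deleting id 3 (globex row):", acme_admin.delete(3), "rows")
```

The check a reviewer wants before treating isolation as a live control is the cross-tenant probe: authenticate as one tenant, request an object id known to belong to another, and confirm the result is a not-found (or zero rows affected for a write), not the other tenant's data.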

## How do you handle incidents?

Perathos uses a lightweight incident flow: identify, contain, investigate, recover, communicate, and document corrective actions. Customer notification terms should be agreed in the contract or pilot terms.

## What is your retention policy?

Retention should be defined by data type, customer agreement, and operational need. Perathos should avoid retaining customer content longer than needed for service delivery, support, security, or legal obligations.

## How do you use AI in development and operations?

AI may assist with drafting, coding, testing, and operations. Secrets, credentials, restricted customer data, and regulated data should not be entered into unapproved AI tools. Human review remains required before AI-generated code or operational changes reach production.

## Do you train AI models on customer data?

Perathos should not train models on customer data unless explicitly agreed in writing. If model training or vendor improvement is not technically disabled in a specific environment, that limitation must be disclosed before production use.

