Security Overview

Last updated: April 17, 2026

For security teams: this page is the public summary of CivicCA's security program. Completed SIG Lite, CAIQ v4, and Higher Ed Cloud Vendor Assessment questionnaires are available under NDA on request — email security@civicca.com with your questionnaire and we will return a completed copy within five business days. For vulnerability reports, see the disclosure policy.

Architecture & Hosting

  • CivicCA runs on Amazon Web Services in US-only regions (us-west-2 primary, us-east-1 disaster-recovery). All Customer data is stored in US data centers.
  • Multi-tenant database with strict row-level scoping by municipality_id; every query is gated by tenant context. Single-tenant deployments are available on the Government plan.
  • File storage on AWS S3 with bucket policies enforcing tenant isolation, server-side encryption (AES-256), and signed-URL access only.

Encryption

  • In transit: TLS 1.2 minimum, TLS 1.3 preferred, HSTS enforced. SSL Labs A+ rating.
  • At rest: AES-256 for the application database, file storage, backups, and audit logs.
  • Secrets: AWS Secrets Manager with automatic rotation for database credentials, API keys, and signing keys.

Identity & Access

  • Passwords stored using password_hash() with bcrypt (cost factor 12+). No plaintext storage anywhere.
  • Multi-factor authentication available on all plans, required for super-admin and administrative accounts.
  • Role-based access control with five roles (super_admin, admin, editor, contributor, viewer); least-privilege defaults.
  • SSO via SAML 2.0 / OIDC available on the Government plan (Google Workspace, Microsoft Entra, Okta, Clerk).
  • Session timeout, IP-pinned sessions on request, and rate-limited authentication endpoints.
  • CivicCA staff access to Customer data is restricted to break-glass support scenarios, requires MFA, is fully logged, and is reviewed quarterly.

Audit & Logging

  • Per-action audit log (meeting_admin_log and related tables) captures who did what, when, and from where. Logs are immutable from the application layer.
  • Retention: 7 years for audit logs (consistent with California public-agency retention norms), 90 days for HTTP access logs.
  • Anomaly detection on authentication failures, privilege escalation, and bulk data export.

Application Security

  • Prepared statements for every database query — no string concatenation of user input.
  • HTML output escaping by default; explicit allowlist for trusted markup contexts.
  • CSRF tokens on all state-changing requests.
  • Strict Content-Security-Policy with inline-script nonces.
  • OWASP-aligned input validation, file-type/size checks on uploads, and PDF sanitization for ingested attachments.
  • Dependency scanning via Composer audit and weekly automated reviews; critical CVEs patched within 7 days.
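As an added example (not CivicCA's code) of the two controls stated above, row-level scoping by municipality_id under Architecture & Hosting and prepared statements for every query here: a PHP/PDO helper that refuses to run a query without tenant context and binds all user input. It assumes PHP 8 with pdo_sqlite and a hypothetical meetings table.

```php
<?php
// Added illustration, not CivicCA's code: a PDO helper that enforces both controls,
// tenant scoping by municipality_id and prepared statements. Schema is assumed.
final class TenantDb
{
    private ?int $municipalityId = null;
    public function __construct(private PDO $pdo)
    {
        // Native prepares: values are bound by the driver and never spliced into SQL text.
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Tenant context comes from the authenticated session, never from request input.
    public function setTenant(int $municipalityId): void
    {
        $this->municipalityId = $municipalityId;
    }

    // Refuses to run unless tenant context is set and the SQL carries the
    // :municipality_id placeholder, then injects the tenant id itself so a caller
    // cannot substitute another municipality's id.
    public function query(string $sql, array $params = []): array
    {
        if ($this->municipalityId === null) {
            throw new LogicException('tenant context not set');
        }
        if (!str_contains($sql, ':municipality_id')) {
            throw new LogicException('query is not tenant-scoped');
        }
        if (array_key_exists('municipality_id', $params)) {
            throw new LogicException('callers may not override the tenant id');
        }
        $params['municipality_id'] = $this->municipalityId;
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
// Self-contained demo on in-memory SQLite with constructed rows for two municipalities.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE meetings (id INTEGER PRIMARY KEY, municipality_id INTEGER, title TEXT)');
$pdo->exec("INSERT INTO meetings (municipality_id, title) VALUES (42, 'Budget hearing'), (7, 'Budget workshop')");
$db = new TenantDb($pdo);
$db->setTenant(42);
// The search term is a bound value (quotes or comment markers in it stay data); tenant 7's row is never returned.
$rows = $db->query('SELECT id, title FROM meetings WHERE municipality_id = :municipality_id AND title LIKE :q',
                   ['q' => '%Budget%']);
var_dump(count($rows) === 1 && $rows[0]['title'] === 'Budget hearing');
```

The placeholder check is a guard rail for reviewers, not a proof of isolation; in a real code base it is paired with query review and tests that seed two tenants, as the demo does.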

Vulnerability Management

  • Routine internal vulnerability scanning of the application stack and infrastructure.
  • Annual third-party penetration test (network + application). Summary findings available under NDA.
  • Public vulnerability disclosure policy — we acknowledge reports within 48 hours and provide remediation timelines based on severity.
  • Bug bounty program available on request to qualified security researchers.

Backup & Disaster Recovery

  • Continuous database backups with point-in-time recovery to any moment within the last 7 days.
  • Daily snapshots retained for 30 days; weekly snapshots retained for 90 days.
  • S3 cross-region replication for file storage; RPO < 1 hour, RTO < 4 hours for the production environment.
  • Disaster-recovery runbook tested at least annually.

Incident Response

  • Documented incident-response plan with severity classification, escalation, and post-incident review.
  • Customer notification of confirmed Security Incidents within 72 hours per the Data Processing Addendum.
  • Coordination with Customer's required California Civil Code §1798.29 / §1798.82 breach notifications.

Vendor & Sub-Processor Management

  • Each Sub-Processor is vetted before engagement and bound by data-protection terms no less protective than those in our DPA.
  • Current Sub-Processors are published at civicca.com/subprocessors; changes notified 30 days in advance.
  • Annual review of each Sub-Processor's security posture (SOC 2, ISO 27001, or equivalent).

Privacy & Compliance

  • CCPA / CPRA: CivicCA acts as a Service Provider; see the DPA and Privacy Policy.
  • California Public Records Act: data export and retention controls support agency obligations.
  • ADA Title II: WCAG 2.1 AA conformance; see the VPAT.
  • FERPA: school-district customers can sign a FERPA addendum on request.

Personnel

  • Background checks for all personnel with access to Customer Personal Information, scoped to applicable law.
  • Annual security training for all employees and contractors; role-specific training for engineers.
  • Confidentiality and acceptable-use policies signed at hire.

Reporting a Vulnerability

Email security@civicca.com or follow the policy at /security.txt. We commit to acknowledging reports within 48 hours and to working with researchers in good faith. We will not pursue legal action against researchers who comply with the disclosure policy.

Related: Data Processing Addendum · Sub-Processors · SLA · Privacy Policy · VPAT.