4 of 4 guarantees verified · ran in 120ms · evaluated 7/8/2026, 8:23:08 AM
live
Security headers + tenant watermark active
security_middlewares_mountedPer-org collection naming enforced
tenant_db_partitioningJWT validation rejects tampered tokens
jwt_signature_validationStripe key sourced from env, never user input
stripe_key_env_onlymode: test · key type: secret
99.95%
30-day uptime
99.92%
90-day uptime
0 incidents in the last 30 days · health pings today: 0
x-cartie-org-id: unscoped x-cartie-tenant-scope: unauthenticated strict-transport-security: max-age=31536000; includeSubDomains, max-age=63072000; includeSubDomains; preload cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-site x-frame-options: DENY referrer-policy: strict-origin-when-cross-origin, strict-origin-when-cross-origin x-content-type-options: nosniff, nosniff
Verify yourself: curl -I https://cartieai.com/api/trust/live-check
Where we are, where we're going, and the controls already in place. Truthful framing — we don't claim certifications we don't have.
SOC 2-aligned controls
Following SOC 2 Type I controls (stateless cloud creds · encrypted-at-rest · JWT auth with rotation · audit log on every privileged action). Documentation generated from the open-source strongdm/comply toolkit.
GDPR-aligned data handling
30-day deletion on account close · per-tenant DEK · DPA available on request.
Multi-tenant isolation
Physical per-org MongoDB collections · X-CARTIE-Org-ID watermark on every response · 60+ leak_guard tests on every CI run.
Compliance automation platform
Evaluating Drata and Vanta (industry standards) for evidence automation. Adoption begins at customer #25 — qualifying for the startup program in either at that scale.
SOC 2 Type II audit
CPA auditor selection (likely Insight Assurance, Prescient, or Sensiba — startup-friendly $7–12K range) begins at customer #25. Typical observation window 6–12 months.
ISO 27001
Post-Series-A roadmap once SOC 2 Type II is in hand.
HIPAA-aligned BAA
On request for healthcare customers post-Series-A.
Answers we wish came pre-packaged with every InfoSec questionnaire.
No — and we don't want it. We use Stripe Restricted Keys with read-only scope on Customer / Subscription / Invoice. They cannot refund, charge, or access cards. Revocable in 5 seconds.
Four equally-valid integration paths: