4 of 4 guarantees verified · ran in 154ms · evaluated 5/28/2026, 7:59:25 PM · live
security_middlewares_mounted · Security headers + tenant watermark active
tenant_db_partitioning · Per-org collection naming enforced
jwt_signature_validation · JWT validation rejects tampered tokens
stripe_key_env_only · Stripe key sourced from env, never user input (mode: test · key type: secret)
30-day uptime: 99.95% · 90-day uptime: 99.92%
0 incidents in the last 30 days · health pings today: 0
Verify yourself: curl -I https://cartieai.com/api/trust/live-check
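The jwt_signature_validation guarantee above is the one most worth seeing in code. What follows is an added, self-contained example (not code from Cartie) of an HS256 verifier that does the three things a "rejects tampered tokens" check depends on: it pins the algorithm instead of trusting the token's alg field, compares the HMAC in constant time, and looks up the signing secret by a kid header so that secrets can be rotated without invalidating tokens issued under the previous one. The keyring, key ids, claim names and the tamper helpers are constructed for the example and are not Cartie's.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised with a short reason whenever a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed keyring (example only): kid -> HMAC secret. Rotation means adding a
# new kid, signing with it, and keeping the old kid only until every token signed
# with it has expired.
KEYRING = {
    "2026-05": b"example-only-new-hmac-secret-0001",
    "2026-04": b"example-only-old-hmac-secret-0000",
}
ACTIVE_KID = "2026-05"


def sign(claims: dict, kid: str = ACTIVE_KID) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise TokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
    except ValueError:
        raise TokenError("bad header")
    # The server decides the algorithm; "none" or a swapped alg is never honoured.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("alg not allowed")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYRING:
        raise TokenError("unknown kid")
    expected = hmac.new(KEYRING[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    try:
        given = b64url_decode(s64)
    except ValueError:
        raise TokenError("bad signature encoding")
    # Constant-time comparison: a byte-by-byte mismatch leaks timing otherwise.
    if not hmac.compare_digest(expected, given):
        raise TokenError("signature mismatch")
    try:
        claims = json.loads(b64url_decode(p64))
    except ValueError:
        raise TokenError("bad payload")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    return claims


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        verify(token, now)
        return None
    except TokenError as err:
        return str(err)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Replace the payload but keep the original signature, as an attacker
    editing the org claim in a captured token would."""
    h64, _, s64 = token.split(".")
    p64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{h64}.{p64}.{s64}"


def unsigned_token(header: dict, claims: dict) -> str:
    """Token with an arbitrary header and an empty signature (alg=none style)."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        "",
    ])
```

The check order matters: algorithm and key id are validated before any cryptography runs, the signature is checked before the payload is parsed, and expiry is checked last, so an attacker can influence nothing but the reason string.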
Where we are, where we're going, and the controls already in place. Truthful framing — we don't claim certifications we don't have.
SOC 2-aligned controls
Controls aligned to the SOC 2 Trust Services Criteria ahead of a formal audit (stateless cloud credentials · encryption at rest · JWT auth with rotation · an audit log entry for every privileged action). Policy documentation is generated with the open-source strongdm/comply toolkit.
GDPR-aligned data handling
Deletion within 30 days of account close · a separate data encryption key (DEK) per tenant · DPA available on request.
Multi-tenant isolation
Physically separate MongoDB collections per org · X-CARTIE-Org-ID watermark header on every response · 60+ leak_guard (cross-tenant) tests on every CI run.
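To make the three isolation controls concrete, here is an added example (not Cartie's code) of the shape they take in a request path: the collection name is derived from an org id that came from the verified token and is validated so it cannot splice into another org's namespace, the response carries the org watermark, and a leak_guard-style probe seeds two orgs and checks that one cannot read the other's rows even when the request body claims the other org's id. The org id format, the in-memory store standing in for MongoDB, the handler, and the seed rows are all constructed for this example.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Assumed org id format (example only): 8-32 lowercase alphanumerics. No
# underscore is allowed, so "org_<id>__<base>" parses unambiguously.
ORG_ID_RE = re.compile(r"[a-z0-9]{8,32}")
BASE_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def org_collection(org_id: str, base: str) -> str:
    """Physical collection name for one org; both parts are validated first."""
    if not ORG_ID_RE.fullmatch(org_id):
        raise ValueError(f"invalid org id: {org_id!r}")
    if not BASE_RE.fullmatch(base):
        raise ValueError(f"invalid collection base: {base!r}")
    return f"org_{org_id}__{base}"


class Store:
    """In-memory stand-in for the database: collection name -> documents."""

    def __init__(self) -> None:
        self.collections: Dict[str, List[dict]] = defaultdict(list)


class TenantHandle:
    """Every read and write goes through a handle bound to one org id. The id
    comes from the verified token, never from the request body."""

    def __init__(self, store: Store, org_id: str) -> None:
        self.store = store
        self.org_id = org_id

    def insert(self, base: str, doc: dict) -> None:
        self.store.collections[org_collection(self.org_id, base)].append(dict(doc))

    def find(self, base: str, **filt) -> List[dict]:
        rows = self.store.collections[org_collection(self.org_id, base)]
        return [d for d in rows if all(d.get(k) == v for k, v in filt.items())]


def watermark(handler: Callable[[TenantHandle, dict], tuple]):
    """Bind the handler to the token's org and stamp the response with it."""

    def wrapped(store: Store, token_org_id: str, request: dict) -> tuple:
        status, headers, body = handler(TenantHandle(store, token_org_id), request)
        return status, {**headers, "X-CARTIE-Org-ID": token_org_id}, body

    return wrapped


@watermark
def list_invoices(db: TenantHandle, request: dict) -> tuple:
    # Any org_id the client put in the request is deliberately never read.
    return 200, {"Content-Type": "application/json"}, db.find("invoices")


def leak_guard(store: Store) -> Dict[str, bool]:
    """Cross-tenant probe in the spirit of a leak_guard CI test (constructed
    data): org B, with a request body claiming org A, must see only its own
    rows, be watermarked as B, and leave A's rows untouched."""
    a, b = "orgaaaaa1", "orgbbbbb2"
    TenantHandle(store, a).insert("invoices", {"id": "inv_1", "amount": 100})
    TenantHandle(store, b).insert("invoices", {"id": "inv_2", "amount": 5})
    _status, headers, body = list_invoices(store, b, {"org_id": a})
    return {
        "b_sees_only_own": [d["id"] for d in body] == ["inv_2"],
        "watermark_is_b": headers["X-CARTIE-Org-ID"] == b,
        "a_rows_untouched": [d["id"] for d in TenantHandle(store, a).find("invoices")] == ["inv_1"],
    }
```

The validation in org_collection is the part that is easy to forget: if the org id were accepted unchecked, a value such as "orgaaaaa1__invoices" could be made to name a different org's collection, so the regex is what makes "per-org naming enforced" a real guarantee rather than a convention.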
Compliance automation platform
Evaluating Drata and Vanta for evidence automation. Adoption begins at customer #25, the scale at which we qualify for the startup program of either vendor.
SOC 2 Type II audit
CPA auditor selection (likely Insight Assurance, Prescient, or Sensiba — startup-friendly $7–12K range) begins at customer #25. Typical observation window 6–12 months.
ISO 27001
Post-Series-A roadmap once SOC 2 Type II is in hand.
HIPAA-aligned BAA
On request for healthcare customers post-Series-A.
Answers we wish came pre-packaged with every InfoSec questionnaire.
No — and we don't want it. We use Stripe Restricted Keys with read-only scope on Customer / Subscription / Invoice. They cannot refund, charge, or access cards. Revocable in 5 seconds.
Four equally-valid integration paths: