Security & Trust

Trust without proof is the same as liability.

ThreatRecall is built to FedRAMP Moderate. Every control, every gap, every sub-processor is documented here — because prospects evaluating us for CUI workloads deserve more than marketing language.

FedRAMP Moderate — Assessment in progress (Phase 4 of 4) Updated 2026-05-29 Changelog →

1 · FedRAMP Moderate Assessment Status

Honest current state — not a promise.

Phase 0 — Initiation ✓
Phase 1 — Documentation ✓
Phase 2 — Testing ✓
Phase 3 — SAR review ✓
Phase 4 — Authorization (in progress)

We are in Phase 4 remediation — working findings from Phase 3, targeting package completion in Q3 2026. Bi-weekly cadence with the assessment team. The traceability matrix, control evidence, and remediation plan are available in the public changelog with each gate.

We do not claim ATO or authorization. This page and all marketing materials will be updated the day authorization is granted. Until then, we will not tell you we have something we don't.

Phase 4 target: Q3 2026. Package completion → JAB review → Authorization.
Post-authorization plan: GovCloud migration, FedRAMP-authorized hosting boundary.

2 · NIST 800-53 Rev 5 Moderate — Control Families

20 families assessed. Here is how ThreatRecall addresses each.

AC Access Control — RBAC per tenant, session invalidation on offboarding, API key auth for agents
AT Awareness & Training — Role-based training records in tenant settings
AU Audit & Accountability — Write-once audit_logs table (DB triggers block UPDATE/DELETE), signed export
CA Assessment & Authorization — Phase 0–3 complete, Phase 4 remediation in progress
CM Configuration Management — 9 CI gates, versioned migrations, immutable audit trail
CP Contingency Planning — Azure PostgreSQL backups, connection pooling, graceful shutdown
IA Identification & Auth — JWT sessions, TOTP 2FA, login rate limiting (4 fails → 15min lockout)
IR Incident Response — Incident records table, evidence provenance, memory correction log
MA Maintenance — In-process scheduler guarded by IN_PROCESS_CRONS_ENABLED; disabled by default for Azure hosting
MP Media Protection — TLP markings required on ingest; AMBER/RED content never sent to LLM
PE Physical & Environmental — Cloud-hosted; CSP boundaries documented; post-Seed GovCloud plan
PL Planning — System security plan, contingency plan, incident response plan in FedRAMP package
PS Personnel Security — Tenant-scoped user management; API key scoped to workspace
PT PII Processing & Transparency — PT-2 closed 2026-05-29; strict CSP on /auth/* blocks third-party trackers
RA Risk Assessment — Periodic review of findings; Azure authorization package in progress
SA System & Services Acquisition — CI gates on supply chain, license compliance, container scan
SC System & Comms Protection — TLS required, CSP headers, no plaintext credentials in transit
SI System & Info Integrity — Slow query log, perf middleware (p50/p95/p99), performance regressions = bugs
SR Supply Chain Risk — Trivy container scan, npm audit, license compliance gate (no GPL/AGPL)
PM Program Management — Cross-team security ownership; SEV-1 incident playbook; post-Seed GovCloud

3 · TLP Enforcement Model — The Differentiator

TLP:AMBER and TLP:RED content never leave your workspace.

This is not a policy. This is a structural guarantee enforced at two points: ingest (classification on write) and query (filter on read). The enforcement lives in the same SQL filter that ships in the /try public demo — it is the same code, the same logic, in the same database query path.

TLP:WHITE / GREEN
Recall search OK
Visible in recall results, graph, evidence panel, and STIX exports. Embeddable in reports.
TLP:AMBER
Filtered at ingest — never sent to LLM
Stored in your workspace DB only. Never sent to OpenAI. Not in /try/r/:slug permalinks.
  • Never in query string sent to LLM
  • Never in embedding vector
  • Not in workspace permalink exports
  • Not in shared result payloads
TLP:AMBER
Workspace isolation enforced
Row-level security policies on all tables enforce tenant isolation at the DB layer. A workspace's AMBER content is not visible to any other workspace.
TLP:RED
Filtered at ingest — all integrations blocked
Strictest restriction. Same enforcement as AMBER, plus: excluded from all API integrations, no export via STIX bundle, no share via permalink.
  • All TLP:RED enforcement from AMBER
  • No API integration access
  • No STIX bundle export
  • No cross-workspace export under any condition
SQL enforcement — same filter in /try
The TLP filter is a PostgreSQL WHERE tlp IN ('WHITE','GREEN') clause in the recall query path. It ships identically in the public demo at /api/public/try/recall. The filter is applied server-side — it cannot be bypassed by a client-side request. Proof: /try cannot surface AMBER or RED content regardless of query intent.
Ingest enforcement
Every kg_nodes write requires a tlp field (WHITE/GREEN/AMBER/RED). Nodes without a marking are staged and require explicit classification before commit — automated triage is not allowed for unmarked content. ingest_batches tracks every batch's TLP distribution for audit.
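The two enforcement points above (classification on write, filter on read) and the row-level tenant isolation, expressed as PostgreSQL DDL. This is an added illustration, not ThreatRecall's own code: the names kg_nodes, tenant_id and tlp come from the page, while the staging table, the promote_staged_node function, the recall_visible view and the app.tenant_id session setting are assumptions.

```sql
-- Constructed schema for illustration, not ThreatRecall's own DDL.
CREATE TYPE tlp_marking AS ENUM ('WHITE', 'GREEN', 'AMBER', 'RED');

CREATE TABLE kg_nodes (
  id        bigserial   PRIMARY KEY,
  tenant_id uuid        NOT NULL,
  tlp       tlp_marking NOT NULL,   -- NOT NULL: nothing is committed unmarked
  content   text        NOT NULL
);

-- Unmarked ingest waits here (assumed table); tlp is nullable only in staging.
CREATE TABLE kg_nodes_staging (
  id        bigserial   PRIMARY KEY,
  tenant_id uuid        NOT NULL,
  tlp       tlp_marking,
  content   text        NOT NULL
);

-- Tenant isolation at the DB layer: the app sets app.tenant_id per session
-- (assumed setting name) and RLS scopes reads and writes to that tenant.
-- An unset or empty setting yields NULL, so the policy admits no rows.
ALTER TABLE kg_nodes ENABLE ROW LEVEL SECURITY;
ALTER TABLE kg_nodes FORCE ROW LEVEL SECURITY;   -- binds the table owner too
CREATE POLICY tenant_isolation ON kg_nodes
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Promotion requires an explicit marking: a row with NULL tlp is never selected,
-- so it cannot reach kg_nodes. Returns the new node id, or NULL if not promoted.
CREATE FUNCTION promote_staged_node(staged_id bigint) RETURNS bigint
LANGUAGE sql AS $$
  WITH moved AS (
    DELETE FROM kg_nodes_staging s
    WHERE s.id = staged_id AND s.tlp IS NOT NULL
    RETURNING s.tenant_id, s.tlp, s.content
  )
  INSERT INTO kg_nodes (tenant_id, tlp, content)
  SELECT tenant_id, tlp, content FROM moved
  RETURNING id;
$$;

-- Read path for recall results and the public /try demo: the tlp filter is
-- part of the server-side statement, so no client parameter can widen it.
-- AMBER and RED rows never appear in a result payload, permalink or export.
CREATE VIEW recall_visible AS
  SELECT id, tenant_id, tlp, content
  FROM kg_nodes
  WHERE tlp IN ('WHITE', 'GREEN');
```

A useful check on such a deployment is to connect as the application role without setting app.tenant_id and confirm that SELECT on kg_nodes returns zero rows.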

4 · Data Handling

What we store, what OpenAI sees, how long we keep it.

Where data lives
Azure Database for PostgreSQL, East US 2. Tenant-scoped schema with RLS policies. All tables carry tenant_id. No cross-tenant visibility at the DB layer.
What OpenAI sees
Query strings only. The analyst's plain-text search (e.g. "APT29 lateral movement TTPs") — used for intent extraction and embedding. No node content, no evidence records, no CUI, no AMBER/RED marks.
OpenAI data retention
30-day retention. OpenAI does not use API data for model training. Enterprise Data Exclusion available for Pro/Enterprise customers.
Air-gapped / self-hosted path
Set OLLAMA_BASE_URL to your local endpoint. All LLM calls stay on your infrastructure. Air-gapped mode falls back to keyword search — no LLM dependency.

Audit log retention and deletion

Retention period
Audit logs retained for 3 years (configurable per tenant). Write-once enforced by PostgreSQL triggers — UPDATE and DELETE blocked at the DB layer.
Deletion SLA
Workspace deletion: complete within 30 days of account closure request. Data export before deletion supported — use Settings → Export Data. Individual record deletion: Settings → Delete Account within 14 days.

5 · Audit Log Capability

Every action attributable. Every export signed.

Audit logs cover analyst interactions, AI agent actions, and system events. Export in CSV or JSONL via /docs/api#tag/Audit. Each export is signed with a UUID event_id that cannot be modified post-export.

// Sample audit log row — synthetic, illustrative only
{
  "event_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "timestamp": "2026-05-30T14:32:07.000Z",
  "user_id": "usr_4f8a9b2c1d3e",
  "action": "recall_query",
  "resource_type": "kg_nodes",
  "resource_id": "node_apt29_001",
  "workspace_id": "ws_demo",
  "tlp": "WHITE",
  "query_text": "APT29 lateral movement techniques",
  "result_count": 7,
  "user_agent": "Mozilla/5.0 ThreatRecall/1.0",
  "ip_hash": "sha256:3a4b5c...",
  "api_key_id": "key_hashed",
  "session_id": "sess_9f8e7d6c"
}
Write-once guarantee
PostgreSQL triggers on audit_logs block UPDATE and DELETE. Export generates a deterministic checksum from the row contents so downstream consumers can detect tampering.
System sentinel rows
AI agent requests authenticated by API key are logged under a system sentinel user (not a human), so every automated action is attributable. The token hash is stored in sessions to allow per-session revocation.
Memory provenance
Every kg_nodes record carries source, source_type, tlp, confidence, ingested_at, and linked_evidence_ids. Corrections and rejections snapshotted in memory_versions with version_number and changed_by.
24h correction rollback
Memory corrections (reject/correct/merge) can be rolled back via /api/admin/rollback-correction/:id within 24 hours of application. Pre-change state preserved in memory_versions.
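The write-once guarantee and the checksummed export described in this section, as an added PostgreSQL illustration rather than ThreatRecall's own DDL. The audit_logs table and event_id field follow the page; the column set, the trigger names, the threatrecall_app role and the audit_logs_export view are assumptions.

```sql
-- Constructed, not ThreatRecall's own DDL. audit_logs and event_id follow
-- the page; the column set and the threatrecall_app role are assumptions.
CREATE TABLE audit_logs (
  event_id     uuid        PRIMARY KEY DEFAULT gen_random_uuid(),  -- PG 13+
  ts           timestamptz NOT NULL DEFAULT now(),
  workspace_id text        NOT NULL,
  user_id      text        NOT NULL,  -- human user or system sentinel for API-key agents
  action       text        NOT NULL,
  resource_id  text,
  tlp          text        CHECK (tlp IN ('WHITE','GREEN','AMBER','RED'))
);

-- Write-once: UPDATE and DELETE are rejected per row, TRUNCATE per statement.
CREATE FUNCTION audit_logs_write_once() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_logs is write-once: % is not permitted', TG_OP
    USING ERRCODE = 'insufficient_privilege';
  RETURN NULL;  -- never reached; the exception aborts the statement
END;
$$;
CREATE TRIGGER audit_logs_no_row_changes
  BEFORE UPDATE OR DELETE ON audit_logs
  FOR EACH ROW EXECUTE FUNCTION audit_logs_write_once();
CREATE TRIGGER audit_logs_no_truncate
  BEFORE TRUNCATE ON audit_logs
  FOR EACH STATEMENT EXECUTE FUNCTION audit_logs_write_once();

-- Defense in depth: the app role holds no privilege the triggers guard
-- against and, not being the owner, cannot drop the triggers either.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_logs FROM threatrecall_app;
GRANT  SELECT, INSERT            ON audit_logs TO   threatrecall_app;

-- Export with a deterministic per-row checksum: jsonb canonicalises key order
-- and ts is rendered in UTC, so a consumer can recompute the value from the
-- exported fields and flag any row that no longer matches. A plain hash detects
-- modification; proving who exported it needs a key (HMAC/signature) held outside the DB.
CREATE VIEW audit_logs_export AS
  SELECT a.*,
         encode(sha256(convert_to(jsonb_build_object(
           'event_id',     a.event_id,
           'ts',           to_char(a.ts AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'),
           'workspace_id', a.workspace_id,
           'user_id',      a.user_id,
           'action',       a.action,
           'resource_id',  a.resource_id,
           'tlp',          a.tlp
         )::text, 'UTF8')), 'hex') AS row_checksum
  FROM audit_logs a;
```

sha256(bytea) is built in from PostgreSQL 11; on older servers use pgcrypto's digest().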

6 · Third-Party Processors

Full sub-processor list, honest scope.

Updated 2026-05-29. Replaces any prior partial disclosure.

Azure Database for PostgreSQL (azure.microsoft.com)
Region: East US 2
Purpose: Primary database — CTI nodes, evidence, incidents, audit logs, user accounts, sessions
Data category: CTI nodes, evidence records, audit logs, user accounts

Azure App Service (azure.microsoft.com)
Region: East US 2
Purpose: Application hosting — Express web service, session handling, API routing
Data category: app traffic, request logs (ATO not claimed)

Postmark (postmarkapp.com)
Region: US
Purpose: Transactional email — onboarding drip, password reset, pilot confirmations, notification alerts
Data category: email addresses; no CTI content

OpenAI (openai.com)
Region: US
Purpose: Query intent extraction and embedding generation on recall — query strings only, explicit scope
Data category: search query strings; no node content, no CUI, no AMBER/RED

Stripe (stripe.com)
Region: US
Purpose: Subscription billing, payment processing, invoice management
Data category: billing data; no CTI content
Scope: All CTI content (TLP:AMBER, TLP:RED, CUI) is processed exclusively within the Azure PostgreSQL database in your workspace tenant. No sub-processor listed above receives, stores, or processes CTI node content, evidence records, or incident data.

7 · Honest Disclosure

Gaps we document rather than hide.

Putting this in writing builds more trust than leaving it out.

Known gaps in the current infrastructure

ThreatRecall cloud ATO
ThreatRecall is not FedRAMP Authorized today. Azure hosting is the primary boundary, but authorization is not claimed until the package is complete.
Azure PostgreSQL
Database lives in the tenant-isolated application schema. Row-level security enforces tenant isolation at the DB layer. FedRAMP/CUI use still requires the customer-approved boundary until authorization is complete.
Authorization path
Complete Azure deployment evidence, control inheritance mapping, and customer-ready boundary documentation. ATO timing is driven by the authorizing agency, not only product readiness.
Today for CUI workloads
For federal/CUI workloads that require an authorized CSP boundary today: use the self-hosted deployment. This gives you a fully isolated, air-gapped ThreatRecall instance inside your approved boundary. Contact patrick@threatengram.com for self-hosted licensing.

What we do not claim

SOC 2 Type II
Not done. Not in progress.
ISO 27001
Not done. Not in progress.
FedRAMP Authorized / ATO
Phase 4 in progress. We will not represent ourselves as authorized until authorization is granted.

8 · Contact & Responsible Disclosure

Security contact and vulnerability reporting.

Inbox
security@threatengram.com — monitored by the engineering team. Response within 1 business day.
Disclosure
90-day coordinated disclosure. We ask that you give us 90 days to fix before public disclosure. Good-faith researchers credited in our security changelog unless anonymity is requested.
Safe harbor
Good-faith researchers following this policy will not face legal action or account termination. We do not have a formal bug bounty program yet — on the roadmap.
In scope
app.threatrecall.ai, *.threatengram.com, *.threatrecall.ai
Out of scope
Third-party services we integrate with (Azure, Postmark, OpenAI, Stripe) — report to those vendors. Denial-of-service testing. Social engineering. Physical security.

Questions before signing?

30-day Design Partner Pilot. No charge. Export everything on exit.

Apply for pilot →