Security
Our approach to protecting this website and the infrastructure behind it.
Last updated: April 2026
Our approach
Security is a core operational concern at CAPA Resolve, not an afterthought. Because the CAPA platform is designed to handle sensitive dispute and case information, we apply a deliberate, conservative approach to how infrastructure is built, accessed, and maintained — starting from the beginning of the platform's development, not as a retrofit.
At this stage, the public website is a minimal static site. The security principles described below reflect the approach we are applying as the platform is built, not claims about production capabilities that do not yet exist.
Least privilege
Access to systems, data, and infrastructure is granted on a minimum-necessary basis. Individuals and services receive only the access they require to perform their specific function. We do not use shared credentials or broadly permissioned accounts. Access is reviewed as roles and responsibilities change.
Auditability
We design infrastructure to produce clear, tamper-resistant audit logs of access and changes. Administrative actions, data access events, and configuration changes should be traceable. The intent is to ensure that any anomaly can be identified and investigated, and that a reliable record exists for any security review.
Controlled disclosure
Sensitive information — whether belonging to users or to internal operations — is disclosed only to those with a demonstrated need to receive it, within clearly defined boundaries. This applies both to how the platform handles user data and to how we handle information internally. CAPA's design principle is that unnecessary exposure is itself a risk.
Secure infrastructure
This public website is served over HTTPS with strict transport security headers applied. We use reputable, well-maintained hosting and infrastructure providers. Dependencies are kept minimal to reduce attack surface.
As the CAPA platform is built out, production infrastructure will be isolated by environment, and access will be gated by strong authentication. Specific infrastructure choices will be documented in the Subprocessors page as they are confirmed.
Ongoing hardening
Security is not a one-time configuration. We treat it as an ongoing practice: reviewing configuration, monitoring for anomalies, updating dependencies, and reviewing access permissions as the platform evolves. We do not rely solely on infrastructure defaults.
What we are not claiming
We do not currently hold any formal security certifications (such as SOC 2, ISO 27001, or similar). We have not undergone a third-party penetration test at this stage of development. We do not claim compliance with specific regulatory frameworks beyond what is strictly applicable to our current operating context.
We will update this page as formal security reviews, certifications, or assessments are completed. We believe it is more credible to be accurate about our current position than to claim a security posture we cannot yet evidence.
Security contact
If you believe you have identified a security vulnerability in this website or in CAPA Resolve's infrastructure, please contact us responsibly before any public disclosure. We ask that you give us reasonable time to investigate and address the issue.
- Email: legal@caparesolve.com — use "Security Disclosure" in the subject line
- Privacy-related security concerns: privacy@caparesolve.com
We do not offer a formal bug bounty programme at this time, but we take all responsible disclosures seriously and will acknowledge your report.