Enterprise Security Packet

Effective Date: March 25, 2026
Last Updated: March 25, 2026
Version: 1.1

1. Company Overview

CAIRL is a privacy-first identity verification platform operated by reAPPlicate Incorporated, a Florida corporation. The platform provides:

  • Identity verification using government-issued documents and biometric matching
  • Secure encrypted document storage
  • OAuth 2.0-based verification claims delivery (PKCE enforced, no raw PII exposure)
  • Proxy email services (CAIRL/mail)
  • Passkey-first authentication (CAIRL/keys)

CAIRL provides verification signals and infrastructure, not legal identity certification. CAIRL does not act as a financial intermediary, data broker, or custodian of funds.

2. Data Handling Model

2.1 Data Minimization

CAIRL is designed to collect only the data necessary to verify identity, prevent fraud, and provide authorized services.

2.2 Claims-Based Architecture

Connected services receive verification claims only (e.g., "age_18_plus: true", "identity_verified: true"). No raw identity documents, biometric data, or full personal details are shared with connected services unless explicitly authorized by the user through a comparison claim.

CAIRL APIs do not expose raw identity documents or biometric data to connected services.

Claims are generated per request and are not reused across services without user authorization.

2.3 Pairwise Identifiers

Each integration receives a unique, non-correlatable identifier (HMAC-SHA256) for each user. Raw user IDs never leave the CAIRL platform. This prevents cross-platform user correlation.
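An added example (not CAIRL's code) of the pairwise identifier described here and the claims-only delivery described in 2.2, also listed as the identifier isolation control in section 6. The key, user record, claim names and function names are constructed assumptions; a real deployment would hold the key in the KMS from section 4.

```python
import base64
import hashlib
import hmac
from datetime import date

# Constructed example key, never stored in source in a real deployment.
PLATFORM_KEY = b"constructed-example-key-do-not-use"


def pairwise_identifier(user_id: str, integration_id: str, key: bytes = PLATFORM_KEY) -> str:
    """Per-integration identifier handed to a connected service.

    HMAC-SHA256 keyed with a platform-held secret over (integration, user).
    Length-prefixing the parts keeps the encoding unambiguous, so
    ("ab", "c") and ("a", "bc") cannot collide. Without the key a service
    can neither recover the raw user ID nor link two integrations' IDs.
    """
    parts = (integration_id.encode(), user_id.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_claims(user: dict, integration_id: str, as_of: date) -> dict:
    """Claims payload for one request: pairwise subject plus boolean claims.

    The raw user_id and birth_date in `user` never appear in the output;
    only values derived from them do.
    """
    birth = user["birth_date"]
    try:
        turned_18 = birth.replace(year=birth.year + 18)
    except ValueError:  # born 29 Feb: count 1 March as the birthday
        turned_18 = birth.replace(year=birth.year + 18, month=3, day=1)
    return {
        "sub": pairwise_identifier(user["user_id"], integration_id),
        "identity_verified": bool(user["identity_verified"]),
        "age_18_plus": as_of >= turned_18,
    }


# Constructed sample user record (internal representation, never shared).
SAMPLE_USER = {
    "user_id": "usr_0001",
    "birth_date": date(2007, 6, 15),
    "identity_verified": True,
}
```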

2.4 Biometric Data Handling

Attribute | Detail
Collection trigger | User-initiated identity verification
Consent mechanism | Explicit UI consent screen, separate from ToS acceptance
Processor | AWS Rekognition (under CAIRL control and instruction)
AWS model training | AWS processes biometric data solely on CAIRL's behalf and under its instructions. CAIRL does not permit the use of this data for model training.
Session data retention | Not retained beyond what is required to complete the session
Biometric reference (embedding) | May be retained for uniqueness enforcement and fraud prevention
Encryption | AES-256 at rest
Deletion trigger | Account closure, deletion request, or consent withdrawal
Deletion timeline | Within 30 days of trigger event
Sale/sharing | Not permitted and not part of CAIRL's data processing practices
Use for tracking/profiling | Not permitted and not part of CAIRL's data processing practices
Use for AI/ML training | Not permitted and not part of CAIRL's data processing practices

3. Infrastructure

3.1 Architecture

Component | Provider | Purpose
Application hosting | Vercel | Edge-distributed hosting with DDoS protection
Cloud infrastructure | AWS | Compute, storage (S3), identity verification (Rekognition, Textract), serverless (Lambda)
Database | PostgreSQL (Supabase) | Primary data store
Caching / rate limiting | Upstash Redis | Session management, rate limiting, abuse prevention
Bot protection | Cloudflare | Turnstile challenge on sensitive flows
Payments | Stripe | Billing, subscription, wallet management
Bank linking | Plaid | Bank account verification
Email | Mailgun | Transactional email and proxy relay (CAIRL/mail)
Phone verification | Twilio | OTP delivery and phone number verification

3.2 Environment Isolation

Environment | Database | Storage | URL
Development | cairl-dev | cairl-dev-documents | localhost / Vercel preview
Staging | cairl-staging | cairl-staging-documents | staging.cairl.app
Production | cairl-production | cairl-production-documents | cairl.app

Development, staging, and production environments are fully isolated with separate databases, storage buckets, credentials, and access controls. No development data touches production systems.

3.3 Shared Responsibility

Underlying infrastructure providers (AWS, Vercel) operate under a shared responsibility model. CAIRL secures application-layer systems and access controls, while providers secure the underlying cloud infrastructure.

4. Encryption

Layer | Standard | Detail
Data at rest | AES-256 | All stored data including documents, biometric references, and database records
Data in transit | TLS 1.3 | All connections between client, server, and third-party services
Key management | Dedicated KMS | Strict access controls, automatic rotation

5. Access Controls

5.1 Internal Access

Control | Implementation
Access model | Role-based access control (RBAC)
Privilege | Least privilege — minimum access required for task
Authentication | Multi-factor authentication required for all staff with data access
Logging | All access to user data is logged
Audit | Subject to periodic review
Data access scope | Need-to-know only — support, technical resolution, fraud investigation, legal compliance

5.2 User Access

Control | Implementation
Password storage | Secure hash (never plain text)
Primary authentication | Passkey-first (WebAuthn) with password fallback
Session management | Scoped, time-limited, revocable
Consent enforcement | Platform-level — connected services cannot bypass user consent

6. Application Security

Control | Implementation
OAuth | PKCE with S256 enforcement on all flows
CSRF | Protection on all state-changing operations
Rate limiting | All sensitive and user-data endpoints
Token model | Short-lived, scoped tokens for integration endpoints
Bot protection | Cloudflare Turnstile on verification and login flows
Identifier isolation | Pairwise HMAC-SHA256 — no raw user IDs exposed to connected services
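An added example (not CAIRL's code) of the S256 enforcement listed above: the authorization endpoint accepts only requests carrying an S256 challenge and refuses the downgradable "plain" method, and the token endpoint checks that the presented verifier hashes to the challenge bound to the code (RFC 7636). Function names are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# A base64url-encoded SHA-256 digest without padding is exactly 43 characters.
_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def new_code_verifier() -> str:
    """Client side: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def accept_authorization_request(params: dict) -> Optional[str]:
    """Server side, /authorize: return the challenge to bind to the issued code.

    Returns None (reject) when PKCE is missing, the method is anything other
    than S256, or the challenge is not shaped like a SHA-256 digest. Falling
    back to 'plain' would let a leaked code be redeemed by whoever saw it.
    """
    challenge = params.get("code_challenge")
    if params.get("code_challenge_method") != "S256" or not challenge:
        return None
    if not _CHALLENGE_RE.match(challenge):
        return None
    return challenge


def redeem_code(bound_challenge: str, code_verifier: Optional[str]) -> bool:
    """Server side, /token: the verifier must hash to the bound challenge."""
    if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
        return False
    expected = code_challenge_s256(code_verifier)
    return hmac.compare_digest(expected, bound_challenge)
```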

7. Incident Response

CAIRL maintains internal incident response procedures covering:

  • Detection — Monitoring and alerting on anomalous access patterns
  • Containment — Isolation of affected systems and credentials
  • Remediation — Root cause analysis and patching
  • Post-incident review — Documentation and process improvement

Incident response procedures are tested periodically as part of internal security practices.

Breach Notification

Obligation | Detail
User notification | As required by applicable law, without unreasonable delay
Controller notification (DPA) | Within 72 hours of becoming aware of the breach
Regulatory notification | As required by applicable federal and state law
Content | Nature of breach, data types affected, approximate scope, mitigation steps

8. Compliance Posture

Framework | Status | Detail
SOC 2 Type II | In preparation | Actively preparing for first formal audit engagement
GDPR | Active | Data controller / processor hybrid model. Consent (biometric) and legitimate interest (service delivery) as legal bases. SCCs in place for international transfers.
CCPA | Active | No sale of personal data. Authorized agent support. Non-discrimination.
BIPA (Illinois) | Active | Explicit consent, published retention/destruction schedule, deletion on request, private right of action acknowledged
Texas CUBI | Active | Biometric consent and deletion practices in place
Washington | Active | Biometric identifier practices in place
COPPA | Active | Guardian-managed participation for minors through circles with verifiable parental consent
HIPAA | Not applicable | CAIRL is not a covered entity or business associate unless explicitly contracted under a BAA

CAIRL does not claim certification until audits are complete and the auditor's report is received.

9. Payments

Attribute | Detail
Payment processor | Stripe
Card storage | CAIRL does not store full card numbers
Financial role | Not a financial intermediary, payment processor, or custodian of funds
Wallet | Prepaid service balance only — not a deposit account or stored value instrument

10. Data Retention

Data Type | Retention | User Control
Raw identity documents | Until user deletes or account closure + 30 days | User-deletable subject to applicable legal, security, and fraud prevention requirements
Biometric session data | Duration of verification session only | Ephemeral
Biometric reference (embedding) | Until deletion request or account closure + 30 days | User-deletable subject to applicable legal, security, and fraud prevention requirements
Verification records | Up to 7 years (regulatory/audit/fraud) | Cannot be deleted due to legal retention
Usage logs | 90 days | Automatic expiry
Account information | Until account deletion | User-deletable
Proxy email metadata | 90 days | Automatic expiry

11. Third-Party Subprocessors

Subprocessor | Purpose | Role | Location
AWS | Infrastructure, Rekognition, Textract, Lambda, S3 | Data processor / subprocessor | United States
Stripe | Payments and billing | Data processor | United States
Vercel | Hosting and content delivery | Data processor | United States (global edge)
Plaid | Bank account verification | Data processor | United States
Mailgun | Email delivery and proxy relay | Data processor | United States
Cloudflare | Bot protection (Turnstile) | Data processor | United States (global edge)
Upstash | Rate limiting and caching | Data processor | United States
Twilio | Phone verification (OTP delivery) | Data processor | United States
Supabase | Primary database (PostgreSQL) | Data processor | United States

All subprocessors operate under contractual and security obligations consistent with CAIRL's Privacy Policy and Data Processing Agreement. CAIRL remains responsible for the performance of its subprocessors. Material subprocessor changes are communicated with 30 days' notice.

12. Available Documentation

Document | Location
Privacy Policy | cairl.app/legal/privacy
Terms of Service | cairl.app/legal/terms
Security Overview | cairl.app/security
Cookie Policy | cairl.app/legal/cookies
Refund Policy | cairl.app/legal/refund
Acceptable Use Policy | cairl.app/legal/acceptable-use
Data Processing Agreement | cairl.app/legal/dpa
Trust Center | cairl.app/trust

13. Contact

Purpose | Contact
Enterprise security inquiries | security@cairl.app
Legal and DPA inquiries | legal@cairl.app
Privacy and data rights | privacy@cairl.app
General | info@cairl.app

Address: reAPPlicate Incorporated, 3200 NW 62nd Avenue #22, Margate, FL 33063