JIL Sovereign
JIL Sovereign Technologies, Inc.
A Delaware Corporation · jilsovereign.com

Vendor Security Questionnaire

Format: Shared Assessments SIG Lite (130 questions across 18 domains)
Revision: May 3, 2026
Scope: Public revision suitable for sharing without non-disclosure agreement. The internal full SIG (~900 questions) is released to qualified prospects under NDA.
Owner: Office of the Chief Information Security Officer (cross-signed by General Counsel)

Answers below are the Company's affirmative attestations as of the revision date. Where evidence is described as "available on request," the supporting document is released under non-disclosure agreement; the inventory is at /vendor-due-diligence.

Domain A - Risk Assessment and Treatment

Q# | Question | Answer | Detail
---|----------|--------|-------
A.1 | Does the vendor maintain an Information Security Management System (ISMS)? | Yes | ISO 27001-aligned. Summary at Information Security Policy.
A.2 | Is the ISMS reviewed at least annually? | Yes | Annual ISMS management review by the CISO; record retained.
A.3 | Is a HIPAA Security Rule risk analysis performed? | Yes | Annual; executive summary at HIPAA Risk Assessment Summary.

Domain B - Security Policy

Q# | Question | Answer | Detail
---|----------|--------|-------
B.1 | Are security policies documented and approved by management? | Yes | Twenty-four policy documents; reviewed at least annually.
B.2 | Are policies communicated to all personnel? | Yes | Personnel acknowledge on hire and on each material update.

Domain C - Organizational Security

Q# | Question | Answer | Detail
---|----------|--------|-------
C.1 | Is there a designated CISO with executive authority? | Yes | Reports to the CEO; presents to the Board quarterly.
C.2 | Is segregation of duties enforced for sensitive operations? | Yes | PR review (two-eye); production change requires Engineering + Operations sign-off.

Domain D - Asset and Information Management

Q# | Question | Answer | Detail
---|----------|--------|-------
D.1 | Does the vendor maintain an asset inventory? | Yes | CMDB; per-service ownership matrix.
D.2 | Is data classified by sensitivity? | Yes | Four-tier classification; PHI is "Restricted."
D.3 | Is a PHI data flow diagram maintained? | Yes | PHI Data Flow Diagram.

Domain E - Human Resources Security

Q# | Question | Answer | Detail
---|----------|--------|-------
E.1 | Are background checks performed? | Yes | Commensurate with role sensitivity at hire.
E.2 | Is security and HIPAA training mandatory? | Yes | Within 7 days of hire; annually thereafter; role-based modules.
E.3 | Are confidentiality agreements signed? | Yes | Standard at hire; updated on material role change.

Domain F - Physical and Environmental

Q# | Question | Answer | Detail
---|----------|--------|-------
F.1 | Are data centers physically secured? | Inherited | AWS data centers; SOC 2 + ISO 27001 + FedRAMP High audited.
F.2 | Is there an office security policy? | N/A | Remote-first; no physical office in scope.

Domain G - Operations and Communications

Q# | Question | Answer | Detail
---|----------|--------|-------
G.1 | Is change control formal and documented? | Yes | GitHub PR + CI gate + two-eye review; no manual production changes.
G.2 | Are infrastructure secrets managed via a vault? | Yes | AWS Secrets Manager + KMS; CI/CD secrets injected at deploy.
G.3 | Are container images signed? | Yes | Signed on build; signature verified on deploy.

Domain H - Access Control

Q# | Question | Answer | Detail
---|----------|--------|-------
H.1 | Is multi-factor authentication enforced for privileged access? | Yes | WebAuthn (FIDO2 hardware key) primary; TOTP backup. No password-only access.
H.2 | Is privileged access just-in-time? | Yes | Time-boxed elevation, full audit log.
H.3 | Are accounts reviewed periodically? | Yes | Quarterly access review; automated stale-account expiry.

Domain I - Application Security

Q# | Question | Answer | Detail
---|----------|--------|-------
I.1 | Is SAST performed in CI? | Yes | Snyk on every PR.
I.2 | Are software dependencies scanned? | Yes | Snyk + Dependabot; SBOM per release.
I.3 | Is a secure SDLC documented? | Yes | Internal SDLC document released under NDA.

Domain J - Cybersecurity Incident Management

Q# | Question | Answer | Detail
---|----------|--------|-------
J.1 | Is there a documented Incident Response Plan? | Yes | Incident Response Plan Summary.
J.2 | What is the customer notification SLA for PHI breach? | 60 min | Statutory floor is 60 days under 45 C.F.R. § 164.410.
J.3 | Are tabletop exercises performed? | Yes | Quarterly.

Domain K - Operational Resilience

Q# | Question | Answer | Detail
---|----------|--------|-------
K.1 | What is the RTO? | 4 hours | Multi-region failover; BCP Summary.
K.2 | What is the RPO? | 1 hour | Cross-region replication.
K.3 | Are restore-from-backup tests performed? | Yes | Semi-annual.

Domain L - Compliance

Q# | Question | Answer | Detail
---|----------|--------|-------
L.1 | HIPAA | Active | BAA-ready; BAA Template.
L.2 | SOC 2 Type II | In flight | Observation period engaged; report Q3 2027.
L.3 | HITRUST CSF i1 | In flight | Engagement letter signed; cert target Q4 2026.
L.4 | HITRUST CSF r2 | Planned | Start Q1 2027; cert target Q3 2027.
L.5 | FedRAMP | Planned | Federal-track sponsorship pending.
L.6 | NIST CSF 2.0 | Mapped | Self-attested; mapping available on request.
L.7 | External penetration test | Scheduled | Annual; executive summary released to customers within 60 days.

Domain M - End-User Device Security

Q# | Question | Answer | Detail
---|----------|--------|-------
M.1 | Are operator endpoints managed? | Yes | MDM-enrolled; full-disk encryption mandatory.
M.2 | Is endpoint detection and response deployed? | Yes | EDR on all production-access endpoints.

Domain N - Network Security

Q# | Question | Answer | Detail
---|----------|--------|-------
N.1 | Is the production environment network-isolated? | Yes | VPC + private subnets; no internet egress for inference.
N.2 | Is a WAF in place? | Yes | AWS WAF on public surfaces.
N.3 | Is mutual TLS used internally? | Yes | Service-to-service mTLS.

Domain O - Privacy

Q# | Question | Answer | Detail
---|----------|--------|-------
O.1 | Is PHI tokenized at the boundary? | Yes | FF3-1 / FPE-AES; analytical pipeline operates on tokenized data only.
O.2 | Are GDPR or CCPA in scope? | No | Not in production scope today.

Domain P - Threat and Vulnerability Management

Q# | Question | Answer | Detail
---|----------|--------|-------
P.1 | Are threat intel feeds consumed? | Yes | AWS GuardDuty + custom anomaly detectors.
P.2 | Patching SLA? | Tiered | Critical 7 days; High 30 days; Medium 90 days; Low quarterly.

Domain Q - Server Security

Q# | Question | Answer | Detail
---|----------|--------|-------
Q.1 | Are container images hardened? | Yes | Distroless base; CIS benchmarks applied.
Q.2 | Vulnerability scanning of images? | Yes | AWS Inspector weekly.

Domain R - Cloud Hosting

Q# | Question | Answer | Detail
---|----------|--------|-------
R.1 | Cloud providers in production? | AWS | Sole production cloud; BAA executed.
R.2 | Inheritance of FedRAMP audits available? | Yes | For GovCloud workloads. Available for federal-track engagements.