Awaab EvidenceOS security questionnaire

Procurement-readable questionnaire readiness for UK social-landlord pilot review.

Current source artifact: docs/security-questionnaire-readiness.md.

Security questionnaire readiness matrix

This is not a completed buyer questionnaire, not a signed DPA, not Cyber Essentials certified, not a penetration-test report, and not production security evidence. It is a conservative readiness matrix for pilot procurement review.

Buyer decision summary

Suitable for controlled pilot security review, not production security approval. Each row names the evidence available today, the owner to confirm it, and the blocker that must close before production. Buyer policy should decide whether the current evidence is enough for a bounded design-partner or pilot review.

Current answers and missing production evidence
| Question area | Current answer | Evidence today | Owner to confirm | Required before production |
|---|---|---|---|---|
| Access control and tenant isolation | Prototype access uses role-bound operator keys, organisation allowlisting, and single-use proof links. It does not evidence production SSO, MFA, SCIM, password policy, or persistent user directory. | Admin tenant-isolation report, identity-provider tenant-mapping readiness, role-capability evidence, and proof-link replay protections. | Security owner | Production SSO, MFA, SCIM/deprovisioning, session policy, and formal audit. |
| Data processing and Article 28 | Processor posture is documented for pilot review, but legal terms are unsigned. | DPA/DPIA technical annex and data-processing/cookies posture page. | Customer legal owner | Customer-approved Article 28 terms, DPIA support pack, and privacy notice. |
| Cyber Essentials and cloud security | Awaab EvidenceOS is not Cyber Essentials certified. | Security baseline and NCSC Cloud Security Principles launch gate. | Security owner | Cyber Essentials or buyer-approved equivalent and cloud control mapping. |
| Incident response and breach support | Draft intake and incident-response workflows exist; no live monitored contact. | Security contact intake draft and incident-response draft. | Operations owner | Live security contact, tested escalation, controller notification support, tabletop. |
| Backup, restore, and business continuity | SQLite prototype restore probe exists; no approved production DR posture. | Backup/restore draft and executable prototype restore probe. | Operations owner | Customer-approved RPO/RTO, encrypted backups, restore evidence, DR owner. |
| Vulnerability and dependency management | Dependency-audit scaffold exists; no production CI security gate or pen test. | Dependency checks, procurement dependency template, and security baseline. | Security owner | CI scanning, vulnerability-management owner, disclosure programme, pen test. |