CSA STAR Level 1 — CAIQ Self-Assessment
The Cloud Security Alliance (CSA) STAR program is the recognized framework for documenting a cloud service's security posture. Level 1 is a free self-assessment built on the Consensus Assessments Initiative Questionnaire (CAIQ) — the industry-standard set of cloud-security control questions. This page is OWL's CAIQ-aligned Level 1 self-assessment: an honest account of how we address each control domain. It is not a STAR certification or third-party attestation, and we are not (yet) listed on the public CSA STAR registry.
1. What CSA STAR and the CAIQ are
CSA STAR (Security, Trust, Assurance and Risk) is the Cloud Security Alliance's transparency and assurance program. The CAIQ is a questionnaire derived from the CSA Cloud Controls Matrix (CCM) — a cloud-specific control framework that maps to ISO 27001, SOC 2, NIST and other standards. Answering it lets a customer evaluate a cloud provider's security against a common baseline without a bespoke questionnaire.
A defining property of OWL shapes nearly every answer below: OWL is end-to-end encrypted and zero-knowledge. File and message contents are encrypted on your device with keys we never hold in usable form, so even a full compromise of our servers — or a malicious operator — cannot read your content. Several CAIQ control areas that are hard for a typical SaaS (data segregation, insider access, breach blast-radius) are answered structurally by that design rather than by policy alone.
2. Control-domain self-assessment
The table maps the main CAIQ / Cloud Controls Matrix domains to OWL's posture. Each row is honest: finished controls are stated plainly, and practices still maturing are marked in progress.
| CAIQ / CCM domain | OWL's posture |
|---|---|
| Application & Interface Security (AIS) | Secure-by-design architecture reviewed against the OWASP Top 10; parameterized database access throughout; secure defaults (TLS enforced, no anonymous access) and a baseline of HTTP security response headers (HSTS, nosniff, frame/referrer/permissions policies, CSP report-only). |
| Audit Assurance & Compliance (AAC) | This compliance program is published and kept honest as our status changes. We hold no third-party SOC 2 / ISO 27001 attestation yet — all current pages are self-assessment. A STAR Level 2 (audited) entry is on the roadmap, gated on completing SOC 2 or ISO 27001. |
| Business Continuity & Operational Resilience (BCR) | Hosted on AWS (Lightsail) in the US; data at rest is encrypted and backed up. Formal, documented backup-restore testing and a written BCDR/RTO-RPO plan are a practice in progress — we do not claim a tested DR runbook we have not exercised. |
| Cryptography & Key Management (CEK) | AES-256 content encryption with HMAC-SHA-256 integrity tags; authenticated AES-256-GCM key wrapping and escrow; P-256 ECIES per-recipient key wrapping; bcrypt password hashing (password never leaves your device); pinned-root TLS. Keys protecting your content are derived from your credentials client-side — we cannot decrypt your content. Full detail: cryptography. |
| Datacenter & Infrastructure Security (DCS) | Physical and environmental security of the underlying infrastructure is inherited from AWS, which holds the relevant datacenter certifications (ISO 27001, SOC 2, etc.). We operate the application layer on top of it; we do not run our own datacenter. |
| Identity & Access Management (IAM) | Per-resource and per-folder keys plus share-link permissions, checked from ancestors on every create/read/edit/move/delete; bcrypt-hashed credentials; rate limiting and failed-login lockout; hashed session/verification/reset tokens with constant-time comparison. Because content is zero-knowledge encrypted, access control also holds against us — an operator with database access still cannot read file or message plaintext. |
| Supply Chain, SDLC & Change Control (STA / CCC) | A CycloneDX SBOM drives dependency/vulnerability tracking; updates are Ed25519-signed with SHA-256 download-integrity verification (a tampered update is refused before it touches disk). Aligned with the NIST SSDF (SP 800-218). Detail: secure development. |
| Threat & Vulnerability Management (TVM) | A published coordinated vulnerability disclosure policy and security advisories feed, plus a security.txt. SBOM-driven dependency review. An independent third-party penetration test has not yet been performed — when it is, we will reference it. |
| Logging & Monitoring (LOG) | An administrative audit log of privileged actions, plus request and failed-login logs for abuse detection. High-volume logs are archived for retention. Centralized SIEM/alerting is a practice in progress. |
| Datacenter / Privacy & Data Protection (DSP) | What OWL processes and what it cannot see is documented in the privacy policy (GDPR/CCPA). The web client uses no advertising or analytics trackers and makes no third-party network calls by default; third-party contact happens only on user-initiated cloud import or payment. Named third parties: sub-processors. No card data touches our servers — payment entry is on the processor's hosted page (PCI SAQ A). |
| Human Resources (HRS) | NDEVR is a small team. Formal documented HR security controls — background checks, security-awareness training records, onboarding/offboarding checklists — are a practice in progress rather than audited controls, and we state that plainly rather than overclaim. |
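The STA / CCC row above states that updates are Ed25519-signed and that a SHA-256 download-integrity check refuses a tampered update before it touches disk. The following is an added example of that verification order, written for this page and not OWL's own update code: it assumes a hypothetical text manifest (`version=` and `sha256=` lines) that the publisher signs with Ed25519, and a client that checks the manifest signature first, then hashes the downloaded payload and compares it to the signed digest, and only reports the update as acceptable when both hold. The manifest layout, key handling and sample payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdateManifest carries the exact signed bytes and the Ed25519 signature
// over them. The manifest format (version= / sha256= lines) is a constructed
// example for this page, not OWL's real release metadata.
type UpdateManifest struct {
	Raw       []byte // the bytes that were signed
	Signature []byte // Ed25519 signature over Raw
}

var (
	ErrBadSignature = errors.New("update refused: manifest signature invalid")
	ErrBadDigest    = errors.New("update refused: payload SHA-256 does not match manifest")
	ErrBadManifest  = errors.New("update refused: manifest has no valid sha256 field")
)

// signManifest is the publisher side: hash the payload, embed the digest in
// the manifest text, sign the manifest. Included only so the example runs
// stand-alone; in practice this happens in the release pipeline.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	raw := []byte(fmt.Sprintf("version=%s\nsha256=%s\n", version, hex.EncodeToString(sum[:])))
	return UpdateManifest{Raw: raw, Signature: ed25519.Sign(priv, raw)}
}

// VerifyUpdate is the client side. The signature is checked before anything
// in the manifest is trusted, so an attacker cannot supply a manifest whose
// digest matches a malicious payload. Only after the signature holds is the
// payload hashed and compared to the signed digest. A nil return is the only
// condition under which the caller should write the payload to disk.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pub, m.Raw, m.Signature) {
		return ErrBadSignature
	}
	expected, err := expectedDigest(m.Raw)
	if err != nil {
		return err
	}
	actual := sha256.Sum256(payload)
	if !bytes.Equal(expected, actual[:]) {
		return ErrBadDigest
	}
	return nil
}

// expectedDigest extracts the sha256= value from the already-verified
// manifest text and rejects anything that is not a 32-byte hex digest.
func expectedDigest(raw []byte) ([]byte, error) {
	for _, line := range strings.Split(string(raw), "\n") {
		if v, ok := strings.CutPrefix(line, "sha256="); ok {
			d, err := hex.DecodeString(v)
			if err != nil || len(d) != sha256.Size {
				return nil, ErrBadManifest
			}
			return d, nil
		}
	}
	return nil, ErrBadManifest
}

func main() {
	// Constructed key pair and payload; a real client would ship the
	// publisher's public key pinned in the binary.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample update payload")
	m := signManifest(priv, "0.0.0-example", payload)

	fmt.Println("genuine update:   ", VerifyUpdate(pub, m, payload))
	fmt.Println("tampered payload: ", VerifyUpdate(pub, m, []byte("not the signed payload")))

	forged := m // same signature, edited manifest text
	forged.Raw = []byte("version=0.0.0-example\nsha256=" + strings.Repeat("00", 32) + "\n")
	fmt.Println("forged manifest:  ", VerifyUpdate(pub, forged, payload))
}
```

The two checks are deliberately separate: the signature check answers "did the publisher produce this manifest", and the digest check answers "is the bytes-on-the-wire what that manifest describes". Swapping the order, or skipping the digest comparison because the manifest "looks signed", would let a substituted download through.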
3. Scope & honesty
This is a Level 1 self-assessment of OWL's design and implemented controls at a point in time — a vendor self-attestation, not an independent audit. We have not yet submitted a listing to the public CSA STAR registry; we plan to do so once this self-assessment is finalized. We intend to pursue STAR Level 2 (third-party) if and when we complete SOC 2 or ISO 27001.
The full CAIQ workbook (every control question, not just the domain summaries above) is available on request to customers evaluating OWL — email security@ndevr.org. If you identify a gap, our coordinated vulnerability disclosure program is the place to report it; such reports are especially valued.