# Vendor Security Questionnaire — Pre-Filled Responses

**Building Code Academy** | IT Security Assessment
**Document Version:** 1.0 | **Date:** February 2026
**Classification:** Public

---

*This document provides pre-filled answers to common IT security vendor assessment questions. For questions not covered here, contact security@buildingcodeacademy.org.*

---

## 1. Company Information

**Q: What is your company's legal name?**
A: Building Code Academy

**Q: What is your primary product/service?**
A: SaaS-based online learning platform for ICC building code certification exam preparation and continuing education (CEU) courses.

**Q: How long has your company been in operation?**
A: Building Code Academy was founded in 2024.

**Q: Where is your company headquartered?**
A: United States

---

## 2. Data Security

**Q: Where is customer data stored?**
A: All customer data is stored in AWS US-East-1 (Virginia, USA) via Supabase. No data is stored outside the United States.

**Q: Is data encrypted at rest?**
A: Yes. AES-256 encryption at the database level via AWS/Supabase.

**Q: Is data encrypted in transit?**
A: Yes. TLS 1.2+ enforced on all connections. HSTS enabled.

**Q: Do you store credit card or payment information?**
A: No. All payment processing is handled by Stripe (PCI DSS Level 1 certified). We only store Stripe customer and subscription IDs.

**Q: How is data isolated between customers/tenants?**
A: PostgreSQL Row-Level Security (RLS) policies enforce strict data isolation. Each organization's data is partitioned by organization ID at the database level.

**Q: What is your data retention policy?**
A: Active account data retained during account lifetime. Data deleted within 30 days of deletion request. Payment records retained per Stripe policies (7 years for tax/legal). Error logs retained 90 days.

**Q: Can you provide a Data Processing Agreement (DPA)?**
A: Yes. Contact privacy@buildingcodeacademy.org.

---

## 3. Authentication & Access Control

**Q: What authentication methods do you support?**
A: Email/password, SAML 2.0 SSO (Azure AD, Okta, Google Workspace, OneLogin), and MFA (TOTP).

**Q: Do you support Single Sign-On (SSO)?**
A: Yes. SAML 2.0 SSO with JIT user provisioning. Organizations can enforce SSO-only login.

**Q: Do you support Multi-Factor Authentication (MFA)?**
A: Yes. TOTP-based MFA via Supabase Auth.

**Q: How are user roles managed?**
A: Role-based access control with three levels: Owner, Admin, and Member. Roles are enforced at both the API and database level.

**Q: How are admin credentials protected?**
A: Database service role keys are stored as environment variables, never exposed to client-side code. Admin operations require authenticated sessions with appropriate role verification.

---

## 4. Infrastructure & Architecture

**Q: Where is your application hosted?**
A: Vercel (US-based) for application hosting with Supabase (AWS US-East-1) for database and authentication.

**Q: Do you use cloud infrastructure?**
A: Yes. All infrastructure runs on SOC 2 Type II certified cloud providers (Vercel, AWS/Supabase).

**Q: Is your infrastructure SOC 2 certified?**
A: All infrastructure providers (Vercel, Supabase/AWS, Stripe, Upstash, Resend, Sentry) maintain SOC 2 Type II certification. BCA's own SOC 2 Type I audit is planned for Q3 2026.

**Q: Do you have a disaster recovery plan?**
A: Yes. Automated daily database backups with point-in-time recovery. Application hosted on Vercel with automatic failover.

**Q: What is your uptime SLA?**
A: 99.9% availability target.

---

## 5. Application Security

**Q: How do you protect against SQL injection?**
A: All database queries use parameterized queries via the Supabase client library. No raw SQL is constructed from user input.

**Q: How do you protect against XSS?**
A: React's automatic output escaping, Content Security Policy headers, and input validation via Zod schemas.

**Q: How do you protect against CSRF?**
A: Double-submit token pattern with HMAC validation and constant-time comparison. Tokens rotate every hour with 24-hour expiry.

**Q: Do you perform regular security testing?**
A: Yes. Regular dependency auditing, code review processes, and automated testing.

**Q: How do you manage third-party dependencies?**
A: Regular npm audit scans, dependency update monitoring, and version pinning for critical packages.

---

## 6. Compliance

**Q: Are you SOC 2 certified?**
A: SOC 2 readiness phase. All infrastructure providers are SOC 2 Type II certified. BCA's own audit planned for Q3 2026.

**Q: Are you HIPAA compliant?**
A: HIPAA is not applicable — BCA does not process protected health information (PHI).

**Q: Are you Section 508 / WCAG compliant?**
A: Yes. BCA targets WCAG 2.1 Level AA conformance. See our ADA/508 compliance statement.

**Q: Are you GDPR compliant?**
A: BCA is GDPR-aware. We currently serve US-based customers. No EU personal data is processed.

**Q: Are you FedRAMP authorized?**
A: Not currently. FedRAMP authorization is on our compliance roadmap (targeted Q4 2027).

**Q: Can you provide a VPAT?**
A: Yes. VPAT based on WCAG 2.1 Edition available upon request.

---

## 7. Incident Response

**Q: Do you have an incident response plan?**
A: Yes. Detection → Triage (1 hour) → Containment → Customer notification (72 hours) → Remediation → Post-mortem.

**Q: How will we be notified of a security incident?**
A: Affected customers are notified via email within 72 hours of a confirmed incident. Critical incidents may also include phone notification.

**Q: Have you experienced any data breaches?**
A: No. Building Code Academy has not experienced any data breaches.

---

## 8. Business Continuity

**Q: What is your backup strategy?**
A: Automated daily database backups with point-in-time recovery via Supabase/AWS. Application code maintained in version control with automated deployment.

**Q: What is your Recovery Time Objective (RTO)?**
A: Less than 4 hours for full service restoration.

**Q: What is your Recovery Point Objective (RPO)?**
A: Less than 24 hours (daily automated backups). Point-in-time recovery available for shorter intervals.

---

## 9. Personnel Security

**Q: Do employees undergo background checks?**
A: Yes, for employees with access to production systems.

**Q: Do employees receive security training?**
A: Yes. Security awareness training is provided to all team members.

**Q: How is access to production systems controlled?**
A: Principle of least privilege. Production database access limited to essential personnel. All access via encrypted channels.

---

## 10. Contact Information

| Purpose | Contact |
|---------|---------|
| Security inquiries | security@buildingcodeacademy.org |
| Procurement | procurement@buildingcodeacademy.org |
| Enterprise sales | enterprise@buildingcodeacademy.org |
| Privacy & DPA | privacy@buildingcodeacademy.org |
| Accessibility | accessibility@buildingcodeacademy.org |
| General support | support@buildingcodeacademy.org |

---

*For additional questions not covered in this questionnaire, please contact security@buildingcodeacademy.org. We typically respond within 2 business days.*
