Colosseum·Intelligence
Trust spine

The defences, the audit trail, and the email that finds a human within an hour.

What follows is the security posture of cmintel.ai and the COLOSSEUM operator stack behind it. Each section is one paragraph in plain English. If anything is missing or unclear, the disclosure mailbox below answers within one business hour during UK working time.

1. Encryption

All traffic to cmintel.ai is TLS 1.3, with HSTS preload enabled. At rest, customer data in Supabase is AES-256-encrypted at the disk level by AWS RDS; objects in Cloudflare R2 are encrypted with AES-256-GCM; D1 storage is encrypted at the Cloudflare edge. Large uploads are validated client-side with cryptographic checksums, where that adds value; short payloads rely on TLS alone, because at the byte sizes we handle TLS 1.3 is sufficient and an extra layer would only obscure that.
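"HSTS preload enabled" is a checkable claim: the preload list only accepts a Strict-Transport-Security header with a max-age of at least one year, includeSubDomains, and the preload directive. The following is an added example of that check, not code from cmintel.ai; the sample header values are constructed.

```javascript
// Added example: parse a Strict-Transport-Security header and check it against
// the preload-list submission requirements. Not cmintel.ai's own code.
const ONE_YEAR_SECONDS = 31536000;

// Split "max-age=63072000; includeSubDomains; preload" into a directive map.
// Valueless directives (includeSubDomains, preload) are stored as `true`.
function parseHsts(headerValue) {
  const directives = {};
  for (const raw of headerValue.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives[name] = value;
  }
  return directives;
}

// Return { ok, problems } for a header value (undefined/'' means header absent).
function checkHstsPreload(headerValue) {
  if (!headerValue) {
    return { ok: false, problems: ['missing Strict-Transport-Security header'] };
  }
  const d = parseHsts(headerValue);
  const problems = [];
  const maxAge = Number.parseInt(d['max-age'], 10);
  if (!Number.isFinite(maxAge)) {
    problems.push('max-age missing or not a number');
  } else if (maxAge < ONE_YEAR_SECONDS) {
    problems.push(`max-age ${maxAge} is below one year (${ONE_YEAR_SECONDS})`);
  }
  if (d['includesubdomains'] !== true) problems.push('includeSubDomains directive missing');
  if (d['preload'] !== true) problems.push('preload directive missing');
  return { ok: problems.length === 0, problems };
}

// Constructed sample header values (not captured from cmintel.ai).
const HSTS_SAMPLES = {
  good: 'max-age=63072000; includeSubDomains; preload',
  shortMaxAge: 'max-age=86400; includeSubDomains; preload',
  noPreload: 'max-age=31536000; includeSubDomains',
};

for (const [name, value] of Object.entries(HSTS_SAMPLES)) {
  console.log(name, checkHstsPreload(value));
}
```

In a real audit the header value would come from a `fetch` response (`response.headers.get('strict-transport-security')`) against the production origin; note that the header is only honoured when served over HTTPS, so a check over plain HTTP tells you nothing.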

2. Access control

Every human account that can reach customer data uses multi-factor authentication. We follow least privilege: an operator's account holds the minimum scopes needed for the work that operator does, no more. Access is reviewed quarterly. Every access change is recorded in an audit log retained for 24 months. There is no shared admin account, and we would not create one.

3. Vulnerability management

Open-source dependencies are watched by Dependabot with automatic security-patch PRs. Source code is scanned by Snyk on every push to main. We run a quarterly internal penetration test against the trust-spine routes and the operator dashboard, and an annual third-party penetration test against the production API surface. Findings of severity P1 or P2 are publicly disclosed in /api/status within 14 days of remediation.

4. Incident response

Our commitment is 24-hour notification to affected customers and 72-hour notification to the regulator (UK ICO, EDPB lead supervisory authority pending). The incident-response runbook is the single place we coordinate from during an incident, and incident write-ups are public at /api/status with severity, cause, and remediation. We name the cause; we do not weasel-word it.

5. Security monitoring

Cloudflare bot management runs at the edge; rate limits are applied per IP and per email; structured application logs ship to a hardened Sentry instance with PII scrubbed before the request leaves the browser. We do not log request bodies for the contact or DSAR endpoints — only metadata. We do log every change to the audit-log schema, recursively.
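Scrubbing PII "before the request leaves the browser" means the redaction runs client-side, in the hook the error-reporting SDK calls just before it transmits an event. The block below is an added example of such a hook shaped like Sentry's `beforeSend` (which receives the event and returns the event or `null`); it is not cmintel.ai's code, the endpoint paths it treats as body-less are assumed, and the sample event is constructed.

```javascript
// Added example: a client-side scrubber in the shape of a Sentry beforeSend hook.
// Not cmintel.ai's own code. Redacts e-mail addresses and phone-like digit runs
// anywhere in the event, and drops the request body for the endpoints below.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Deliberately aggressive: any 9+ character run of digits/spaces/separators.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;
// Assumed paths for the contact and DSAR endpoints (placeholders, not the site's).
const BODYLESS_ENDPOINTS = [/^\/api\/contact\b/, /^\/api\/dsar\b/];

function scrubString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(PHONE_RE, '[phone]');
}

// Walk strings, arrays and plain objects; returns a new structure, leaves input intact.
function scrubValue(v) {
  if (typeof v === 'string') return scrubString(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v && typeof v === 'object') {
    const out = {};
    for (const [k, val] of Object.entries(v)) out[k] = scrubValue(val);
    return out;
  }
  return v;
}

function pathOf(url) {
  try {
    return new URL(url, 'https://example.invalid').pathname;
  } catch (e) {
    return '';
  }
}

// beforeSend(event) -> scrubbed event. Metadata (url, method, headers) is kept;
// the body (`request.data`) is removed for the body-less endpoints.
function beforeSend(event) {
  const scrubbed = scrubValue(event);
  if (scrubbed.request && typeof scrubbed.request.url === 'string') {
    const path = pathOf(scrubbed.request.url);
    if (BODYLESS_ENDPOINTS.some((re) => re.test(path))) {
      delete scrubbed.request.data;
    }
  }
  return scrubbed;
}

// Constructed sample event (not a real capture).
const SAMPLE_EVENT = {
  message: 'DSAR submit failed for alice.smith@example.com (ref 0207 946 0123)',
  request: {
    url: 'https://example.com/api/dsar?ref=42',
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    data: { email: 'alice.smith@example.com', body: 'please delete my data' },
  },
  user: { email: 'alice.smith@example.com', id: 'u_1' },
};

console.log(JSON.stringify(beforeSend(SAMPLE_EVENT), null, 2));
```

The hook is wired in as `Sentry.init({ beforeSend })`; the point of doing it here rather than in a server-side data scrubber is that the unredacted event never exists outside the user's browser. The phone pattern will also catch things like ISO dates, which is the right trade-off for a log pipeline: a false redaction costs a little debugging context, a missed one is a PII leak.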

6. Vendor security

Every third party that processes data on our behalf is listed at /trust, with a link to the signed Data Processing Addendum, the country of operation, the data categories, and the date of last review. We review vendors quarterly. We do not use a vendor without a signed DPA. If you find a vendor on our site that is not on /trust, that is a bug — please email trust@cmintel.ai.

7. Disclosure

Mail security@cmintel.ai for any vulnerability, near-miss, or anomaly. We respond within one business hour during UK working time (Monday–Friday, 09:00–18:00 BST). The mailbox is monitored by a human, not a triage robot. The PGP key to encrypt your disclosure is at /.well-known/pgp-key.txt; the signed security.txt is at /.well-known/security.txt.
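A signed security.txt is only useful if it is well-formed and current, so a reviewer checks the RFC 9116 rules: exactly one Expires field with a date that is neither past nor more than a year out, at least one Contact field holding a mailto:, https: or tel: URI, and a body that can be recovered from the PGP cleartext-signature wrapper. The following is an added example of that check, not cmintel.ai's file or code; the security.txt it parses is constructed and its signature block is a placeholder.

```javascript
// Added example: parse a (cleartext-signed) security.txt and check the RFC 9116
// requirements a reviewer would verify before trusting it. Not cmintel.ai's code.
const YEAR_MS = 365 * 24 * 60 * 60 * 1000;
const CONTACT_URI_RE = /^(mailto:|https:\/\/|tel:)/;

// A cleartext-signed file wraps the body in PGP armour; return only the body.
// Signature verification itself is out of scope here (use gpg --verify).
function stripClearsign(text) {
  const m = text.match(
    /-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:Hash:[^\n]*\r?\n)+\r?\n([\s\S]*?)\r?\n-----BEGIN PGP SIGNATURE-----/
  );
  return m ? m[1] : text;
}

// Field names are case-insensitive; a field may repeat, so values are arrays.
function parseSecurityTxt(text) {
  const fields = {};
  for (const line of stripClearsign(text).split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (fields[name] = fields[name] || []).push(value);
  }
  return fields;
}

// Returns { ok, fields, problems }; `now` is injectable so the check is deterministic.
function checkSecurityTxt(text, now = Date.now()) {
  const f = parseSecurityTxt(text);
  const problems = [];
  if (!f.contact) problems.push('missing contact');
  if (!f.expires) {
    problems.push('missing expires');
  } else if (f.expires.length > 1) {
    problems.push(`expires appears ${f.expires.length} times`);
  } else {
    const t = Date.parse(f.expires[0]);
    if (Number.isNaN(t)) problems.push('expires is not an ISO 8601 date');
    else if (t < now) problems.push('expires is in the past');
    else if (t - now > YEAR_MS) problems.push('expires is more than a year out');
  }
  for (const c of f.contact || []) {
    if (!CONTACT_URI_RE.test(c)) problems.push(`contact is not a mailto:/https:/tel: URI: ${c}`);
  }
  return { ok: problems.length === 0, fields: f, problems };
}

// Constructed sample; the domain, key URL and signature are placeholders.
const SAMPLE_SECURITY_TXT = `-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# constructed sample, not the site's real file
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/.well-known/pgp-key.txt
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
`;

console.log(checkSecurityTxt(SAMPLE_SECURITY_TXT, Date.parse('2026-05-04T00:00:00Z')));
```

Run against a live site, the text would come from `https://<host>/.well-known/security.txt` and the cleartext signature would be checked with the published key before the parsed fields are trusted; the one-year ceiling is the RFC's recommendation, so a file that breaches it is stale rather than invalid.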

PGP fingerprint will be published here once the security@ key is generated (Steve-task S2.2 — pending). Until then, please use TLS to mail us; we can answer encrypted with the public key once it is up.

Last updated 2026-05-04