Security Posture Briefing.
FraudTrax is built for sworn US law enforcement and is operated by a service-disabled veteran-owned small business (SDVOSB pursuit; see Section IX). It runs on Cloudflare's US-only edge with defense-in-depth across every layer: edge filtering, origin gating, identity (LE-domain allowlist + TOTP MFA), tier-based authorization, encrypted-at-rest storage, and per-action audit logging.
What this document is. A single-page briefing for federal and state procurement officers, agency MSA counterparties, and oversight reviewers. Every claim below is verifiable in the live platform, and the source code is reviewable by qualified counterparties under MSA.
What it is not. A formal SOC 2 or ISO 27001 report (those are on the compliance roadmap, Section VIII). A NIST SP 800-171 self-assessment (DoD-CMMC track, deferred until DoD CUI is realistic). A CJIS attestation (see Section VI for the honest position).
Posture, summarized.
| Control area | Status | Detail |
|---|---|---|
| Data residency | In place | US-only. Cloudflare US data centers, US-bound R2 jurisdiction, US-based Anthropic API endpoints. No data leaves US borders in normal operation. |
| Encryption in transit | In place | TLS 1.3 enforced; HSTS preload submitted & verified; no plaintext fallbacks. |
| Encryption at rest | In place | AES-256 (Cloudflare R2 default for all object storage); D1 database encrypted at rest. |
| Identity & MFA | In place | Password + TOTP MFA enforced for officer accounts (shipped 2026-05-10). Optional 30-day trusted-device cookie. LE-domain allowlist for auto-approval. Admin elevation requires re-auth. |
| Audit logging | In place | Structured per-request event log in D1; immutable handoff log for Carfax for Police lookups; rate-limit ledger; admin-action trail. Officer-confirmed indicators tracked separately from AI-output. |
| Supply chain (Section 889) | In place | No Huawei, ZTE, Hytera, Hikvision, Dahua components. All subprocessors US-based (Cloudflare, Anthropic, Resend, GitHub). Annual re-inquiry committed. See Section VII. |
| Tier-based authorization | In place | Officer / Agency / Enterprise tiers enforced at the worker layer. Cross-tier reads blocked; cross-officer reads blocked except via explicit agency dashboard role. |
| Rate limiting | In place | Per-IP and per-account limits on every AI-calling endpoint. Tier-aware daily caps for cost protection. |
| Backup & DR | In place | D1 point-in-time recovery (rolling 30-day window); R2 object versioning; cross-region replication available on Enterprise tier. |
| AI-output disclosure (Daubert/Frye) | In place | Every court-ready packet discloses the AI model that produced the underlying analysis. Officer signature is the gating bar for admissibility; AI is decision-support only. |
| PII redaction | In place | Context-anchored PII redaction on AI inputs and outputs (DL/SSN/DOB scrubbed; VINs and plates preserved because they are the subject of fraud analysis). |
| Vulnerability disclosure | In place | RFC 9116 security.txt; security@fraudtrax.net; 24-hour acknowledgment SLA. |
| SOC 2 Type II | Roadmap | Compliance program in active progress; audit firm engagement targeted Q3 2026. |
| FedRAMP Tailored | Roadmap | SDVOSB sponsorship path under evaluation. Required only for federal contracts handling Moderate-impact data. |
| NIST SP 800-171 (CMMC) | Not in scope | Not relevant until FraudTrax handles DoD Controlled Unclassified Information (CUI). Architecture is compatible; certification deferred. |
| CJIS (formal attestation) | Outside perimeter | FraudTrax does NOT run inside the CJIS security perimeter by design. See Section VI for compensating controls and the architectural rationale. |
How to read this table. "In place" means the control is live in the deployed code, verifiable by an authorized counterparty under MSA. "Roadmap" means the design is committed but external audit/certification is in progress. "Outside perimeter" / "Not in scope" means a deliberate architectural decision, not a gap (see the relevant section for rationale).
Six independent layers.
No single point of compromise.
FraudTrax assumes any single layer can fail. Compromise of any one layer does not expose officer data because every layer below it enforces its own independent control.
The diagram is read top-down: an attacker who breaches Layer 1 (edge) still has to defeat Layers 2 through 6 independently before reaching officer data. The Layer 5 "PII redaction at input AND output" is the canonical defense-in-depth pattern: even if Layers 1 through 4 fail simultaneously, the AI itself never sees civilian PII.
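The table in Section II describes the Layer 5 redaction as "context-anchored": DL, SSN and DOB values are scrubbed while VINs and plates pass through. The sketch below is an added example, not FraudTrax's code, and assumes that "context-anchored" means a value is redacted only when an identifying label precedes it. The rule patterns, the `guardedAnalyze` wrapper, the `model` callback and all sample values are constructed for illustration.

```javascript
"use strict";

// Assumption: a rule fires only when a label (SSN, DOB, DL ...) precedes the value,
// so a bare 17-character VIN, a plate or an odometer reading is left untouched.
const SEP = "(\\s*[:#]\\s*|\\s+)"; // separator between label and value
const RULES = [
  { tag: "SSN", re: new RegExp(
      "\\b(SSN|social security(?: number| no\\.?)?)" + SEP +
      "\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b", "gi") },
  { tag: "DOB", re: new RegExp(
      "\\b(DOB|date of birth|born)" + SEP +
      "\\d{1,2}[\\/-]\\d{1,2}[\\/-]\\d{2,4}\\b", "gi") },
  // The lookahead requires a digit in the value, so "driver license expired" is not redacted.
  { tag: "DL", re: new RegExp(
      "\\b(DL|OLN|driver'?s? licen[sc]e(?: number| no\\.?)?)" + SEP +
      "(?=[A-Z0-9-]*\\d)[A-Z0-9][A-Z0-9-]{4,15}\\b", "gi") },
];

// Replace the value but keep the label, so the analyst can see what kind of field was removed.
function redact(text) {
  const counts = {};
  let out = text;
  for (const { tag, re } of RULES) {
    out = out.replace(re, (_match, label, sep) => {
      counts[tag] = (counts[tag] || 0) + 1;
      return `${label}${sep}[REDACTED-${tag}]`;
    });
  }
  return { text: out, counts };
}

// Redaction on both sides of the AI boundary: the model callback (hypothetical)
// receives only scrubbed text, and its reply is scrubbed again before it is returned.
function guardedAnalyze(prompt, model) {
  const inbound = redact(prompt);
  const reply = model(inbound.text);
  const outbound = redact(reply);
  return { sent: inbound.text, received: outbound.text };
}

// Constructed sample input.
const sample = "Plate ABC1234 on VIN 1ABCD23EFGH456789. " +
  "Driver DL# S530-4607-9123, DOB 04/12/1988, SSN 123-45-6789.";
console.log(redact(sample).text);
```

Label-anchored patterns miss identifiers typed without a label, which is why the page pairs redaction with a terms-of-use bar on entering civilian PII.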
What we keep, where, for how long.
4.a: What we collect
- Officer account data: work email, agency, IP/user-agent at sign-in, verification decision (auto-approved vs admin-approved)
- Investigation data: uploaded plate & VIN images, officer-confirmed indicators, structured analysis metadata, optional case notes
- Confirmed-fraud submissions: only what the officer explicitly publishes to the National Hotlist (visibility configurable: private / agency / all-verified-LE)
- Audit trail: per-action timestamps, actor, target, outcome
4.b: What we do NOT collect
- Civilian PII (DL numbers, SSNs, DOBs, full civilian names): barred by officer terms of use and additionally redacted at the AI boundary
- CJI (Criminal Justice Information): see Section VI
- Advertising / cross-site tracking data
- Bulk biometrics or face-template embeddings
4.c: Where data lives
- D1 (relational): Cloudflare-managed SQLite at the edge, US data centers, encrypted at rest
- R2 (object storage): images, video, PDFs (Cloudflare US R2 jurisdiction, AES-256 default encryption)
- KV (cache): short-lived session tokens, rate-limit counters; no long-term data
- Vectorize (RAG index): embeddings of approved reference data only; no civilian PII
- Anthropic API (ephemeral inference): plate images + prompts sent for analysis under Anthropic's commercial terms; no training on commercial API traffic; no persistent storage by Anthropic
4.d: Retention
- Officer account & investigation records: duration of active subscription + 60 days post-termination
- Confirmed-fraud reports (published to National Hotlist): indefinite while accurate; takedown on officer or admin request
- Audit trail tied to federal contract performance: 7 years (per FAR contract closeout requirements)
- Operational logs: 90 days (Cloudflare default)
- Error reports (ephemeral): 30 days (KV TTL auto-expire)
4.e: Deletion
An officer can request account & data deletion at any time. Confirmation is issued within 30 days. Some records subject to retention obligations (federal contract performance evidence, statutory recordkeeping) are preserved per applicable law; the officer is notified which records cannot be deleted and why.
Who can sign in, and how.
5.a: Authentication
Password + TOTP MFA is enforced for every officer account (shipped 2026-05-10). An optional 30-day trusted-device cookie reduces TOTP friction during a single officer's normal use; the cookie is revocable, scoped to a single device fingerprint, and re-issued on suspicious-activity signals.
5.b: Authorization
Tier-based ACLs at every API handler. Free / Officer / Agency / Enterprise tiers gate which features are reachable and how many AI-calling operations are allowed per day. Cross-officer data access is blocked by default; agency dashboards require an explicit agency-admin role on the agency account.
5.c: LE verification
Officers self-onboard with their work email. If the email's domain is on the LE-domain allowlist (federal .gov / .mil + verified state and local LE domains), the account is auto-approved. All other domains go through an admin review queue where the officer's identity is verified before access is granted.
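An allowlist decision like the one in 5.c depends on how the domain is extracted and compared, since substring or `endsWith("gov")` checks are easy to fool. The following is an added example, not FraudTrax's code: it assumes federal domains are matched on the final DNS label and state/local domains by exact match, and the allowlist entries and addresses are constructed.

```javascript
"use strict";

const FEDERAL_TLDS = new Set(["gov", "mil"]);   // from section 5.c: federal .gov / .mil
const VERIFIED_LE_DOMAINS = new Set([           // hypothetical verified state/local entries
  "police.example-city.us",
  "sheriff.example-county.org",
]);

// One ASCII letter-digit-hyphen label. Punycode ("xn--") labels are refused so that
// internationalized lookalike domains fall through to manual review.
const LABEL = /^(?!xn--)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the normalized domain of an address, or null if the address is malformed.
function extractDomain(email) {
  if (typeof email !== "string" || email.length > 254) return null;
  const at = email.lastIndexOf("@");
  // Exactly one "@" and a non-empty local part: "a@agency.gov@attacker.example" is rejected.
  if (at <= 0 || at !== email.indexOf("@")) return null;
  let domain = email.slice(at + 1).toLowerCase();
  if (domain.endsWith(".")) domain = domain.slice(0, -1);   // tolerate a trailing root dot
  const labels = domain.split(".");
  if (labels.length < 2 || !labels.every((l) => LABEL.test(l))) return null;
  return domain;
}

// "auto-approve" only on a positive allowlist match; everything else, including
// anything unparseable, goes to the admin review queue.
function classifySignup(email) {
  const domain = extractDomain(email);
  if (domain === null) return "admin-review";
  const tld = domain.slice(domain.lastIndexOf(".") + 1);
  if (FEDERAL_TLDS.has(tld)) return "auto-approve";           // compares the whole last label
  if (VERIFIED_LE_DOMAINS.has(domain)) return "auto-approve"; // exact match, no subdomains
  return "admin-review";
}

// Constructed addresses covering the usual bypass shapes.
for (const addr of [
  "agent@agency.gov",
  "officer@agency.gov.attacker.example",
  "officer@fakegov.com",
  "officer@sub.police.example-city.us",
]) {
  console.log(addr, "->", classifySignup(addr));
}
```

A domain match only shows that the address is well-formed and on the list; control of the mailbox still has to be confirmed before the account is activated.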
5.d: Account recovery
Recovery codes (printable, 10-code set) are issued at enrollment. Self-serve recovery requires a recovery code + email-link confirmation. Account-lockout recovery requires either a recovery code OR a notarized admin-reset request (the same FSD-equivalent pattern used in federal entity-administrator recovery).
5.e: Session hygiene
HttpOnly Secure SameSite=Lax cookies. Scoped to .fraudtrax.net. Inactivity timeout enforced server-side. Logout invalidates the session token immediately.
Outside the perimeter, by design.
FraudTrax does NOT run inside the CJIS security perimeter. This is a deliberate architectural choice, not a gap. The rationale is twofold:
- Scope. FraudTrax's analysis vertical (plate fraud, dealer fraud, auto theft scene documentation) does not require Criminal Justice Information (CJI) to function. Officers paste plates, dealer names, and case context; they do not paste NCIC hits or CHRI into the platform.
- Cost-to-officer. Building a CJIS-compliant SaaS prices the per-officer fee out of daily field-use range. The architecture pairs cleanly with agency RMS systems that DO sit inside CJIS; FraudTrax handles the specialty-analysis layer at $19.99/officer/month, the RMS handles CJI.
What this means in practice for your agency:
- Officers must not paste NCIC results, CHRI, or other CJI into FraudTrax free-text fields. This is reinforced in the Tester Agreement and the in-app analyzer prompts.
- FraudTrax IS appropriate for: pre-NCIC plate analysis, dealer audits, auto theft scene documentation (as a separate evidentiary record), confirmed-fraud reporting on already-resolved cases.
- FraudTrax is NOT appropriate for: storing NCIC hits, storing CHRI, sharing case data that includes CJI between agencies through the platform.
Compensating controls that approximate CJIS practices:
- Defense-in-depth across 6 independent layers (Section III): exceeds CJIS Policy 5.10 (System and Communications Protection) baseline
- Per-officer TOTP MFA (Section V): aligned with CJIS Policy 5.6.2.2 (Advanced Authentication)
- Audit logging with 7-year retention for federal-contract records (Section IV.d): aligned with CJIS Policy 5.4.7 (Audit Logging)
- US-only data residency (Section IV.c): meets CJIS jurisdictional requirement for CJI even though we don't store CJI
- Encryption at rest & in transit (Section II): meets CJIS Policy 5.10.1.2 (Encryption)
For agencies that require their state CSA (CJIS Systems Agency) to formally evaluate any contractor-operated software, FraudTrax can provide the architecture documentation and source code review under MSA, and supports a state CSA Memorandum of Understanding. Contact procurement@fraudtrax.net.
Subprocessors and covered-equipment posture.
FraudTrax complies with FAR 52.204-25 (Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment) and Section 889 of the John S. McCain NDAA FY19.
Affirmation. FraudTrax does NOT use any equipment, system, or service produced or provided by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, or any subsidiary or affiliate of these entities. A reasonable supply-chain inquiry has been conducted; documentation is on file with Omega Point Solutions LLC, and the inquiry is re-conducted annually.
Active subprocessors (all US-based, non-covered):
- Cloudflare, Inc.: Workers (compute), D1 (database), R2 (object storage), KV, Pages, AI Gateway, Vectorize, Workers AI. US data centers; Section 889 compliance attested publicly.
- Anthropic, PBC: Claude API backend powering the DAN-O analysis engine. US-based; commercial terms; no training on commercial API traffic.
- Resend, Inc.: Transactional email (magic-link, account notifications). US-based.
- GitHub, Inc. (Microsoft subsidiary): Source code hosting and CI/CD. US-based.
- Stripe, Inc.: Subscription billing (paid tiers only). US-based; we never see full card numbers.
- NHTSA vPIC & FMCSA SAFER: Federal-government public lookups; no PII transmitted.
- Google Cloud Platform: Optional Google Places API (the new dealer-verification cascade) and Maps OCR fallback in the VIN extraction tier. US data centers; Section 889 compliance attested publicly.
30-day notice obligation. Any subprocessor addition or change is communicated to MSA counterparties at least 30 days before activation.
Audits and certifications in flight.
- SOC 2 Type II: gap assessment 2026 Q3; audit-period start 2026 Q4; first report 2027 Q2
- SDVOSB certification: VetCert.va.gov application planned under Omega Point Solutions LLC once the entity is active and registered; priority processing expected at 100% combat-service-connected disabled vet status; target submission and approval 2026 Q3
- FedRAMP Tailored: sponsorship path evaluation 2026 Q4; required only for federal contracts handling Moderate-impact data
- NIST SP 800-171 / CMMC Level 2: deferred; track when DoD CUI work is realistic
- State CJIS MOUs: bilateral evaluation with state CSAs initiated on agency request
- Independent penetration test: annual; first scheduled 2026 Q4
- HIPAA Business Associate Agreement: not applicable; FraudTrax does not handle protected health information
Veteran-owned.
Officer-built.
FraudTrax is operated by Omega Point Solutions LLC, a single-member Illinois limited liability company. The same entity owns the product IP and pursues federal contracting directly, structured for a clean SDVOSB posture: sole disabled-veteran ownership and unconditional control.
The platform is built by an active sworn law-enforcement officer who is a service-connected disabled veteran. Ownership and control documentation for SDVOSB verification is available on request to qualified counterparties.
Operating from Salem, Illinois. Registered agent of record on file with the Illinois Secretary of State. Beneficial ownership disclosed under the Corporate Transparency Act when applicable filing windows are active.
If something goes wrong.
- Reporting: security@fraudtrax.net · RFC 9116 disclosure at /.well-known/security.txt
- Acknowledgment SLA: 24 hours from receipt of credible vulnerability or incident report
- Notification SLA to affected customers: 72 hours after a security incident is confirmed (aligned with state breach-notification statutes)
- Coordinated disclosure: 90 days from initial report unless agreed otherwise with the reporter; CVE assignment when applicable
- Officer protection: if an incident potentially exposes officer-identifying data, affected officers are individually notified by direct email within 72 hours
- Backup contact: founder direct line on request through procurement@fraudtrax.net
Vetting FraudTrax for your agency?
Send a procurement package request to procurement@fraudtrax.net. The agency packet includes W-9, MSA template, CJIS state-CSA-MOU template, data-residency one-pager, this security posture briefing, and a pre-filled security questionnaire covering all 12 control areas in Section II.