5/15/2026 · milestone
Sprint 97 closed — marketing/app subdomain split + ASV scan remediation
Three production milestones for Raize Technologies, all completed during the 2026-05-15 release:
**Cutover.** raizehq.dev now serves a server-rendered Next.js 14 marketing site (Lighthouse 0.95+, LCP <1s); the app moved to app.raizehq.dev on the existing Vite SPA. 8 marketing routes (landing, pricing, privacy, DPA, changelog, trust center, auditor portal, vendor assessment) are first-class crawlable URLs with per-page OG cards.
**ASV scan remediation.** Internally run, PCI-DSS-aligned vulnerability scan of the public-facing surface — 0 critical findings, 1 high (since closed), 3 medium (2 closed, 1 dashboard-only operator action). create-admin-user endpoint hardened with per-IP + per-email rate limits, email verification required, CSP unsafe-eval dropped, SSO domain enumeration rate-limited, 76 Supabase Advisor warnings closed (search_path pinned + anon EXECUTE revoked from 51 RPCs).
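As an added illustration (not one of the Raize migrations), this is what the two Supabase Advisor remediations named above look like for a single hypothetical RPC, followed by the query a daily control check can run to confirm no function was missed. The function name `public.get_invoice_totals(uuid)` is a placeholder; the `anon` and `authenticated` roles are Supabase's built-ins.

```sql
-- Added example, not Raize's own migration. Assumes a Supabase-style Postgres
-- with the built-in anon/authenticated roles; the function is a placeholder.

-- 1. Pin search_path so a SECURITY DEFINER function cannot be redirected to an
--    attacker-created object in a schema that resolves before the intended one.
--    Listing pg_temp last stops temp objects from shadowing public ones.
ALTER FUNCTION public.get_invoice_totals(uuid)
  SET search_path = public, pg_temp;

-- 2. Postgres grants EXECUTE on every new function to PUBLIC by default, so
--    revoking from anon alone leaves the call reachable through PUBLIC.
--    Revoke both, then grant back only to the role that legitimately calls it.
REVOKE EXECUTE ON FUNCTION public.get_invoice_totals(uuid) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.get_invoice_totals(uuid) TO authenticated;

-- 3. Drift check: every function in the public schema that still has a
--    mutable search_path or is executable by anon. Expect zero rows after
--    remediation; any row is a control failure worth surfacing.
SELECT n.nspname || '.' || p.proname                     AS fn,
       pg_get_function_identity_arguments(p.oid)          AS args,
       p.prosecdef                                        AS security_definer,
       NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) c
                   WHERE c LIKE 'search_path=%')           AS search_path_mutable,
       has_function_privilege('anon', p.oid, 'EXECUTE')   AS anon_can_execute
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'public'
  AND (
        NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) c
                    WHERE c LIKE 'search_path=%')
     OR has_function_privilege('anon', p.oid, 'EXECUTE')
      )
ORDER  BY 1;
```

Run the drift query after each migration deploys; a non-empty result on a function you did not just create is the signal that a new RPC shipped without the hardening.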
**Continuous Monitoring KPI.** 50 automated control checks now run daily @ 07:00 UTC; drift events surface as a one-line rose pill on the Continuous Monitoring page the moment any check errors. Average time-to-detect for a control failure is now under 24 hours (from "next quarterly audit").
183 migrations live on prod + staging. 6 frameworks. ~75 tables with RLS on every one. 22 cron jobs. 18 edge functions. MFA enforced on every authenticated user, regardless of role.
5/13/2026 · milestone
BCP/DR Plan adopted + PCI DSS SAQ-D self-assessment complete
Two compliance milestones for Raize Technologies, both completed on 2026-05-13.
**Business Continuity & Disaster Recovery Plan v1.0 — adopted.** Covers the raizehq.dev SaaS platform end-to-end: tiered recovery objectives (RTO 1h Tier 1 / 4h Tier 2 / 24h Tier 3, RPO 5 min via Supabase PITR), full dependency map, single-points-of-failure register, three named recovery runbooks (Postgres restore, frontend rebuild to Cloudflare Pages, Stripe webhook replay), and a quarterly tabletop + annual live-restore exercise cadence. Owner: CTO. Next review: 2027-05-13.
**PCI DSS v4.0.1 SAQ-D self-assessment — completed across all 50 applicable requirements.** Headline result:
- 20 requirements **implemented** (40%)
- 18 requirements **not applicable** (36%) — the Cardholder Data Environment is fully outsourced to Stripe (PCI DSS Level 1 service provider) via hosted Checkout; no PAN, CVV, expiry, or magnetic-stripe data ever enters Raize-controlled systems
- 10 requirements **partially implemented** (20%) — gaps logged as tracked tasks with named owners and due dates (8.3.6 password policy, 8.4.1 admin MFA enforcement, 10.5.1 1-year log retention, 12.6.1 annual security awareness, others)
- 2 requirements **not implemented** (4%) — external ASV vulnerability scans (TASK-PCI-11.3.1 due 2026-09-30) and external penetration test (TASK-PCI-11.4.1 due 2026-12-31)
**Scope honesty:** Raize Tech's strictly applicable PCI form is SAQ-A. SAQ-D was completed as a defence-in-depth exercise to give prospective customers visibility into our security posture across the full PCI control set, not just the SAQ-A subset.
Full control-by-control results are visible to operators inside the platform under PCI DSS → Controls. Auditors can request the assessment packet via security@raizehq.dev.
5/13/2026 · milestone
Q2 2026 consultant compliance audit complete (4 frameworks)
External consultant-led implementation and assessment engagement closed 2026-05-13, covering ISO 27001:2022, SOC 2, UK/EU GDPR, and PCI DSS v4.0.1.
Headline scorecard:
- SOC 2: 82% (36/44, 6 partial, 2 N/A)
- GDPR: 76% (34/45, 5 partial, 6 N/A)
- ISO 27001: 71% (66/93, 15 partial, 12 N/A)
- PCI DSS: 40% (20/50, 10 partial, 18 N/A) - scope dominated by Not Applicable due to outsourced CDE (Stripe-hosted Checkout, no PAN in Raize systems)
Seven open risks logged with named owners and target dates. Two are HIGH (no ASV scans, no pen-test) with budgeted remediation by Q4 2026. Zero critical findings.
HIPAA and NIST 800-53 explicitly out of scope - Raize Tech does not process Protected Health Information and has no US federal contracts. Both frameworks remain available to customers via the platform.
Full 14-page report available to prospects under NDA: legal@raizehq.dev.