DeployReady Trust Center

Effective April 22, 2026 · Version v1.0.0 · Contact security@capstonehorizon.com

Compliance Documents

All of our governing documents are published here and versioned. The current set is v1.0.0, effective April 22, 2026. The FAR 52.204-21 Self-Attestation is v1.1.0.

Document reissue in progress. Our legal address of record has been updated to our Tucson headquarters (5110 W Jeffrey Rd, Tucson AZ 85757). The FAR 52.204-21 Self-Attestation has been re-issued with the updated address as v1.1.0. The remaining compliance PDFs will be re-issued as v1.2.0 with the updated footer address during the week of April 22, 2026. Substantive content is unchanged.

Document Download

Document | File
DeployReady Trust Center (this page, PDF version) | Trust-Center.pdf
FAR 52.204-21 Self-Attestation | FAR-52.204-21-Self-Attestation.pdf
Terms of Service | Terms-of-Service.pdf
Privacy Policy | Privacy-Policy.pdf
Data Handling Policy | Data-Handling-Policy.pdf
Incident Response Plan | Incident-Response-Plan.pdf
Subprocessor List | Subprocessor-List.pdf
Data Processing Agreement (Template) | DPA-Template.pdf
Acceptable Use Policy | Acceptable-Use-Policy.pdf
AI Safety and Anti-Fabrication | AI-Safety-and-Anti-Fabrication.pdf
Compliance Package Overview | Compliance-Package-Overview.pdf

What DeployReady Is

DeployReady is a SaaS platform built by Capstone Horizon LLC that helps small businesses and government contractors analyze federal solicitations and generate compliant proposal drafts. Customers upload publicly available solicitations (from SAM.gov or similar sources), maintain a company profile, and receive AI-assisted proposal outputs grounded in their actual capabilities.

Our security philosophy: FCI-adjacent by design. DeployReady is not a federal information system and is not designed to process Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or any other restricted government data. We built the product this way on purpose. Our Terms of Service prohibit uploading restricted data, and our product posture reinforces that boundary. We voluntarily implement the 15 baseline security controls from FAR 52.204-21 because they represent a sound commercial baseline, not because we are required to.

Architecture at a Glance

Hosting

DeployReady runs on Railway, which hosts the application on AWS infrastructure in the us-east-1 region (Northern Virginia). All customer data remains in the United States.

Database

Railway Postgres with AES-256 encryption at rest (Railway default). Daily automated snapshots with 7-day retention. All database traffic is encrypted in transit.

Tenant Isolation

Every data read and write in the application binds to the requesting tenant's ID derived from the server-side session. This app-layer enforcement runs on every query. Additionally, Postgres Row-Level Security (RLS) policies are applied at database startup on 19 tenant-scoped tables, including solicitations, proposals, company profiles, file vault, credentials, and audit logs. This gives us defense-in-depth: even a misconfigured query cannot return another tenant's records.

Authentication

Users authenticate with email and password. Passwords are hashed using scrypt (N=16384, 64-byte derived key, random per-user salt) and compared using constant-time comparison. Brute-force protection limits login attempts to 5 per IP+email combination per 15-minute window. Sessions are server-side and persisted to the database, with an in-memory L1 cache per request. Multi-factor authentication for administrative accounts is on the roadmap for Q3 2026.

TLS

All ingress routes through Railway's HTTPS termination (TLS 1.2 minimum). The application itself rejects any non-HTTPS request in production and sends HSTS headers on every response. There is no unencrypted HTTP path to the application.

FAR 52.204-21 Compliance Summary

We voluntarily implement all 15 basic safeguarding controls from FAR 52.204-21. Our current status:

Category | Count | Notes
Fully implemented (DONE, incl. DONE INHERITED) | 6 | Access control, authentication, boundary protection, subnetwork isolation
Partially implemented (PARTIAL) | 6 | Active remediation with Q2 2026 to Q1 2027 targets. Largest remaining gap is real-time file-upload malware scanning.
Inherited from Railway / AWS (N/A) | 3 | Physical security controls, no Capstone-owned infrastructure

The full self-attestation with evidence pointers for each of the 15 controls is available in our FAR 52.204-21 Self-Attestation. A one-page scorecard suitable for sharing with procurement and legal counsel is also available on request.

Data You Control

As a DeployReady customer, you own everything you bring in and everything the product generates for you:

  • Your company profile (capabilities, past performance, personnel, certifications)
  • Solicitations you upload or import
  • Generated proposal drafts
  • Files stored in the vault

Capstone Horizon does not claim ownership of your content. You can request deletion of your data at any time, and we will process it within 30 days. See our Data Handling Policy for retention schedules and deletion procedures.

Scope Boundaries: What We Do Not Process

DeployReady is not designed or authorized to hold the following data categories:

  • Federal Contract Information (FCI) as defined at FAR 4.1901
  • Controlled Unclassified Information (CUI) as defined at 32 CFR 2002.4
  • Classified National Security Information at any classification level
  • ITAR-controlled technical data or EAR-controlled export-controlled data
  • Protected Health Information (PHI) under HIPAA
  • Any information you are contractually obligated to protect under DFARS 252.204-7012 or equivalent

These are defined as Prohibited Data in our Terms of Service. Uploading Prohibited Data violates our Terms and may result in immediate suspension of your account. DeployReady is appropriate for analyzing publicly available solicitations (such as those from SAM.gov) and generating proposal drafts from your company's own, non-restricted capability data.

AI Safety and Anti-Fabrication

Government proposals carry legal risk. A proposal that invents personnel, past performance, or certifications can expose a contractor to False Claims Act liability. DeployReady's proposal engine is built around a firm no-fabrication rule set that:

  • Treats your company profile as the sole authoritative source of facts
  • Prohibits invented personnel, past performance, clearances, language fluency, and quantitative claims
  • Restricts compliance matrix vocabulary to three defined labels
  • Defaults to "will recruit" framing when a capability gap is detected

The full rule set, its rationale, and the technical implementation are described in our AI Safety and Anti-Fabrication document.

Subprocessors

DeployReady uses a small set of third-party vendors to deliver the service. We only engage subprocessors in the United States.

Subprocessor | Role
Railway | Application hosting and database (AWS us-east-1)
Stripe | Payment processing
OpenAI | LLM inference
Anthropic | LLM inference
xAI (Grok) | LLM inference
Resend | Transactional email (login, notifications, receipts)

We will give 30 days' advance notice before adding any new subprocessor that touches customer data. Full list: Subprocessor List.

Roadmap

We develop our security posture in public. Here is what is coming and when:

Item | Target
MFA for administrative accounts | Q3 2026
xlsx library migration (close known advisory) | Q3 2026
Drizzle ORM major version bump | Q2 2026
File upload malware scanning | Q4 2026
SAST scanning in CI (CodeQL) | Q4 2026
SOC 2 Type I readiness | Q4 2026
External penetration test | 6 to 12 months post-launch
Incident response tabletop exercise | Q1 2027
FedRAMP (Path A) | When a federal agency becomes a direct customer

Incident Response

We maintain a written Incident Response Plan that defines severity classifications, response roles, customer notification timelines (72 hours for security incidents involving personal data), evidence preservation procedures, and post-incident review. Full plan: Incident Response Plan.

Contact

Security & Vulnerability Reports
security@capstonehorizon.com
Privacy Requests & Data Deletion
privacy@capstonehorizon.com
Legal Address
Capstone Horizon LLC
5110 W Jeffrey Rd
Tucson, AZ 85757