Security & Trust

Draft — pending legal review

This security disclosure is a working draft authored from Concura's known data flows and infrastructure choices as of 2026-05-14. It has not yet been reviewed by counsel or by a third-party security auditor. Treat it as a basis for a finalized statement, not a binding attestation. Last drafted: 2026-05-14.

Concura serves Department of Defense Industrial Base (DIB) contractors who are themselves being assessed against the Cybersecurity Maturity Model Certification (CMMC) Level 2. Our security posture is built to match the audience we serve. This page summarizes the technical and operational practices behind that.


Data classification

Concura distinguishes three classes of data, each handled on different infrastructure:

  • Public marketing content. Examples: the 320 objective pages, the Knowledge Base, the prospectus, the products page. Hosted in: Linode (commercial cloud).
  • Authenticated subscriber state. Examples: bookmarker / completion-tracker entries, allowlist of authenticated emails. Hosted in: Linode (commercial cloud), access-controlled.
  • Customer-authored SSP content (Interview tier only). Examples: voice transcripts, authored narratives, company profile, uploaded logo. Hosted in: Microsoft Azure Government — GCC High.

The boundary between the marketing surface and the surface that holds customer-authored SSP content is enforced at the authentication and routing layer. Authored content never transits the public marketing infrastructure.


Hosting environments

Microsoft Azure Government (GCC High) — for Interview-tier customer content

Microsoft Azure Government's GCC High environment is FedRAMP High Authorized as a platform and certified for U.S. Department of Defense Impact Level 5 data. It is the cloud environment commonly used by DIB contractors to process Controlled Unclassified Information (CUI).

When you author content in Concura Interview, that content is stored in our GCC High tenant. Concura does not store Interview-tier customer SSP narratives, voice transcripts, or company profiles outside of GCC High.

To be clear: Concura's possession of customer data in GCC High does not make Concura itself FedRAMP-authorized. Concura is a customer of Microsoft's authorized platform. The authorization belongs to Microsoft's environment; Concura inherits the security properties of that environment for the data we store there.

Linode (Akamai Technologies) — for the public marketing site

The public Concura.AI marketing site, the lead-capture endpoint, and the authenticated dashboard's read-only reference content run on Linode infrastructure in the United States. This is a separate environment from the GCC High tenant.

We chose this split deliberately: marketing-grade infrastructure for marketing-grade data, FedRAMP-grade infrastructure for the data that needs it.


Authentication

  • Public site. No sign-in required. No tracking cookies. No marketing analytics.
  • Authenticated dashboard. Access is gated by Microsoft Entra business-to-business (B2B) guest authentication. You sign in with your existing work email; Microsoft sends a one-time passcode; you enter it; you're in. No new password to remember, no Microsoft account required on your side. A short-lived session cookie keeps you signed in for the duration of your session.
  • Interview authoring environment. Same Entra B2B sign-in, with additional authorization checks confirming an active Interview subscription before SSP content is loaded.

Encryption

  • In transit. All connections to Concura.AI use HTTPS with TLS 1.2 or higher. The TLS certificate is issued by Let's Encrypt (ISRG Root) and renewed automatically.
  • At rest. Customer-authored SSP content in GCC High is encrypted at rest under Microsoft's managed keys. Concura does not maintain plaintext copies outside the authorized environment.
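The two claims in the "In transit" bullet (TLS 1.2 or higher, certificate issued by Let's Encrypt and auto-renewed) are ones a customer can verify from the outside. The following is an added example, not Concura's code: the policy check itself is a pure function over values observed in a handshake, and a small probe gathers those values with Python's standard ssl module. The host name, the issuer string and the 14-day renewal-warning threshold are assumptions for illustration.

```python
"""Verify a vendor's stated TLS posture from the outside (added example)."""
import socket
import ssl
from datetime import datetime, timezone

# Policy as stated on the page: TLS 1.2 or higher, Let's Encrypt issuance.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
EXPECTED_ISSUER_ORGS = ("Let's Encrypt",)
# Assumption: an auto-renewed certificate should never get this close to expiry.
RENEWAL_WARNING_DAYS = 14


def assess_tls(negotiated_version, issuer_org, not_after, now):
    """Pure policy check on values observed from a handshake.

    Returns a list of findings; an empty list means the observed posture
    matches the stated policy.
    """
    findings = []
    if negotiated_version not in ACCEPTED_VERSIONS:
        findings.append(
            f"negotiated {negotiated_version}; policy requires TLS 1.2 or higher")
    if issuer_org not in EXPECTED_ISSUER_ORGS:
        findings.append(f"issuer O={issuer_org!r}; expected Let's Encrypt")
    remaining = not_after - now
    if remaining.total_seconds() <= 0:
        findings.append("certificate expired")
    elif remaining.days < RENEWAL_WARNING_DAYS:
        findings.append(
            f"certificate expires in {remaining.days} days; auto-renewal may be failing")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect using the system trust store and return
    (negotiated version, issuer organizationName, notAfter as aware datetime)."""
    ctx = ssl.create_default_context()
    # Refuse anything below TLS 1.2 on the client side as well.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # Each issuer RDN is a tuple of (attribute, value) pairs.
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            return tls.version(), issuer.get("organizationName", ""), not_after


if __name__ == "__main__":
    # Assumption: concura.ai is the host that serves the marketing site.
    version, org, expiry = probe("concura.ai")
    now = datetime.now(timezone.utc)
    print(version, org, expiry.isoformat())
    print(assess_tls(version, org, expiry, now) or "posture matches stated policy")
```

The check is split so the policy logic can be exercised without network access; `probe` only collects facts, and `assess_tls` decides whether they satisfy the policy.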

Subprocessors

Concura uses the following service providers to deliver the Service. Each has signed appropriate data-processing terms with us.

  • Microsoft Corporation (Azure Government — GCC High). Role: hosts Interview-tier customer SSP content. Data accessed: Interview-tier customer content.
  • Microsoft Corporation (Entra B2B). Role: sign-in authentication. Data accessed: email address, sign-in events.
  • Anthropic, PBC. Role: AI cleanup and refinement of Interview-authored narratives. Data accessed: submitted SSP narrative text only.
  • Stripe, Inc. Role: payment processing. Data accessed: name, email, billing address, card details.
  • Akamai Technologies (Linode). Role: marketing site and lead-form endpoint hosting. Data accessed: server-log data, lead-form submissions in transit.
  • Zoho Corporation Pvt. Ltd. Role: email delivery for *@concura.ai mailboxes. Data accessed: inbound and outbound email content.
  • Let's Encrypt (ISRG). Role: TLS certificate issuance. Data accessed: domain ownership only.

We will give Interview customers at least 30 days' notice before adding a new subprocessor that processes Interview content.


Operational controls

  • Access to production systems is limited to named Concura personnel; sign-ins are logged.
  • Least-privilege access is the default. We do not grant production-data access to anyone whose job doesn't require it.
  • Backups. Customer-authored SSP content in GCC High is backed up under Microsoft's managed backup policies. Public-site content is reproducible from the public Git repository and is not separately backed up.
  • Server logs (nginx access logs) are retained for 90 days and rotated. Each entry records the client IP address, requested URL, response code and timestamp; request bodies are not logged.
  • Lead-form submissions are written to an append-only audit log on the host. Access to that log is restricted to the service user.

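The last two operational controls, a 90-day retention window on rotated access logs and an append-only audit log readable only by the service user, are concrete enough to show in code. The block below is an added example and not Concura's implementation: it writes audit records as JSON lines through a descriptor opened in append mode with 0600 permissions, and sweeps rotated nginx logs whose modification time is older than the retention window while never touching the live `access.log`. File names, record fields and the `access.log.N[.gz]` rotation pattern are assumptions.

```python
"""Append-only lead audit log and 90-day log retention sweep (added example)."""
import json
import os
import time
from pathlib import Path

RETENTION_DAYS = 90          # retention window stated on the page
SECONDS_PER_DAY = 86_400
LIVE_LOG_NAME = "access.log"  # assumption: nginx's live access log name


def append_audit_record(log_path, record, now=None):
    """Append one JSON line to the audit log and return the stored entry.

    The descriptor is opened write-only with O_APPEND, so every write lands
    at the end of the file and nothing already recorded can be overwritten
    through this handle. A newly created file gets mode 0600, so only the
    owning service user can read it.
    """
    now = time.time() if now is None else now
    entry = {"ts": int(now), **record}
    line = json.dumps(entry, separators=(",", ":"), sort_keys=True) + "\n"
    fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
        os.fsync(fd)  # make the record durable before acknowledging it
    finally:
        os.close(fd)
    return entry


def read_audit_records(log_path):
    """Read back all records, oldest first."""
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def expired_rotated_logs(log_dir, now=None, retention_days=RETENTION_DAYS):
    """Return rotated logs (access.log.1, access.log.2.gz, ...) whose last
    modification is older than the retention window. The live log is never
    selected, even if it has not been written to for a long time."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    expired = []
    for path in sorted(Path(log_dir).iterdir()):
        if not path.is_file() or path.name == LIVE_LOG_NAME:
            continue
        if not path.name.startswith(LIVE_LOG_NAME + "."):
            continue
        if path.stat().st_mtime < cutoff:
            expired.append(path)
    return expired


def purge_expired_logs(log_dir, now=None):
    """Delete expired rotated logs and return the names that were removed."""
    removed = expired_rotated_logs(log_dir, now)
    for path in removed:
        path.unlink()
    return [path.name for path in removed]


if __name__ == "__main__":
    # Assumed paths; a real deployment would run the sweep from a timer job.
    append_audit_record("/var/log/concura/leads.jsonl",
                        {"email": "lead@example.invalid", "source": "form"})
    print(purge_expired_logs("/var/log/nginx"))
```

The retention sweep is deliberately idempotent and side-effect free until `purge_expired_logs` is called, so a monitoring job can report what would be deleted before anything is removed.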
Compliance posture

Concura is not currently SOC 2, ISO 27001, FedRAMP, or CMMC certified as a service. We are a small, senior-assessor-built tooling provider; we do not hold formal third-party security audits. We make this explicit so customers can evaluate whether our posture meets their risk tolerance.

What we do have:

  • A senior CMMC assessor's design judgment applied to the architecture itself.
  • A deliberate infrastructure split: customer SSP content lives only in Microsoft Azure GCC High, the same FedRAMP High Authorized platform used to handle DoD Impact Level 5 data.
  • No marketing analytics, no advertising trackers, no cross-context tracking.
  • Verifiable infrastructure choices that hold up to scrutiny from a C3PAO reviewing your subprocessor list.

Vulnerability disclosure

If you believe you've found a security vulnerability in Concura, please report it to security@concura.ai.

We commit to:

  • Acknowledging your report within 2 business days.
  • Providing an initial assessment within 10 business days.
  • Keeping you informed of remediation progress.
  • Not pursuing legal action against good-faith researchers who follow responsible-disclosure practices: no exfiltration of user data, no public disclosure before remediation, and reasonable cooperation with our timeline.

We don't currently offer paid bug bounties, but we credit reporters in our release notes (with permission).


Incident response

In the event of a confirmed security incident affecting customer data:

  • We will notify affected customers as soon as we have reliable information about scope and impact, and in any case within 72 hours of confirming the incident.
  • We will provide ongoing updates as remediation progresses.
  • We will conduct a post-incident review and publish a sanitized summary to this page.

Customer responsibilities

Some aspects of secure use of Concura are necessarily yours to manage:

  • Account credentials. Don't share your sign-in email with anyone outside your organization. Use a strong password on your underlying email account (Microsoft 365 / Google Workspace / etc.).
  • Authored content. What you write into your SSP is your content. Concura provides storage, structure, and AI assistance, but the substance — and whether it accurately reflects your security program — is on you.
  • Inheritance and architecture choices. Concura provides starting recommendations; you decide what's accurate for your environment and your assessor.

Contact

Consultant Works, LLC (the company that produces Concura.AI)
St. Petersburg, Florida, USA

Security disclosures: security@concura.ai
Privacy questions: privacy@concura.ai
General inquiries: sales@concura.ai
Senior assessor consult bookings: assessor@concura.ai