CAIQ control comparison

How the industry answers CAIQ. And where the structural gap remains.

The Cloud Security Alliance CAIQ v4 is the standardized vendor security questionnaire — about 260 yes/no questions across 17 control domains — that enterprise customers send to SaaS vendors before signing. AWS, Microsoft, Google, Oracle, Salesforce, IBM, Esri, and hundreds of others publish their answers on the CSA STAR Registry. You can read any of them.

Below are three controls where the typical answer the industry gives is honest within the questionnaire's framing — and where the structural property the customer actually wants is something the questionnaire isn't shaped to capture. Click any verification link to read the vendor's real published answer and check the pattern yourself.

Methodology, briefly

The "typical answer" columns below are synthesized from public CAIQ submissions across major cloud providers and SaaS vendors. We have intentionally not named any specific vendor's answer as "wrong" — every answer those companies publish is honest within the yes/no framing of CAIQ. The structural gap is in the questionnaire's shape, not in the vendors' diligence. That is also why this gap is a market opportunity rather than a competitor's mistake — every CAIQ-fielding vendor on earth has it.

CAIQ IAM-12.1: Logging integrity

Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated?

Typical industry answer

Vendors typically answer "Yes" and cite a combination of: (1) audit logs written to a separate storage system (often S3 with Object Lock, GCS Bucket Lock, or Azure Immutable Blob), (2) IAM policies restricting which roles can write/delete, (3) periodic access reviews, (4) credential rotation. The answer satisfies the questionnaire because the controls listed are real and operational.

The gap that "Yes" doesn't close

A "Yes" answer here means the protection is policy-administered, not structurally enforced. Object Lock retention can be modified by an account owner with appropriate IAM permissions. The "privileged access roles" caveat in the question is doing critical work — these are exactly the roles that, by design, have administrative control over the logging system. The customer cannot independently verify whether a privileged role rewrote a log entry between two of their reads.

What changes with Unincorporated

The chain is cryptographically append-only by construction. Modifying any past entry mathematically breaks every entry chained after it; the break is detectable in a single verification pass. No privileged role — including the operator that runs Unincorporated — can silently rewrite history. The customer's compliance team verifies the integrity in their own browser via WASM. Protection is mathematical, not policy-administered.

Verify the pattern yourself

CAIQ DSP-14.1: Sub-processor disclosure

Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation?

Typical industry answer

Vendors typically answer "Yes" and cite a Trust Center page listing current sub-processors, a DPA clause requiring 30 days' notice before adding a new sub-processor, and an email or RSS notification when the list changes. The disclosure is at the contract layer — list-shaped, quarterly-updated, attestation-backed. Customers receive notice that a new sub-processor will be onboarded, not notice of each individual access by a sub-processor.

The gap that "Yes" doesn't close

The clause requires disclosure of "any personal or sensitive data access by sub-processors" — read literally, that is a per-event obligation, not a list-shaped one. Vendors satisfy the letter of the control with a Trust Center page because nobody has shipped infrastructure that would let them satisfy the spirit. The data owner sees who *might* access their data, not who *did*. For high-risk relationships (healthcare, financial, regulated AI) the gap between "approved sub-processor" and "actually accessed your record" is exactly where breach root-cause investigations land.

What changes with Unincorporated

Sub-processor onboarding stays the same — list-shaped, contract-layer, 30-day notice. Per-access transparency is added: every actor — including each sub-processor — appears as a labeled actor in the customer's chain at the moment of access. "Which sub-processor touched my data, when, on whose behalf, and why" becomes an on-demand cryptographic record the customer reads in their own browser, scoped to their own data only.

Verify the pattern yourself

CAIQ LOG-09.1: Tamper-evidence

Does the information system protect audit records from unauthorized access, modification, and deletion?

Typical industry answer

Vendors typically answer "Yes" and cite the same control stack as IAM-12.1 — Object Lock or equivalent immutable storage, IAM-restricted access, multi-party deletion approval, regular access reviews. Some add SIEM-side alerting for anomalous access patterns. The protection is policy-based, operator-administered, and graded internally.

The gap that "Yes" doesn't close

The question asks whether the system protects records — it does not ask who validates that protection. In practice, "Yes" means "the operator has implemented controls the operator validates." The customer trusts the operator's IAM policy, the operator's deletion-approval workflow, the operator's SIEM rules. None of those are independently verifiable by the customer or by a regulator on demand.

What changes with Unincorporated

The chain is tamper-evident by construction. Any modification or deletion breaks the cryptographic linkage between entries and is detected on the next verification pass. The customer doesn't have to trust our IAM policy or our deletion-approval workflow — they verify the integrity themselves, on their own machine, against the chain head our deployment publishes. Protection is mathematical and customer-verifiable, not policy-administered and operator-graded.

Verify the pattern yourself

The same shape recurs in SIG (Shared Assessments' Standardized Information Gathering, ~1,800 questions), ISO 27001 Annex A, and most Fortune 500 custom vendor security questionnaires. Three controls today; the same cryptographic answer scales to the rest.