CSA STAR Certification

Last updated: April 2026

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program is the industry-standard framework for cloud security assurance. This page describes FeatureSignals' alignment with the CSA STAR program and Cloud Controls Matrix (CCM).

CSA STAR Level: Self-Assessment (Level 1)

FeatureSignals has completed a CSA STAR Level 1 self-assessment. Level 2 (third-party audit) and Level 3 (continuous monitoring) are on the product roadmap. This page documents our alignment with the CSA Cloud Controls Matrix v4.

STAR Program Levels

The CSA STAR program has four levels of assurance. FeatureSignals is progressing through each:

Level	Name	Description	FeatureSignals Status
1	Self-Assessment	Organization completes CAIQ and submits to CSA STAR registry	Completed
2	Third-Party Audit	Independent auditor validates controls against CCM and ISO 27001 or SOC 2	Planned — post SOC 2 Type II
2+	Continuous (Silver)	Continuous monitoring with automated evidence collection	Planned
3	Continuous (Gold)	Full continuous monitoring with real-time control validation	Future

Cloud Controls Matrix (CCM v4) Alignment

The CSA Cloud Controls Matrix v4 defines 17 control domains with 197 controls. Below is FeatureSignals' alignment with the key domains:

A — Application & Interface Security (AIS)

Control ID	Control	Implementation
AIS-01	Application security	OWASP Top 10 mitigations, input validation, parameterized SQL
AIS-02	API security	JWT + API key auth, rate limiting, request body limits (1MB)
AIS-03	Data integrity	SHA-256 audit trail chain hashing, TLS 1.3 for data in transit

IAM — Identity & Access Management

Control ID	Control	Implementation
IAM-01	Identity management	UUID-based user IDs, SSO (SAML/OIDC), SCIM provisioning
IAM-02	Credential management	bcrypt password hashing (cost 12), API key SHA-256 hashing
IAM-04	Privileged access	RBAC (4 roles), least privilege, quarterly access reviews
IAM-05	Segregation of duties	Developer cannot approve own PRs, separate deployment role
IAM-07	Access revocation	Immediate member removal, API key rotation, session invalidation

DSI — Data Security & Information Lifecycle

Control ID	Control	Implementation
DSI-01	Data classification	PII, PHI, secrets, credentials — classified and encrypted
DSI-02	Data inventory	Complete data mapping for GDPR/CCPA compliance
DSI-03	Data encryption at rest	AES-256 for database, backups, and archives
DSI-05	Data retention	Defined retention periods, automated purging after expiry
DSI-07	Secure disposal	GDPR-compliant erasure, permanent purge, backup cycling

IVS — Infrastructure & Virtualization Security

Control ID	Control	Implementation
IVS-01	Network security	WAF, DDoS mitigation, firewall rules, TLS 1.3 enforcement
IVS-03	Workload security	Containerized deployment, read-only filesystem, vulnerability scanning
IVS-04	Clock synchronization	NTP-synchronized, all timestamps in UTC RFC 3339
IVS-07	Network segmentation	Internal services not exposed to internet, management network isolation

SEF — Security Incident Management, E-Discovery, & Cloud Forensics

Control ID	Control	Implementation
SEF-01	Incident response	Defined severity levels (P0–P4), 5-phase lifecycle, on-call rotation
SEF-02	Incident reporting	Customer notification within SLA, regulatory reporting (GDPR: 72h)
SEF-04	Forensic data	Audit trail with chain of custody, SHA-256 integrity hashing
SEF-05	Audit logging	All mutating operations logged with actor/IP/timestamp

Consensus Assessments Initiative Questionnaire (CAIQ)

The CAIQ is the standardized assessment questionnaire used in CSA STAR Level 1 self-assessment. FeatureSignals has completed the CAIQ v4, covering:

197 control specifications across all 17 CCM domains
Control ownership, implementation status, and evidence references
Gap analysis with remediation plans for any partial implementations

The completed CAIQ is available to Enterprise customers under NDA. Contact compliance@featuresignals.com to request a copy.