VirtualDojo AI CRM Trust Center
Authorization data, security posture, and continuous-monitoring evidence for the VirtualDojo AI CRM cloud service offering, published for federal agencies and FedRAMP under the Consolidated Rules for 2026.
Compliance & certifications
status is reported honestly, pursuing, not yet certifiedVirtualDojo's FedRAMP 20x Key Security Indicators are derived from the NIST SP 800-53 Rev 5 Moderate baseline. This reflects the scope of our in-progress FedRAMP Certification and is not itself a separate certification.
VirtualDojo AI CRM is built on controls aligned to the FedRAMP Moderate baseline (NIST SP 800-53 Rev 5), which substantially overlaps with NIST SP 800-171 and CMMC Level 2. Contractors using it to process Controlled Unclassified Information may inherit applicable controls into their own System Security Plan and CMMC assessment scope. VirtualDojo AI CRM is not itself CMMC-certified, CMMC certification is issued to the assessed contractor entity, not to underlying cloud providers, and does not represent contractor compliance with DFARS 252.204-7012 or CMMC on a customer's behalf.
Cloud service offering
Public information- Offering
- VirtualDojo AI CRM
- Provider
- VirtualDojo, Inc.
- UEI
- JZCAH18DEDC8
- CAGE
- 142E1
- Category
- Customer Relationship Management
- Website
- https://virtualdojo.com
VirtualDojo AI CRM is a cloud-based customer relationship management platform with AI-powered proposal generation, contact management, pipeline forecasting, and document automation. The platform is designed for government contractors and federal agencies managing procurement workflows, storing Controlled Unclassified Information (CUI) including government contract data, customer PII, proposal documents, and financial/pricing data.
- Security contact
- Devin Henderson · security@virtualdojo.com
- Sales contact
- Cyrus Calloway · cyrus@virtualdojo.com
- Assessor
- Anthony Timbers LLC · FedRAMP-recognized 3PAO (#203181)
Services & security categories
Services in the FedRAMP assessment scope| Service | Confidentiality | Integrity | Availability | In scope |
|---|---|---|---|---|
Contact & Account Management CRM contact records, account hierarchies, activity tracking | Moderate | Moderate | Moderate | Yes |
AI Proposal Generation AI-powered proposal drafting using Google Vertex AI | Moderate | Moderate | Low | Yes |
Pipeline & Forecasting Sales pipeline management, revenue forecasting, analytics | Moderate | Moderate | Low | Yes |
Document Management Proposal documents, quotes, attachments stored in GCS | Moderate | Moderate | Moderate | Yes |
Tenant Administration Multi-tenant provisioning, user management, RBAC | Moderate | High | Moderate | Yes |
Security & availability
continuous monitoringContinuous control monitoring
Automated KSI validation runs nightly in-boundary.
Service availability
Hover for details
Measured by Google Cloud uptime checks (5-minute interval) on app.virtualdojo.com. This is a rolling 30-day window, accruing since 2026-07-04; each bar is one day (hover a bar for its figure). Machine-readable in public_info.json.
Privacy & data
data protection & residency- Privacy Policy
- Privacy Policy
- Impact level
- Moderate (CUI)
Data residency
All customer data stays in the United States, inside the Google Cloud Assured Workloads FedRAMP Moderate boundary.*
* All customer data is stored and processed only in the United States, on Google Cloud under Assured Workloads (policy DATA_BOUNDARY_FOR_FEDRAMP_MODERATE, which Google enforces so resources cannot be created outside the FedRAMP Moderate US region set; the policy denies non-US and global locations). Compute and most AI inference run in us-central1 (Iowa); the CUI-classifier batch jobs run on Vertex AI in the US multi-region; durable object storage uses the US multi-region; and disaster-recovery backups replicate to us-east4 (Virginia). All of these are US locations inside the same FedRAMP Moderate Assured Workloads enclave, so data never leaves the US authorization boundary. Every copy is encrypted with customer-managed keys (CMEK) that VirtualDojo controls.
Subprocessors
third parties in the data path| Subprocessor | Purpose | Data handled | Location |
|---|---|---|---|
| Google Cloud Platform | Application hosting, storage, database, AI/ML (Vertex AI) | In-boundary CUI (contract data, PII, documents) | US us-central1 (Assured Workloads) |
| Microsoft | Identity (Entra ID), endpoint management (Intune), productivity (M365) | Administrator identities and device posture | US M365 GCC / Azure |
| SendGrid (Twilio) | Transactional email delivery | System notifications only no CUI | US |
| Stripe | Subscription payment processing | Billing metadata only (plan, tenant ID) no CUI/PII | US |
| GitHub | Source code management and CI/CD | Source code no customer data | US |
Documentation
Public documents; detailed procedures available to agencies| Document | Summary | Access |
|---|---|---|
| Secure Configuration Guide | How to securely configure and operate the service | View → |
| Data Retention Schedule | Retention periods by data type | Agencies |
| Contingency & Disaster Recovery Procedures | Backup, recovery, and contingency testing | Agencies |
| Operational Security Procedures | Detection, response, and operational controls | Agencies |
| Personnel Security Procedures | Screening, onboarding, and access management | Agencies |
| Supply Chain Risk Management Plan | Third-party and supply-chain risk controls | Agencies |
| Incident Response Procedures | Incident detection, response, and reporting (dissemination controls preclude portal delivery; supplied directly to agencies) | Agencies |
| Privacy Impact Assessment | Privacy analysis of data handling (dissemination controls preclude portal delivery; supplied directly to agencies) | Agencies |
| Risk & Vulnerability Management Procedures | Vulnerability detection, evaluation, and remediation SLAs (dissemination controls preclude portal delivery) | Agencies |
| Continuous Monitoring SOP | Ongoing security-monitoring program (CUI marking review in progress; supplied directly to agencies meanwhile) | Agencies |
| FedRAMP Certification Package (CPO · SDR · OCR) | Full authorization package (human-readable + machine-readable JSON at /reports) | Agencies |
Frequently asked questions
security due diligenceContinuous progress toward certification
Updated quarterlyLeveraged authorizations
underlying FedRAMP-authorized providers| Provider & service | FedRAMP ID | Impact | Type |
|---|---|---|---|
| Google Cloud Platform · GCP Assured Workloads, including Vertex AI in-boundary (us-central1 for interactive inference; us multi-region via US REP endpoint for CUI-classifier batch jobs; org policy denies global) | FR1805580474 | Moderate | JAB P-ATO |
| Microsoft · Microsoft 365 GCC | MSO365MT | Moderate | Agency ATO |
| Microsoft · Azure Commercial Cloud (EMS for GCC) | F1209051525 | High | JAB P-ATO |
Access to certification data
For agencies, FedRAMP & customersPublic information above is open to everyone. The full FedRAMP Certification Package, Certification Package Overview, Security Decision Record, and Ongoing Certification Reports, plus the validation run reports are available through authenticated, self-service access.
Federal agency and FedRAMP personnel with a .gov or .mil email are provisioned automatically, request access, accept the emailed invitation, and sign in with your work email. Customers and prospective customers are reviewed by our security team (a non-disclosure or customer agreement must be on file). Every document is available as a human-readable page and as machine-readable JSON; all access is logged and an access inventory is maintained.
Request access Already provisioned? Sign in →