VVirtualDojo Trust Center
● FedRAMP 20x, Certification Class C

VirtualDojo AI CRM Trust Center

Authorization data, security posture, and continuous-monitoring evidence for the VirtualDojo AI CRM cloud service offering, published for federal agencies and FedRAMP under the Consolidated Rules for 2026.

Initial Implementation Phase, pursuing certification Program path · no agency sponsor required Impact level: Moderate
FedRAMP ID
FR2615441197
Service model
SaaS
Deployment
Public Cloud
Next Certification Report
2026-10-02

Compliance & certifications

status is reported honestly, pursuing, not yet certified
FedRAMP 20x Certification (Class C)
In Progress
Program path; Consolidated Rules for 2026
SOC 2 (Security / Common Criteria)
In Progress
Type II, Security scope; independent CPA examination

VirtualDojo's FedRAMP 20x Key Security Indicators are derived from the NIST SP 800-53 Rev 5 Moderate baseline. This reflects the scope of our in-progress FedRAMP Certification and is not itself a separate certification.

VirtualDojo AI CRM is built on controls aligned to the FedRAMP Moderate baseline (NIST SP 800-53 Rev 5), which substantially overlaps with NIST SP 800-171 and CMMC Level 2. Contractors using it to process Controlled Unclassified Information may inherit applicable controls into their own System Security Plan and CMMC assessment scope. VirtualDojo AI CRM is not itself CMMC-certified, CMMC certification is issued to the assessed contractor entity, not to underlying cloud providers, and does not represent contractor compliance with DFARS 252.204-7012 or CMMC on a customer's behalf.

Cloud service offering

Public information
Offering
VirtualDojo AI CRM
Provider
VirtualDojo, Inc.
UEI
JZCAH18DEDC8
CAGE
142E1
Category
Customer Relationship Management
Website
https://virtualdojo.com

VirtualDojo AI CRM is a cloud-based customer relationship management platform with AI-powered proposal generation, contact management, pipeline forecasting, and document automation. The platform is designed for government contractors and federal agencies managing procurement workflows, storing Controlled Unclassified Information (CUI) including government contract data, customer PII, proposal documents, and financial/pricing data.

Security contact
Devin Henderson · security@virtualdojo.com
Sales contact
Cyrus Calloway · cyrus@virtualdojo.com
Assessor
Anthony Timbers LLC · FedRAMP-recognized 3PAO (#203181)

Services & security categories

Services in the FedRAMP assessment scope
ServiceConfidentialityIntegrityAvailabilityIn scope
Contact & Account Management
CRM contact records, account hierarchies, activity tracking
ModerateModerateModerateYes
AI Proposal Generation
AI-powered proposal drafting using Google Vertex AI
ModerateModerateLowYes
Pipeline & Forecasting
Sales pipeline management, revenue forecasting, analytics
ModerateModerateLowYes
Document Management
Proposal documents, quotes, attachments stored in GCS
ModerateModerateModerateYes
Tenant Administration
Multi-tenant provisioning, user management, RBAC
ModerateHighModerateYes

Security & availability

continuous monitoring

Continuous control monitoring

Automated KSI validation runs nightly in-boundary.

Service availability

99.986%rolling 4-day, measured
30 days agoToday

Hover for details

Measured by Google Cloud uptime checks (5-minute interval) on app.virtualdojo.com. This is a rolling 30-day window, accruing since 2026-07-04; each bar is one day (hover a bar for its figure). Machine-readable in public_info.json.

Privacy & data

data protection & residency
Privacy Policy
Privacy Policy
Impact level
Moderate (CUI)

Data residency

All customer data stays in the United States, inside the Google Cloud Assured Workloads FedRAMP Moderate boundary.*

us-central1
Iowa · Primary region
us (multi-region)
United States · Storage and batch AI
us-east4
Virginia · Disaster recovery

* All customer data is stored and processed only in the United States, on Google Cloud under Assured Workloads (policy DATA_BOUNDARY_FOR_FEDRAMP_MODERATE, which Google enforces so resources cannot be created outside the FedRAMP Moderate US region set; the policy denies non-US and global locations). Compute and most AI inference run in us-central1 (Iowa); the CUI-classifier batch jobs run on Vertex AI in the US multi-region; durable object storage uses the US multi-region; and disaster-recovery backups replicate to us-east4 (Virginia). All of these are US locations inside the same FedRAMP Moderate Assured Workloads enclave, so data never leaves the US authorization boundary. Every copy is encrypted with customer-managed keys (CMEK) that VirtualDojo controls.

Subprocessors

third parties in the data path
SubprocessorPurposeData handledLocation
Google Cloud PlatformApplication hosting, storage, database, AI/ML (Vertex AI)In-boundary CUI (contract data, PII, documents)US us-central1 (Assured Workloads)
MicrosoftIdentity (Entra ID), endpoint management (Intune), productivity (M365)Administrator identities and device postureUS M365 GCC / Azure
SendGrid (Twilio)Transactional email deliverySystem notifications only no CUIUS
StripeSubscription payment processingBilling metadata only (plan, tenant ID) no CUI/PIIUS
GitHubSource code management and CI/CDSource code no customer dataUS

Documentation

Public documents; detailed procedures available to agencies
DocumentSummaryAccess
Secure Configuration GuideHow to securely configure and operate the serviceView →
Data Retention ScheduleRetention periods by data typeAgencies
Contingency & Disaster Recovery ProceduresBackup, recovery, and contingency testingAgencies
Operational Security ProceduresDetection, response, and operational controlsAgencies
Personnel Security ProceduresScreening, onboarding, and access managementAgencies
Supply Chain Risk Management PlanThird-party and supply-chain risk controlsAgencies
Incident Response ProceduresIncident detection, response, and reporting (dissemination controls preclude portal delivery; supplied directly to agencies)Agencies
Privacy Impact AssessmentPrivacy analysis of data handling (dissemination controls preclude portal delivery; supplied directly to agencies)Agencies
Risk & Vulnerability Management ProceduresVulnerability detection, evaluation, and remediation SLAs (dissemination controls preclude portal delivery)Agencies
Continuous Monitoring SOPOngoing security-monitoring program (CUI marking review in progress; supplied directly to agencies meanwhile)Agencies
FedRAMP Certification Package (CPO · SDR · OCR)Full authorization package (human-readable + machine-readable JSON at /reports)Agencies

Frequently asked questions

security due diligence
Where is my data stored?
All customer data is stored and processed within the United States in Google Cloud under Assured Workloads (DATA_BOUNDARY_FOR_FEDRAMP_MODERATE). The primary region is us-central1 and disaster-recovery backups are replicated to us-east4; both are inside the same FedRAMP Moderate Assured Workloads enclave, so data never leaves the US boundary. All copies are encrypted with customer-managed keys (CMEK).
How is data encrypted?
Data is encrypted at rest with customer-managed encryption keys (CMEK) in Google Cloud KMS, and in transit with TLS 1.2+. Cryptography uses FIPS 140-validated modules.
What compliance frameworks do you follow?
VirtualDojo is pursuing FedRAMP 20x Certification (Class C) and a SOC 2 (Security) examination. The service is built on Google Cloud and Microsoft services that hold FedRAMP authorizations. Current status is shown on this page.
Is VirtualDojo FedRAMP High or Moderate?
FedRAMP Moderate equivalently, FedRAMP 20x Certification Class C, which is the applicable baseline for the Controlled Unclassified Information this service handles. VirtualDojo runs on Google Cloud under the Assured Workloads FedRAMP Moderate data-boundary regime, inheriting Google Cloud's FedRAMP Moderate authorization. Google Cloud also offers a FedRAMP High regime; VirtualDojo uses the Moderate boundary, so we describe our environment as Moderate rather than High.
Who are your subprocessors?
Google Cloud, Microsoft, SendGrid, Stripe, and GitHub. Each subprocessor, its purpose, the data it handles, and its location are listed in the Subprocessors section above.
How do you control access?
Access requires multi-factor authentication and Conditional Access via Microsoft Entra ID, enforces role-based access control and least privilege, and is continuously monitored by the automated KSI validator.
How do you handle security incidents?
VirtualDojo maintains documented incident-response procedures with continuous monitoring and defined notification timelines. Suspected incidents can be reported to security@virtualdojo.com.
How is availability monitored?
Service availability is measured by a Google Cloud uptime check on app.virtualdojo.com, and 46 Key Security Indicators are validated nightly in-boundary. A rolling availability percentage publishes on this page as monitoring history accrues.
What data does the service handle?
The service handles Controlled Unclassified Information (CUI) including government contract data, customer PII, proposal documents, and pricing data, at the FedRAMP Moderate impact level.
How can a federal agency access the full certification package?
The Certification Package (Certification Package Overview, Security Decision Record, and Ongoing Certification Reports) is available through authenticated self-service access at trust.virtualdojo.com/request-access federal (.gov/.mil) requesters are granted access automatically; other requests are reviewed under NDA. After signing in, human-readable report pages and the machine-readable JSON are both available under /reports.

Continuous progress toward certification

Updated quarterly
Marketplace listing, Initial Implementation Phase
Public trust center live; offering listed as in-progress
2026
Automated KSI validation in production
46 Key Security Indicators, ≥2 automated methods each (Class C); running nightly in-boundary with continuous evidence
Live
Independent assessment (3PAO)
Fresh independent assessment by Anthony Timbers LLC, current step
In progress
FedRAMP Certification application
Certification Package (CPO · SDR · OCR) submitted to FedRAMP
Planned

Leveraged authorizations

underlying FedRAMP-authorized providers
Provider & serviceFedRAMP IDImpactType
Google Cloud Platform · GCP Assured Workloads, including Vertex AI in-boundary (us-central1 for interactive inference; us multi-region via US REP endpoint for CUI-classifier batch jobs; org policy denies global)FR1805580474ModerateJAB P-ATO
Microsoft · Microsoft 365 GCCMSO365MTModerateAgency ATO
Microsoft · Azure Commercial Cloud (EMS for GCC)F1209051525HighJAB P-ATO

Access to certification data

For agencies, FedRAMP & customers

Public information above is open to everyone. The full FedRAMP Certification Package, Certification Package Overview, Security Decision Record, and Ongoing Certification Reports, plus the validation run reports are available through authenticated, self-service access.

Federal agency and FedRAMP personnel with a .gov or .mil email are provisioned automatically, request access, accept the emailed invitation, and sign in with your work email. Customers and prospective customers are reviewed by our security team (a non-disclosure or customer agreement must be on file). Every document is available as a human-readable page and as machine-readable JSON; all access is logged and an access inventory is maintained.

Request access   Already provisioned? Sign in →