{
  "fedramp_id": "FR2615441197",
  "cso_name": "VirtualDojo AI CRM",
  "service_model": "SaaS",
  "deployment_model": "Public Cloud",
  "impact_level": "Moderate",
  "business_category": "Customer Relationship Management",
  "certification_status": "Initial Implementation Phase, pursuing FedRAMP 20x Certification (Class C)",
  "certification_path": "Program (no agency sponsor)",
  "agency_use_case": "Direct Use",
  "agency_use_case_detail": "VirtualDojo AI CRM targets two federal markets and is intended for direct\nuse by federal agencies (MKT-IIP-AGU Direct Use).\n\nFederal agencies: the platform is designed for direct agency adoption to\nmanage customer-relationship, procurement, and contract workflows and the\nControlled Unclassified Information (CUI) involved integrated into a federal\ninformation system under 44 U.S.C. 3506 and receiving an agency Authorization\nto Operate once FedRAMP Certification is achieved.\n\nFederal contractors: contractors performing on federal contract vehicles\n(e.g., GSA Schedules, NASA SEWP VI, Army ITES) must, under DFARS 252.204-7012\nand CMMC, host the CUI generated in contract performance in a cloud service\nmeeting the FedRAMP Moderate baseline. VirtualDojo AI CRM is built to satisfy\nthat requirement, maintaining federal CUI generated on behalf of those\nagencies through their contractors.\n\nStatus: VirtualDojo is pursuing FedRAMP 20x Certification (Class C, Program\npath) at the Moderate impact level and is in the Initial Implementation\nPhase. It has not completed a FedRAMP assessment and holds no agency ATO yet;\nthis listing will be updated as agency adoption is confirmed.",
  "provider": {
    "name": "VirtualDojo, Inc.",
    "uei": "JZCAH18DEDC8",
    "cage_code": "142E1",
    "website": "https://virtualdojo.com"
  },
  "description": "VirtualDojo AI CRM is a cloud-based customer relationship management\nplatform with AI-powered proposal generation, contact management,\npipeline forecasting, and document automation. The platform is designed\nfor government contractors and federal agencies managing procurement\nworkflows, storing Controlled Unclassified Information (CUI) including\ngovernment contract data, customer PII, proposal documents, and\nfinancial/pricing data.",
  "services": [
    {
      "name": "Contact & Account Management",
      "description": "CRM contact records, account hierarchies, activity tracking",
      "security_objectives": {
        "confidentiality": "Moderate",
        "integrity": "Moderate",
        "availability": "Moderate"
      },
      "in_fedramp_scope": true
    },
    {
      "name": "AI Proposal Generation",
      "description": "AI-powered proposal drafting using Google Vertex AI",
      "security_objectives": {
        "confidentiality": "Moderate",
        "integrity": "Moderate",
        "availability": "Low"
      },
      "in_fedramp_scope": true
    },
    {
      "name": "Pipeline & Forecasting",
      "description": "Sales pipeline management, revenue forecasting, analytics",
      "security_objectives": {
        "confidentiality": "Moderate",
        "integrity": "Moderate",
        "availability": "Low"
      },
      "in_fedramp_scope": true
    },
    {
      "name": "Document Management",
      "description": "Proposal documents, quotes, attachments stored in GCS",
      "security_objectives": {
        "confidentiality": "Moderate",
        "integrity": "Moderate",
        "availability": "Moderate"
      },
      "in_fedramp_scope": true
    },
    {
      "name": "Tenant Administration",
      "description": "Multi-tenant provisioning, user management, RBAC",
      "security_objectives": {
        "confidentiality": "Moderate",
        "integrity": "High",
        "availability": "Moderate"
      },
      "in_fedramp_scope": true
    }
  ],
  "contacts": {
    "security": {
      "name": "Devin Henderson",
      "role": "ISSO / CEO",
      "email": "devin@virtualdojo.com"
    },
    "sales": {
      "name": "Cyrus Calloway",
      "role": "VP of Sales",
      "email": "cyrus@virtualdojo.com"
    },
    "assessor": {
      "name": "Anthony Timbers LLC",
      "role": "FedRAMP-recognized 3PAO",
      "assessor_id": "203181"
    }
  },
  "leveraged_authorizations": [
    {
      "provider": "Google Cloud Platform",
      "service": "GCP Assured Workloads, including Vertex AI in-boundary (us-central1 for interactive inference; us multi-region via US REP endpoint for CUI-classifier batch jobs; org policy denies global)",
      "fedramp_id": "FR1805580474",
      "impact_level": "Moderate",
      "authorization_type": "JAB P-ATO"
    },
    {
      "provider": "Microsoft",
      "service": "Microsoft 365 GCC",
      "fedramp_id": "MSO365MT",
      "impact_level": "Moderate",
      "authorization_type": "Agency ATO"
    },
    {
      "provider": "Microsoft",
      "service": "Azure Commercial Cloud (EMS for GCC)",
      "fedramp_id": "F1209051525",
      "impact_level": "High",
      "authorization_type": "JAB P-ATO"
    }
  ],
  "certifications": [
    {
      "name": "FedRAMP 20x Certification (Class C)",
      "status": "In Progress",
      "detail": "Program path; Consolidated Rules for 2026"
    },
    {
      "name": "SOC 2 (Security / Common Criteria)",
      "status": "In Progress",
      "detail": "Type II, Security scope; independent CPA examination"
    }
  ],
  "subprocessors": [
    {
      "name": "Google Cloud Platform",
      "purpose": "Application hosting, storage, database, AI/ML (Vertex AI)",
      "data_handled": "In-boundary CUI (contract data, PII, documents)",
      "location": "US us-central1 (Assured Workloads)"
    },
    {
      "name": "Microsoft",
      "purpose": "Identity (Entra ID), endpoint management (Intune), productivity (M365)",
      "data_handled": "Administrator identities and device posture",
      "location": "US M365 GCC / Azure"
    },
    {
      "name": "SendGrid (Twilio)",
      "purpose": "Transactional email delivery",
      "data_handled": "System notifications only no CUI",
      "location": "US"
    },
    {
      "name": "Stripe",
      "purpose": "Subscription payment processing",
      "data_handled": "Billing metadata only (plan, tenant ID) no CUI/PII",
      "location": "US"
    },
    {
      "name": "GitHub",
      "purpose": "Source code management and CI/CD",
      "data_handled": "Source code no customer data",
      "location": "US"
    }
  ],
  "documents": [
    {
      "title": "Secure Configuration Guide",
      "access": "public",
      "delivery": "portal",
      "url": "https://trust.virtualdojo.com/secure-configuration-guide",
      "summary": "How to securely configure and operate the service",
      "metadata": {
        "file": "VDJ-Secure-Configuration-Guide.md",
        "related_practices": [
          "SCG",
          "KSI-PIY"
        ],
        "word_count": 4373,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "Data Retention Schedule",
      "access": "agency",
      "delivery": "portal",
      "summary": "Retention periods by data type",
      "metadata": {
        "file": "VDJ-Data-Retention-Schedule.md",
        "related_practices": [
          "KSI-RPL",
          "SI-12"
        ],
        "word_count": 1880,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "Contingency & Disaster Recovery Procedures",
      "access": "agency",
      "delivery": "portal",
      "summary": "Backup, recovery, and contingency testing",
      "metadata": {
        "file": "VDJ-Contingency-Testing-Procedures.md",
        "related_practices": [
          "KSI-RPL",
          "CP-2",
          "CP-4",
          "CP-9",
          "CP-10"
        ],
        "word_count": 12743,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "Operational Security Procedures",
      "access": "agency",
      "delivery": "portal",
      "summary": "Detection, response, and operational controls",
      "metadata": {
        "file": "VDJ-Operational-Security-Procedures.md",
        "related_practices": [
          "KSI-INR",
          "KSI-MLA",
          "IR-4",
          "SI-4"
        ],
        "word_count": 13239,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "Personnel Security Procedures",
      "access": "agency",
      "delivery": "portal",
      "summary": "Screening, onboarding, and access management",
      "metadata": {
        "file": "VDJ-Personnel-Security-Procedures.md",
        "related_practices": [
          "KSI-PIY",
          "PS-2",
          "PS-3",
          "PS-8"
        ],
        "word_count": 9993,
        "version": "1.0",
        "last_updated": "2026-03-11"
      }
    },
    {
      "title": "Supply Chain Risk Management Plan",
      "access": "agency",
      "delivery": "portal",
      "summary": "Third-party and supply-chain risk controls",
      "metadata": {
        "file": "VDJ-Supply-Chain-Risk-Management-Plan.md",
        "related_practices": [
          "KSI-TPR",
          "SR-1",
          "SR-5",
          "SR-6"
        ],
        "word_count": 12731,
        "version": "1.0",
        "last_updated": "2026-03-11"
      }
    },
    {
      "title": "Incident Response Procedures",
      "access": "agency",
      "delivery": "direct",
      "summary": "Incident detection, response, and reporting (dissemination controls preclude portal delivery; supplied directly to agencies)",
      "metadata": {
        "file": "VDJ-Risk-Response-Procedures.md",
        "related_practices": [
          "KSI-INR",
          "VDR",
          "IR-4",
          "IR-6",
          "RA-5(11)"
        ],
        "word_count": 10753,
        "version": "1.0",
        "last_updated": "2026-03-11"
      }
    },
    {
      "title": "Privacy Impact Assessment",
      "access": "agency",
      "delivery": "direct",
      "summary": "Privacy analysis of data handling (dissemination controls preclude portal delivery; supplied directly to agencies)",
      "metadata": {
        "file": "VDJ-Privacy-Impact-Assessment.md",
        "related_practices": [
          "KSI-PIY",
          "PT-1",
          "RA-8"
        ],
        "word_count": 7592,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "Risk & Vulnerability Management Procedures",
      "access": "agency",
      "delivery": "direct",
      "summary": "Vulnerability detection, evaluation, and remediation SLAs (dissemination controls preclude portal delivery)",
      "metadata": {
        "file": "VDJ-Risk-Vulnerability-Management-Procedures.md",
        "related_practices": [
          "VDR",
          "VER",
          "RA-5",
          "SI-2"
        ],
        "word_count": 17815,
        "version": "1.0",
        "last_updated": "2026-03-11"
      }
    },
    {
      "title": "Continuous Monitoring SOP",
      "access": "agency",
      "delivery": "direct",
      "summary": "Ongoing security-monitoring program (CUI marking review in progress; supplied directly to agencies meanwhile)",
      "metadata": {
        "file": "VDJ-Continuous-Monitoring-SOP.md",
        "related_practices": [
          "CCM",
          "CA-7"
        ],
        "word_count": 7513,
        "version": "1.0",
        "last_updated": "2026-07-04"
      }
    },
    {
      "title": "FedRAMP Certification Package (CPO \u00b7 SDR \u00b7 OCR)",
      "access": "agency",
      "delivery": "portal",
      "summary": "Full authorization package (human-readable + machine-readable JSON at /reports)"
    }
  ],
  "documentation_overview": "Public documents are readable by everyone below. Documents marked 'agency' are FedRAMP Certification Data: portal-delivered items are retrievable as signed, CUI-marked PDFs through the authenticated trust center (/documents); direct-delivery items carry dissemination controls that preclude portal delivery and are supplied to agencies through a direct controlled channel on request. Every document's metadata (file, version, word count, last update, related FedRAMP practices) is published machine-readably here per CDS-CSO-IRP.",
  "faq": [
    {
      "q": "Where is my data stored?",
      "a": "All customer data is stored and processed within the United States in Google Cloud under Assured Workloads (DATA_BOUNDARY_FOR_FEDRAMP_MODERATE). The primary region is us-central1 and disaster-recovery backups are replicated to us-east4; both are inside the same FedRAMP Moderate Assured Workloads enclave, so data never leaves the US boundary. All copies are encrypted with customer-managed keys (CMEK)."
    },
    {
      "q": "How is data encrypted?",
      "a": "Data is encrypted at rest with customer-managed encryption keys (CMEK) in Google Cloud KMS, and in transit with TLS 1.2+. Cryptography uses FIPS 140-validated modules."
    },
    {
      "q": "What compliance frameworks do you follow?",
      "a": "VirtualDojo is pursuing FedRAMP 20x Certification (Class C) and a SOC 2 (Security) examination. The service is built on Google Cloud and Microsoft services that hold FedRAMP authorizations. Current status is shown on this page."
    },
    {
      "q": "Is VirtualDojo FedRAMP High or Moderate?",
      "a": "FedRAMP Moderate equivalently, FedRAMP 20x Certification Class C, which is the applicable baseline for the Controlled Unclassified Information this service handles. VirtualDojo runs on Google Cloud under the Assured Workloads FedRAMP Moderate data-boundary regime, inheriting Google Cloud's FedRAMP Moderate authorization. Google Cloud also offers a FedRAMP High regime; VirtualDojo uses the Moderate boundary, so we describe our environment as Moderate rather than High."
    },
    {
      "q": "Who are your subprocessors?",
      "a": "Google Cloud, Microsoft, SendGrid, Stripe, and GitHub. Each subprocessor, its purpose, the data it handles, and its location are listed in the Subprocessors section above."
    },
    {
      "q": "How do you control access?",
      "a": "Access requires multi-factor authentication and Conditional Access via Microsoft Entra ID, enforces role-based access control and least privilege, and is continuously monitored by the automated KSI validator."
    },
    {
      "q": "How do you handle security incidents?",
      "a": "VirtualDojo maintains documented incident-response procedures with continuous monitoring and defined notification timelines. Suspected incidents can be reported to security@virtualdojo.com."
    },
    {
      "q": "How is availability monitored?",
      "a": "Service availability is measured by a Google Cloud uptime check on app.virtualdojo.com, and 46 Key Security Indicators are validated nightly in-boundary. A rolling availability percentage publishes on this page as monitoring history accrues."
    },
    {
      "q": "What data does the service handle?",
      "a": "The service handles Controlled Unclassified Information (CUI) including government contract data, customer PII, proposal documents, and pricing data, at the FedRAMP Moderate impact level."
    },
    {
      "q": "How can a federal agency access the full certification package?",
      "a": "The Certification Package (Certification Package Overview, Security Decision Record, and Ongoing Certification Reports) is available through authenticated self-service access at trust.virtualdojo.com/request-access federal (.gov/.mil) requesters are granted access automatically; other requests are reviewed under NDA. After signing in, human-readable report pages and the machine-readable JSON are both available under /reports."
    }
  ],
  "data_residency": "* All customer data is stored and processed only in the United States, on Google\nCloud under Assured Workloads (policy DATA_BOUNDARY_FOR_FEDRAMP_MODERATE, which\nGoogle enforces so resources cannot be created outside the FedRAMP Moderate US\nregion set; the policy denies non-US and global locations). Compute and most AI\ninference run in us-central1 (Iowa); the CUI-classifier batch jobs run on Vertex\nAI in the US multi-region; durable object storage uses the US multi-region; and\ndisaster-recovery backups replicate to us-east4 (Virginia). All of these are US\nlocations inside the same FedRAMP Moderate Assured Workloads enclave, so data\nnever leaves the US authorization boundary. Every copy is encrypted with\ncustomer-managed keys (CMEK) that VirtualDojo controls.",
  "data_residency_regions": [
    {
      "name": "us-central1",
      "location": "Iowa",
      "role": "Primary region",
      "contents": "Cloud Run compute, most Vertex AI inference, the AlloyDB primary, Memorystore Redis, Secret Manager, and the primary application services. All encrypted with customer-managed keys (CMEK)."
    },
    {
      "name": "us (multi-region)",
      "location": "United States",
      "role": "Storage and batch AI",
      "contents": "Durable object storage (Cloud Storage US multi-region) and the CUI-classifier batch jobs on Vertex AI via the US REP endpoint. The location org policy allows us and denies global. CMEK encrypted."
    },
    {
      "name": "us-east4",
      "location": "Virginia",
      "role": "Disaster recovery",
      "contents": "AlloyDB cross-region CMEK backups (every 4 hours, 35-day retention) and Cloud Storage file replication. Recovery objectives RTO 12h / RPO 4h."
    }
  ],
  "service_availability": {
    "monitoring": "Google Cloud uptime checks (5-minute interval) on app.virtualdojo.com",
    "monitoring_since": "2026-07-04",
    "measured": {
      "rolling_percent": 99.986,
      "window_days": 4,
      "daily_history": [
        {
          "date": "2026-07-06",
          "availability_percent": 100
        },
        {
          "date": "2026-07-07",
          "availability_percent": 99.942
        },
        {
          "date": "2026-07-08",
          "availability_percent": 100
        },
        {
          "date": "2026-07-09",
          "availability_percent": 100
        }
      ]
    }
  },
  "links": {
    "product_website": "https://virtualdojo.com",
    "marketplace": null,
    "secure_configuration_guide": "https://trust.virtualdojo.com/secure-configuration-guide",
    "privacy_policy": "https://www.virtualdojo.com/privacy-policy",
    "trust_center": "https://trust.virtualdojo.com",
    "logo": "https://trust.virtualdojo.com/static/logo.png"
  },
  "next_certification_report_date": "2026-10-02",
  "pending_fields": [
    "marketplace_url (expected, populated after listing)"
  ]
}