The 40 questions your procurement officer always asks.
PHA procurement officers ask the same 40 questions before every contract — security certs, data handling, contract vehicles, SLAs, audit support. We've pre-answered them all, with honest status (no overstating). If a question you need isn't here, we'll answer it directly.
Where we are honestly
We're a new platform. We won't pretend to have certifications we don't. For PHAs whose procurement policy requires something we don't yet have, we have three paths forward:
Our certification roadmap is published above. Most large-PHA blockers (SOC 2 Type II, GSA Schedule, SSO) ship in 2026.
We have partnerships with GSA holders and Section-3-compliant primes for cases where the vehicle matters more than the certification.
Many PHAs run a 12-month pilot through unrestricted operating funds (under purchase-card threshold), then bring us under formal contract once certifications land.
Security certifications + compliance
Mandatory bid disqualifiers for most large PHAs. Honest status — no overstating.
Are you SOC 2 Type II compliant?
Status: In progress
Type I audit completed; Type II in progress. We expect the Type II report (12-month observation period) to be available Q3 2026. We can share the Type I report under NDA today.
Are you FedRAMP authorized?
Status: Roadmap
FedRAMP Moderate is on our roadmap. Current target: FedRAMP Ready by Q2 2026, In-Process by end of 2026. We are not FedRAMP authorized today. For PHAs requiring FedRAMP authorization at procurement, we are not yet a fit.
Are you StateRAMP authorized?
Status: Roadmap
Not currently. We will pursue StateRAMP authorization for the states where reference customers require it. Timeline depends on customer demand; typical authorization is ~9 months from initial application.
Do you align with HUD's IT security requirements (FISMA, HUD Handbook 2400.25)?
Status: Info
Yes. Our platform is built to support FISMA Moderate controls. We do not currently hold a HUD ATO (Authority to Operate) but our control implementation is documented and we can submit for a HUD-specific authorization if a sponsoring PHA or HUD field office requests it.
Is data hosted in a Government Community Cloud (GCC)?
Status: In progress
Customer data can be hosted in Azure Government (GCC) for PHAs whose Microsoft 365 tenant is GCC-resident. Default deployment is commercial Azure with strict data-residency commitments (CONUS). GCC-High not currently supported.
Do you carry cyber liability insurance?
Status: Live today
Yes — $5M cyber liability + $5M E&O + $2M tech professional indemnity. Certificates of insurance available on request. We can name the agency as additional insured on request.
Are you HIPAA compliant?
Status: In progress
We are HIPAA-aligned by architecture (encryption at rest + in transit, audit logging, BAA available). PHAs handling PHI from elderly/disabled assistance programs may execute a BAA with us. We do not currently hold formal HIPAA certification.
PCI-DSS?
Status: Info
Not in scope. We don't process credit card payments or handle cardholder data. Tenant payments to PHAs flow through the PHA's existing merchant processor; we do not interpose.
Data handling, privacy, and access
How tenant + financial data is stored, transmitted, and audited.
Where is customer data stored?
Status: Live today
Default: Azure West US 3 + East US 2 (active-active). For GCC-resident customers: Azure US Gov Virginia + Arizona. All data encrypted at rest (AES-256) and in transit (TLS 1.3). No data leaves the contracted region.
Who has access to our data internally at Ledger Copilot?
Status: Live today
Customer Success engineers have read-only access strictly for debugging support tickets, with audit log entries written for every read. No write access. No bulk export. No data scientist or marketing access. Engineering has zero access to production customer data.
Do you use our data to train AI models?
Status: Live today
No. Our categorization, audit, and anomaly engines are deterministic — pattern-based, not learned. Any future LLM features will be opt-in per customer with explicit data-handling terms. Default: your data trains no model.
How is tenant PII protected?
Status: Live today
AES-256-GCM encryption per-tenant. Tenant-scoped HMAC for searchable lookups. Field-level encryption for SSN/DOB. PII never appears in logs or error messages.
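As an added illustration (not Ledger Copilot's code), here is how a tenant-scoped HMAC lookup token works using only Python's standard library. It assumes "tenant-scoped" means keyed per customer PHA, uses a constructed master key, and leaves out the AES-256-GCM field encryption that would be stored beside the token.

```python
import hmac
import hashlib
import re

# Constructed master key for the example only; in a real deployment this lives in a KMS/HSM.
MASTER_KEY = b"example-master-key-do-not-use-in-production"


def pha_lookup_key(master_key: bytes, pha_id: str) -> bytes:
    """Derive a per-PHA lookup key so tokens never match across customers (assumed scheme)."""
    return hmac.new(master_key, b"lookup-index:" + pha_id.encode(), hashlib.sha256).digest()


def normalize_ssn(ssn: str) -> str:
    """Canonical form (digits only) so '123-45-6789' and '123456789' index the same record."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def blind_index(master_key: bytes, pha_id: str, ssn: str) -> str:
    """Keyed token stored next to the encrypted field; supports equality lookup only."""
    key = pha_lookup_key(master_key, pha_id)
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


class PhaIndex:
    """In-memory stand-in for the database column holding the blind index (constructed)."""

    def __init__(self, master_key: bytes, pha_id: str):
        self.master_key = master_key
        self.pha_id = pha_id
        self._rows = {}  # token -> record id; the plaintext SSN is never stored here

    def insert(self, record_id: str, ssn: str) -> None:
        self._rows[blind_index(self.master_key, self.pha_id, ssn)] = record_id

    def lookup(self, ssn: str):
        return self._rows.get(blind_index(self.master_key, self.pha_id, ssn))


def demo():
    pha_a = PhaIndex(MASTER_KEY, "pha-a")
    pha_b = PhaIndex(MASTER_KEY, "pha-b")
    pha_a.insert("resident-0001", "123-45-6789")  # constructed sample record
    found = pha_a.lookup("123456789")  # same person, different formatting, same PHA
    # The same SSN under another PHA yields an unrelated token, so cross-tenant matching fails.
    distinct = blind_index(MASTER_KEY, "pha-a", "123-45-6789") != blind_index(MASTER_KEY, "pha-b", "123-45-6789")
    return found, distinct, pha_b.lookup("123-45-6789")
```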
What happens to our data if we cancel?
Status: Live today
Full data export available in standard formats (CSV, FDS XML, HUD-50058 XML). Export delivered within 30 days of cancellation request. After a 90-day grace period, data is purged from production. Backups retained per regulatory minimum (7 years for HUD records) in encrypted cold storage; deleted at end of retention period.
Are backups encrypted? Where are they stored?
Status: Live today
Yes. Encrypted at rest with separate KMS keys. Stored in geo-redundant Azure Blob Storage. Point-in-time recovery to any moment in the last 35 days. Older backups stored in compliance archive for 7 years (HUD retention requirement).
Audit logging — what's captured and for how long?
Status: Live today
Every user action: login, view, create, modify, export, delete. Logs retained 7 years to align with HUD record retention. Logs are append-only with content-hash chaining (tamper-evident). Available via API for ingestion into the PHA's own SIEM.
Identity, authentication, and access control
SSO, MFA, role-based access.
Do you support SSO (SAML or OIDC)?
Status: In progress
OIDC via Azure AD shipping Q1 2026. SAML (Okta, ADFS, Ping) Q2 2026. Today: email + password + TOTP MFA. Most large-PHA customers wait for SSO before broad rollout.
Is MFA enforced?
Status: Live today
MFA mandatory for all accounts. TOTP (Authenticator apps) and SMS supported. Hardware keys (YubiKey, FIDO2) on roadmap Q2 2026. We don't permit MFA bypass for any role, including ours.
Role-based access controls?
Status: Live today
Pre-defined roles: Executive Director, Finance Director, Compliance Officer, Inspector, Read-Only Auditor, IT Admin. Custom roles configurable by IT Admin. Permissions evaluated server-side on every request.
Are passwords stored hashed?
Status: Live today
Yes — Argon2id with per-user salts. No password is ever stored in plaintext anywhere in our system or logs.
Session management?
Status: Live today
Sessions expire after 8 hours of inactivity (configurable to as low as 30 min). HttpOnly + Secure cookies. CSRF tokens on all state-changing operations. Sessions invalidated server-side on logout, password change, or role change.
Procurement vehicles + contracting
The mechanical parts of putting us under contract.
Are you on the GSA Schedule?
Status: Roadmap
Not currently. We are pursuing GSA MAS (Multiple Award Schedule) IT-70 listing. Expected 9–12 months from application. For PHAs needing a GSA vehicle today, we can subcontract through an existing GSA holder (we have arrangements with two; reference list on request).
Can we buy through cooperative purchasing (Sourcewell, OMNIA, etc.)?
Status: In progress
We are applying for Sourcewell IT cooperative contract Q1 2026. For PHAs whose procurement policy allows cooperative purchases, this becomes the easiest contract vehicle once awarded.
Will you respond to RFPs?
Status: Live today
Yes, actively. We've responded to 4 PHA RFPs in 2025. Typical response includes our standard security packet, sample MSA, pricing, references, and methodology documentation. We do not require an RFP to engage — we'll happily start with a pilot.
What is the sample MSA term?
Status: Live today
12-month initial term, month-to-month after. 30-day termination for convenience after month 12. Mid-term termination available for material breach with 30 days written notice + cure period. No early-termination penalties. Sample MSA available on request.
Standard payment terms?
Status: Live today
Net 30. Annual prepayment discount (3%) available. We invoice monthly by default; quarterly or annual cycles available. We accept ACH, wire, GSA SmartPay, and check.
Do you carry general liability insurance?
Status: Live today
$2M general liability, $5M umbrella. Certificate of insurance available upon contract execution; additional insured endorsements available on request.
Davis-Bacon / prevailing wage compliance for any work performed?
Status: Live today
Our staff are W-2 employees of Ledger Copilot, paid above relevant prevailing wage rates. We do not perform on-site work at PHA facilities (all work is remote or in our offices). If on-site implementation is requested, we'd use a prevailing-wage-compliant subcontractor.
Section 3 compliance?
Status: Info
We do not currently meet Section 3 hiring requirements as a small software vendor. For larger procurements where Section 3 matters, we work with a prime contractor who carries the Section 3 commitment. We can introduce you to two such partners.
Service levels, support, and uptime
What you can count on operationally.
What's your uptime SLA?
Status: Live today
We target 99.9% monthly uptime, measured by an external monitor at 1-minute intervals, with service-credit terms defined in the MSA. Measured availability is reported to customers; ask for our current uptime history.
Support hours?
Status: Live today
Email + ticketing 24/7. Live chat 7am–8pm Eastern, business days. Phone support included in Enterprise + Large-PHA tiers. P1 (production down) response within 1 hour, 24/7.
Do you have a Customer Success Manager assigned to our account?
Status: Live today
Yes for Mid-Market and above tiers. Named CSM, monthly check-ins, named escalation path. SMB tier shares a pool of CSMs but still has a named primary contact.
How fast do you patch security vulnerabilities?
Status: Live today
Critical: within 24 hours of disclosure. High: within 7 days. Medium: within 30 days. We subscribe to all relevant CVE feeds for our dependency stack and patch automatically via continuous deployment.
Disaster recovery — what's the RPO and RTO?
Status: Live today
RPO (max data loss): 15 minutes (point-in-time recovery). RTO (max downtime): 4 hours for full region failover. Cross-region active-active deployment; failover is automatic.
Where is your support team based?
Status: Live today
All support staff are US-based, W-2 employees. No offshore support. We do not outsource to third parties — every support interaction is with a Ledger Copilot employee.
Independent validation + audit support
What your CPA / single-auditor / HUD field office will ask for.
Do you provide an auditor-access account?
Status: Live today
Yes, included at no charge. Read-only auditor accounts for your CPA + HUD field analyst. Audit-specific reports (audit trail, fingerprint verification, change history) generated on demand.
Can you provide a SOC 1 report (financial-reporting controls)?
Status: In progress
SOC 1 Type II planned to coincide with our Type II SOC 2 (Q3 2026). For PHAs whose annual audit requires this, we can provide bridge letters from our SOC 1 Type I and our financial-controls documentation in the interim.
Are reports re-runnable / verifiable after the fact?
Status: Live today
Yes. Every audit + financial report carries a re-runnable SHA-256 fingerprint of the input data. Re-running the same report later with the same inputs produces the same output and matches the fingerprint. PHA-Web does not offer a comparable re-runnable fingerprint.
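As an added example, not the platform's own code, the following Python sketches the two integrity mechanisms this page describes: the append-only audit log with content-hash chaining (from the audit logging answer) and the order-independent SHA-256 report fingerprint (this answer). The entry layout, genesis value, canonical-JSON rules and sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor used as prev_hash of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace) so equal data always hashes equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_entry(log: list, event: dict) -> dict:
    """Append an audit event whose hash commits to its sequence, content and predecessor."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev_hash": prev, "event": event}
    entry["hash"] = sha256_hex(canonical({k: entry[k] for k in ("seq", "prev_hash", "event")}))
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Recompute every link; return (ok, index of first bad entry or -1).
    Edits, deletions and reordering all break the recomputed hash or the seq/prev_hash link."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = sha256_hex(canonical({"seq": i, "prev_hash": prev, "event": entry["event"]}))
        if entry["seq"] != i or entry["prev_hash"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, -1


def report_fingerprint(records: list) -> str:
    """Row-order- and key-order-independent SHA-256 over a report's input rows (assumed scheme)."""
    rows = sorted(canonical(r) for r in records)
    return sha256_hex(b"\n".join(rows))


def demo():
    log = []  # constructed sample events
    append_entry(log, {"user": "auditor1", "action": "view", "object": "ledger/2025-09"})
    append_entry(log, {"user": "fin_dir", "action": "modify", "object": "je/1042"})
    append_entry(log, {"user": "fin_dir", "action": "export", "object": "fds/2025"})
    before = verify_chain(log)
    log[1]["event"]["action"] = "view"  # silent edit of a historical entry
    return before, verify_chain(log)
```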
Can our CPA review your methodology?
Status: Live today
Yes. Our deterministic algorithms (categorizer, reconciliation, audit, FDS generator) are documented with rule citations to HUD regulations. CPA-friendly methodology docs available without NDA. Algorithm source code reviewable under NDA.
What happens if your numbers disagree with PHA-Web's?
Status: Live today
During the side-by-side run, variances above 1% pause cutover until root-caused. Common causes: timing differences (cutoff dates), category mapping (chart-of-accounts evolution), historic data quality (PHA-Web errors that LC inherited from import). All are resolved before LC becomes authoritative.
Question not here?
Email the question — we'll respond within 48 hours with a real answer. If we can't, we'll tell you that too. Every question added to this page started as a customer ask.