CUPELON

Security & Compliance

Built from the ground up for CUI environments, DoD contractors, and federal agencies. Every architectural decision prioritizes data sovereignty and regulatory compliance.

Zero Outbound Traffic

Cupelon is designed so that no data leaves your organization's boundary: nothing is sent to the vendor or to any third party. The only outbound connections it makes are API calls to your own email platform (Microsoft Graph or Google Workspace) within your own cloud subscription.

  • No telemetry: Zero analytics, usage tracking, or diagnostic data sent anywhere
  • No phone-home: License validation happens entirely offline
  • No external feeds: Threat intelligence is generated from your own users' behavior
  • Air-gap capable: Fully functional in networks with no general internet access

FIPS-Approved Cryptography

Cupelon uses FIPS-approved cryptographic algorithms throughout. The validation itself belongs to the platform, not to Cupelon: when deployed on Ubuntu Pro with FIPS mode enabled, the validated OS kernel and cryptographic modules provide the certified foundation, and Cupelon restricts itself to approved algorithms on top of that stack, so the node as a whole operates in a FIPS-compliant configuration.

  • Ubuntu Pro + FIPS: Deploy on Ubuntu Pro with FIPS mode for a fully compliant stack with validated kernel and cryptographic modules. Confirm the mode on the host by reading /proc/sys/crypto/fips_enabled, which reports 1 when the kernel is running in FIPS mode
  • Certificate authentication: Supports X.509 certificate-based API authentication — client secrets can be disabled entirely
  • FIPS-approved algorithms: All cryptographic operations (signing, hashing, authentication) use algorithms on the FIPS-approved list
  • PII protection: User identifiers are always stored as cryptographic hashes, never in plaintext

Air-Gap & Offline Deployment

Built for classified environments, SCIFs, and networks without general internet access: Cupelon operates fully offline after initial deployment.

Offline License Validation

Licenses are cryptographically signed and validated entirely locally — no license server, no phone-home, no internet connection required.

Offline Updates

Transfer updates via USB or secure file transfer and apply them locally. No internet connection needed for updates.

Offline Revocation

Revocation lists are delivered as part of application updates — no CRL or OCSP endpoints required.
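The two mechanisms above (a signed license checked locally, and a revocation list that arrives with updates instead of from a CRL or OCSP endpoint) fit in one routine. The following is an added illustration, not Cupelon's code or license format: it assumes an Ed25519 issuer key whose public half is pinned in the product, a JSON payload with made-up field names, and a revocation list represented as a set of license IDs. The key pair is derived from a fixed seed only so the example is reproducible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed payload. The field names are this example's own,
// not Cupelon's license format.
type License struct {
	ID       string   `json:"id"`
	Customer string   `json:"customer"`
	NotAfter int64    `json:"not_after"` // Unix seconds
	Features []string `json:"features"`
}

// SignedLicense carries the exact payload bytes that were signed, so the
// verifier never re-serialises (and possibly alters) what it checks.
type SignedLicense struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrExpired      = errors.New("license: expired")
	ErrRevoked      = errors.New("license: revoked")
)

// Sign runs at the issuer. The private key never reaches the customer network.
func Sign(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Validate needs only local inputs: the issuer public key pinned in the
// binary, the host clock, and the revocation list shipped with updates.
// The signature is checked before the payload is parsed, so unsigned
// bytes never reach the JSON decoder.
func Validate(pub ed25519.PublicKey, sl SignedLicense, revoked map[string]bool, now time.Time) (License, error) {
	if !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return License{}, ErrBadSignature
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return License{}, err
	}
	if now.Unix() > lic.NotAfter {
		return lic, ErrExpired
	}
	if revoked[lic.ID] {
		return lic, ErrRevoked
	}
	return lic, nil
}

// DemoKeyPair derives a key pair from a fixed, constructed seed so the example
// is reproducible. A real issuer draws the seed from crypto/rand and embeds
// only the public key in the product.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeyPair()
	now := time.Unix(1700000000, 0)
	lic := License{ID: "LIC-0001", Customer: "Example Corp", NotAfter: now.Add(24 * time.Hour).Unix(), Features: []string{"banners"}}
	sl, _ := Sign(priv, lic)

	_, err := Validate(pub, sl, nil, now)
	fmt.Println("genuine: ", err)

	tampered := sl
	tampered.Payload = bytes.Replace(sl.Payload, []byte("LIC-0001"), []byte("LIC-0002"), 1)
	_, err = Validate(pub, tampered, nil, now)
	fmt.Println("tampered:", err)

	// Revocation list delivered with an update; no CRL or OCSP endpoint involved.
	_, err = Validate(pub, sl, map[string]bool{"LIC-0001": true}, now)
	fmt.Println("revoked: ", err)

	_, err = Validate(pub, sl, nil, now.Add(48*time.Hour))
	fmt.Println("expired: ", err)
}
```

The order of checks matters on an air-gapped host: the signature gate runs first so that a tampered file is rejected before any of its contents are interpreted, and the expiry check uses the host clock, which is the one input an offline validator cannot corroborate, so clock discipline on the node is part of the control.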

No External Dependencies

The dashboard and all UI assets are served locally. No CDN calls, no external fonts, no JavaScript libraries loaded from the internet.

Role-Based Access Control

Integrates with your existing identity provider for enterprise role-based access control, or use API key authentication for simpler deployments.

Role        Permissions
Admin       Full access: configuration, alerting, allowlists, templates, user management
Analyst     Read/write: domains, threat indicators, events, audit logs
Read-Only   View-only: dashboards, reports, audit logs

Comprehensive Audit Logging

Every system action is logged to a queryable audit trail. Retention is configurable with automatic purge to meet your data governance requirements.

What Gets Logged

  • Banner operations
  • Threat indicator events
  • Webhook & event processing
  • Admin configuration changes
  • API calls & errors
  • Training panel activity
  • Authentication events

Audit logs are searchable by actor, action, resource type, and date range. Use them as evidence for CMMC assessments, FedRAMP continuous monitoring, and incident investigations.

PII Protection

Cupelon never stores user email addresses in plaintext. All user identifiers are stored as one-way cryptographic hashes, so the database holds no address that can be read back directly. A hash of an address can still be matched by someone who holds both the hashed table and a list of candidate addresses; keying the hash with a secret held outside the database closes that path.

  • Hashed identifiers: User and mailbox identifiers are always stored as one-way cryptographic hashes
  • No message storage: Email bodies are processed in memory and never persisted — only threat indicators are retained
  • Configurable retention: Automatic data purge on your schedule for events, audit logs, and training records
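The difference between an unkeyed hash and a keyed one is easiest to see by playing the attacker. This is an added illustration, not Cupelon's code; the page does not state how its identifier hashes are constructed, so the plain SHA-256 and the HMAC-SHA256 variants below are both assumptions, and the addresses and key are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// normalize makes the same mailbox hash identically regardless of case or
// surrounding whitespace, so events for one user can still be correlated.
func normalize(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// PlainHash is an unkeyed SHA-256 of the address. It is one-way, but the
// input space (a tenant's address book) is small enough to enumerate.
func PlainHash(email string) string {
	sum := sha256.Sum256([]byte(normalize(email)))
	return hex.EncodeToString(sum[:])
}

// KeyedHash is HMAC-SHA256 under a secret kept outside the database
// (a restricted config file, or a KMS/HSM). Without the key, a candidate
// list cannot be matched against the stored values.
func KeyedHash(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(normalize(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Recover models someone holding a copy of the identifier table and a guessed
// address list: every candidate whose hash appears in the table is recovered.
func Recover(stored map[string]bool, candidates []string, hash func(string) string) []string {
	var hits []string
	for _, c := range candidates {
		if stored[hash(c)] {
			hits = append(hits, c)
		}
	}
	return hits
}

// table builds the stored identifier set from a list of addresses.
func table(addrs []string, hash func(string) string) map[string]bool {
	m := make(map[string]bool, len(addrs))
	for _, a := range addrs {
		m[hash(a)] = true
	}
	return m
}

func main() {
	// Constructed sample data, not from any real deployment.
	users := []string{"alice@example.com", "bob@example.com", "carol@example.com"}
	guesses := []string{"alice@example.com", "carol@example.com", "mallory@example.com"}
	key := []byte("constructed-pepper-keep-out-of-the-database")
	keyed := func(e string) string { return KeyedHash(key, e) }

	fmt.Println("unkeyed table, attacker with guesses:", Recover(table(users, PlainHash), guesses, PlainHash))
	fmt.Println("keyed table, attacker without key:   ", Recover(table(users, keyed), guesses, PlainHash))
	fmt.Println("keyed table, operator with key:      ", Recover(table(users, keyed), guesses, keyed))
}
```

The operator keeps the ability to look up a known address (needed for incident investigations and training records), while a database export on its own no longer yields identities. The key must live somewhere a database dump does not reach, or the protection collapses back to the unkeyed case.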

Compliance Framework Alignment

Cupelon's architecture supports the following compliance frameworks. Features like audit logging, RBAC, certificate auth, and data retention provide the technical controls these frameworks require.

CMMC Level 2/3

Cybersecurity Maturity Model Certification for DoD contractors

NIST 800-171

Protecting Controlled Unclassified Information (CUI) in non-federal systems

FedRAMP High

Architecture aligned with the Federal Risk and Authorization Management Program at the High baseline (alignment of technical controls, not an authorization)

FISMA

Federal Information Security Management Act compliance support

CJIS

Criminal Justice Information Services security policy

IRS 1075

Safeguarding Federal Tax Information requirements

DISA STIG

Security Technical Implementation Guide compliance support

Built For

DoD Contractors

CMMC Level 2/3 compliance for the Defense Industrial Base. Self-hosted with FIPS-approved algorithms and certificate authentication.

Federal Agencies

FedRAMP-aligned architecture with comprehensive audit logging for FISMA compliance.

State & Local Government

CJIS-ready deployment for law enforcement and criminal justice organizations.

Critical Infrastructure

Air-gap capable for energy, water, and transportation sectors where internet access is restricted.

Questions About Compliance?

Contact us for architecture documentation, compliance mapping worksheets, or air-gap installation packages.