Compliance

Compliance & Security Standards

Last Updated: April 12, 2026

For federal contractors: MAS Pilot is designed for use by GSA Schedule holders in managing their own contract compliance. This page summarizes our security posture and the standards we target.

Data Residency

All data processed and stored by MAS Pilot resides within the United States. We do not transfer contractor data outside the United States. Our infrastructure is hosted on US-based cloud services.

NIST SP 800-171

MAS Pilot is designed with reference to the security controls outlined in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Key controls we implement include:

Access Control (3.1) — Role-based access, least privilege, session management, and MFA for administrative access
Audit and Accountability (3.3) — Comprehensive audit logging of all user and system actions
Configuration Management (3.4) — Baseline configurations and change management for all systems
Identification and Authentication (3.5) — Unique user accounts, strong password requirements, and MFA
Incident Response (3.6) — Documented incident response procedures and breach notification processes
System and Communications Protection (3.13) — Encryption in transit (TLS 1.3) and at rest (AES-256)

MAS Pilot does not process, store, or transmit Controlled Unclassified Information (CUI) on behalf of the government. Our platform processes contractor-originated data only.

FAR 52.204-21 — Basic Safeguarding

MAS Pilot implements the basic safeguarding requirements for contractor information systems as required by FAR 52.204-21. These include limiting system access to authorized users, using encryption for transmitting covered contractor information, and protecting information consistent with FAR requirements.

Section 508 / WCAG 2.1

We are committed to Section 508 compliance and WCAG 2.1 Level AA conformance. See our Accessibility Statement for current status and known limitations.

FedRAMP

MAS Pilot is not itself FedRAMP authorized. However, our platform is built on cloud infrastructure that holds FedRAMP authorization. If your program office has specific FedRAMP requirements, please contact us — authorization applicability varies by agency and sensitivity level.

Encryption

In transit: All communications between your browser and MAS Pilot are encrypted using TLS 1.3. We do not support TLS 1.0 or 1.1.
At rest: All stored data is encrypted at rest using AES-256.
Transactional data: Pricing and sales data submitted for TDR validation is processed in-memory only and is never written to persistent storage.

Vulnerability Disclosure

We operate a responsible disclosure policy. If you discover a security vulnerability in MAS Pilot, please report it to [email protected] with the subject line "Security Disclosure" before public disclosure. We commit to responding within 2 business days and resolving confirmed vulnerabilities within 30 days.

Penetration Testing

MAS Pilot undergoes periodic security testing. Documentation is available to enterprise customers and government agencies under NDA upon written request.

Business Continuity

MAS Pilot maintains a documented business continuity and disaster recovery plan targeting a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets appropriate for a business-critical SaaS platform.

Contact

For security and compliance inquiries: [email protected]
Subject: Security / Compliance Inquiry