For carrier dispatch: 619-320-2700 | Adjuster portal: adjuster-portal.html

Cal Coast Vendor Security Brief

Pre-filled responses to standard insurance carrier vendor security questionnaires. Bookmark or share with your vendor coordinator.

Summary for Vendor Coordinators

Cal Coast Water Damage operates infrastructure that exceeds standard carrier vendor security requirements. We are CCPA-compliant, publish a vulnerability disclosure policy, maintain cryptographically verifiable business identity, and do not sell or share customer data with third-party brokers. The questions below mirror common carrier vendor questionnaires.

Data Handling

Compliant
Q: Do you sell or share customer personal information with third parties?
A: No. Cal Coast does not sell customer information. We share only with the customer's insurance carrier (with authorization), required subcontractors (plumbers, electricians), and standard service providers (Google Analytics, Formspree, Anthropic) under data processing agreements. See our privacy policy.
Compliant
Q: Are you CCPA-compliant?
A: Yes. California residents can request access to their data, request deletion, and opt out of sale (we do not sell). We respond within the 45-day window CCPA requires. The process is documented in section 4 of our privacy policy.
Compliant
Q: How long do you retain customer records?
A: A minimum of 7 years, per California contractor recordkeeping requirements. Insurance claim documentation may be retained longer where carrier requirements call for it. Customers can request earlier deletion, subject to any applicable legal hold periods.

Technical Security

Compliant
Q: Is the website served over HTTPS with valid certificates?
A: Yes. HTTPS is enforced via HSTS with preload (max-age of 2 years). Only TLS 1.2 and later are accepted. The configuration targets an SSL Labs A+ rating.
Compliant
Q: Are HTTP security headers configured?
A: Yes. Comprehensive Content Security Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy, Cross-Origin policies, NEL reporting. Verifiable at securityheaders.com.
Compliant
Q: Do you have a vulnerability disclosure policy?
A: Yes. RFC 9116 security.txt published at /.well-known/security.txt. Bug bounty program with safe harbor at bug-bounty.html.
Compliant
Q: Do you have cryptographically verifiable business identity?
A: Yes. Decentralized Identifier (W3C DID) published at /.well-known/did.json. Allows cryptographic verification of any signed claim documentation we provide.
Compliant
Q: Are customer-facing forms protected against bots?
A: Yes. Honeypot fields on all customer forms, rate limiting on Formspree submissions, CSRF protection via Formspree.
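A carrier reviewer can confirm the HTTPS and header claims above against a live response rather than taking the brief at its word. The checker below is an added example written for this brief, not Cal Coast's own tooling: it parses a Strict-Transport-Security value, holds it to the 2-year max-age stated above, and checks that each header the brief lists is present (with X-Frame-Options and X-Content-Type-Options required to carry exactly the stated values). The two response samples are constructed for illustration and were not captured from any real site; `fetch_headers` is the only part that touches the network.

```python
import re
import urllib.request  # used only by fetch_headers(); the checks run offline

# Two years in seconds, the HSTS max-age the brief claims.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000

# Headers the brief lists as configured. None means "present with any value";
# a string means the value must match exactly (compared case-insensitively).
EXPECTED = {
    "content-security-policy": None,
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": None,
    "permissions-policy": None,
    "cross-origin-opener-policy": None,
    "cross-origin-resource-policy": None,
    "nel": None,
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its three directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (d.strip().lower() for d in value.split(";") if d.strip()):
        m = re.fullmatch(r'max-age="?(\d+)"?', directive)
        if m:
            result["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


def check_headers(headers, min_max_age=TWO_YEARS):
    """Return {check_name: passed} for every control the brief claims."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    findings["hsts_max_age"] = hsts["max_age"] is not None and hsts["max_age"] >= min_max_age
    # The preload list requires includeSubDomains and preload in addition to a
    # long max-age, so both flags are checked together.
    findings["hsts_preload_ready"] = hsts["include_subdomains"] and hsts["preload"]
    for name, expected in EXPECTED.items():
        value = h.get(name)
        if expected is None:
            findings[name] = value is not None and value.strip() != ""
        else:
            findings[name] = value is not None and value.strip().lower() == expected.lower()
    return findings


def failing(findings):
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, ok in findings.items() if not ok)


def fetch_headers(url):
    """Fetch live response headers for a URL the reviewer supplies (network)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed sample responses for illustration only (not captured from any site).
SAMPLE_STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "NEL": '{"report_to":"default","max_age":2592000}',
}
SAMPLE_WEAK = dict(SAMPLE_STRONG)
SAMPLE_WEAK["Strict-Transport-Security"] = "max-age=300"  # too short, no preload
SAMPLE_WEAK["X-Frame-Options"] = "SAMEORIGIN"              # brief says DENY

if __name__ == "__main__":
    for label, sample in (("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK)):
        print(f"{label}: failing checks = {failing(check_headers(sample)) or 'none'}")
```

To run it against the real site, replace the samples with `fetch_headers("https://gowithcalcoast.com/")` and inspect `failing(...)`; a response that returns an empty list satisfies every claim in the Technical Security section above that a header can demonstrate.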

Photo and Evidence Authenticity

Compliant (Implementation by Q3 2026)
Q: How do you prove the authenticity of job photos submitted for claims?
A: Cal Coast is implementing C2PA Content Credentials (Adobe's anti-deepfake standard) on all job photos. Insurance carriers can verify any Cal Coast photo at contentcredentials.org/verify. Anti-fraud declaration at /api/c2pa-photo-credentials.json.

Operational Controls

Compliant
Q: Do you maintain an incident response plan?
A: Yes. Documented in our security handoff document. Includes: detection, notification, containment, eradication, recovery, lessons-learned. 72-hour breach notification commitment for CCPA-covered incidents.
Compliant
Q: What employee security training is in place?
A: All Cal Coast personnel receive training on customer data handling, phishing identification, and proper use of company-issued devices. Field technicians use company-issued devices only; no personal device usage for customer data.
Compliant
Q: What email anti-spoofing controls are in place?
A: SPF, DKIM, and DMARC records are configured for gowithcalcoast.com and are verifiable at mxtoolbox.com. These records prevent Business Email Compromise attempts that impersonate Cal Coast staff.
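The SPF, DKIM and DMARC claim above is one a reviewer can check directly from public DNS. The assessor below is an added example written for this brief, not Cal Coast's own code: it parses an SPF record (counting the mechanisms that consume DNS lookups against RFC 7208's limit of 10 and reading the `all` qualifier), a DMARC record (policy, subdomain policy, alignment and reporting tags) and a DKIM key record (checking that the public key is present rather than revoked). The records embedded at the bottom are constructed samples using example domains, not the live records for gowithcalcoast.com.

```python
# SPF mechanisms and modifiers that each cost one DNS lookup (RFC 7208, section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Lookup count and 'all' qualifier of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        term = term.lower()
        if term.startswith("redirect="):  # modifier, still a lookup
            lookups += 1
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    return {
        "valid": True,
        "lookups": lookups,
        "within_lookup_limit": lookups <= 10,
        "all": all_qualifier,
        # "-all" (fail) and "~all" (softfail) both give receivers a signal;
        # "+all" or a missing "all" term authorizes any sender.
        "restrictive": all_qualifier in ("-", "~"),
    }


def assess_dmarc(record):
    """Policy strength, alignment and reporting of a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False}
    policy = tags.get("p", "").lower()
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),
        "enforcing": policy in ("quarantine", "reject"),
        "pct": int(tags.get("pct", "100")),
        "has_reporting": "rua" in tags,
        "strict_alignment": tags.get("adkim", "r").lower() == "s"
        and tags.get("aspf", "r").lower() == "s",
    }


def assess_dkim(record):
    """Whether a DKIM selector record carries a usable public key."""
    tags = parse_tags(record)
    has_key = bool(tags.get("p"))
    return {
        "valid": tags.get("v", "DKIM1").upper() == "DKIM1" and has_key,
        "revoked": "p" in tags and not has_key,  # empty p= means key revoked
        "key_type": tags.get("k", "rsa"),
    }


# Constructed sample records (example domains; not the live DNS of any real domain).
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.example mx -all"
SAMPLE_DMARC = ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; "
                "adkim=s; aspf=s; pct=100")
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"  # placeholder key

if __name__ == "__main__":
    print("SPF:  ", assess_spf(SAMPLE_SPF))
    print("DMARC:", assess_dmarc(SAMPLE_DMARC))
    print("DMARC (monitor-only):", assess_dmarc(WEAK_DMARC))
    print("DKIM: ", assess_dkim(SAMPLE_DKIM))
```

The live records come from `dig TXT gowithcalcoast.com`, `dig TXT _dmarc.gowithcalcoast.com` and `dig TXT <selector>._domainkey.gowithcalcoast.com` (the DKIM selector is whatever the sending service publishes; it is not given on this page). A DMARC `p=none` record is configured but monitor-only, so the `enforcing` field is the one worth reading when judging an anti-spoofing claim.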

AI and Automation Disclosure

Compliant
Q: Do you use AI in customer interactions? How is data handled?
A: Yes. An AI chatbot powered by Anthropic Claude runs on Mold Help SD. The chatbot proxies through a Cal Coast-controlled Vercel function, so your customer's data does not go directly to the AI vendor. Anthropic processes the conversation under its privacy terms. The knowledge base is public (CC-BY-4.0), so AI responses are auditable.
Compliant
Q: Do you offer agent-callable APIs?
A: Yes. MCP server (Model Context Protocol) at /api/mcp, OpenAPI specification at /openapi.yaml. Allows automated claim intake from carrier systems without manual data entry.

Need a Completed Vendor Security Questionnaire?

If your carrier uses a specific vendor security form, email it to us. We complete and return within 5 business days.

Email josiah@gowithcalcoast.com

Verification Resources for Carrier Review