Compliance posture · 2026
Compliance
Nightbox LLC operates under a privacy-by-design, security-by-default posture. Below is our current compliance status across federal, state, and industry frameworks relevant to a US biotech engaging federal R&D channels.
Federal tech security frameworks
| Framework | Scope | Status |
|---|---|---|
| CISA BOD 18-01 | Email authentication (DMARC strict) | ● Met (p=reject, adkim=s, aspf=s, pct=100) |
| RFC 8460 TLS-RPT | TLS reporting | ● Met (rua=mailto:artem@nightboxllc.com) |
| RFC 8461 MTA-STS | Mail transfer security | ● Met (enforce mode) |
| RFC 9116 security.txt | Coordinated vulnerability disclosure | ● Met (/.well-known/security.txt) |
| HSTS preload | Transport security | ● Met (max-age=63072000; includeSubDomains; preload) |
| NIST SP 800-171 | CUI safeguarding (110 controls) | ● Self-assessment in progress |
| CMMC 2.0 Level 1 | DoD basic cyber hygiene (15 controls) | ● Self-attestation drafted |
| NIST SP 800-218 SSDF | Secure Software Development Framework (EO 14028) | ● Practices documented; CISA attestation pending if applicable |
| FISMA | Federal information security | N/A — no federal data hosted to date |
| FedRAMP | Cloud service authorization | N/A — no federal cloud service offered |
Zero Trust Architecture (OMB M-22-09)
In accordance with OMB Memorandum M-22-09 (Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, January 2022), Nightbox operates a Zero Trust Architecture (ZTA) aligned with the CISA Zero Trust Maturity Model v2.0 across the five pillars:
| Pillar | Implementation | Maturity |
|---|---|---|
| Identity | Phishing-resistant MFA on Google Workspace (passkey + TOTP); device-bound sessions; no password reuse | Advanced |
| Devices | Endpoint inventory; full-disk encryption (FileVault / BitLocker); OS patch SLA < 14 days; OS-level firewall on | Advanced |
| Networks | No flat network. All inter-service traffic encrypted (TLS 1.3). Vercel Edge isolation per request. No long-lived persistent VPN. | Advanced |
| Applications and workloads | Edge runtime sandboxing (V8 isolates); per-request authorization; brand-cloak and output sanitization on the chat agent; injection scanner on user input | Advanced |
| Data | Data classification policy (see /policies §5); encryption at rest (Google Workspace, Mercury) and in transit (TLS 1.3); least-privilege access; no PHI without BAA; CUI handled per NIST SP 800-171 if scoped | Advanced |
Cross-cutting capabilities: continuous diagnostics and mitigation via Postmaster Tools and Vercel observability; security automation through declarative configuration (vercel.json security headers); centralized logging via Vercel and Mercury platform logs.
Federal company identifiers
| Identifier | Value |
|---|---|
| Legal name | Nightbox LLC |
| EIN (Employer ID) | 39-4373044 |
| State of incorporation | California |
| Primary NAICS | 541714 — Research and Development in Biotechnology (except Nanobiotechnology) |
| Secondary NAICS | 541715, 325414, 541711 |
| Business size | Small business (1 FTE; under the SBA size standard for each NAICS code above) |
| SAM.gov UEI | Registration in progress (Q2 2026) |
| CAGE Code | Pending SAM.gov registration completion |
| D-U-N-S | Available on request |
| eRA Commons (NIH) | Registration in progress ahead of the NCI SBIR deadline of Sept 5, 2026 |
Privacy and data protection
- CCPA (California Consumer Privacy Act) — compliant; we do not sell personal information
- GDPR — data subject rights honored on request to legal@nightboxllc.com
- HIPAA — Not a Covered Entity. We do not handle Protected Health Information. If we ever do, a Business Associate Agreement (BAA) will govern
- 21 CFR Part 11 (FDA electronic records) — Not currently in scope. Will be implemented when electronic records support FDA submissions
- Privacy Policy: /privacy
Export control
Current research outputs are fundamental research within the meaning of 15 CFR §734.8 and are not currently subject to the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR). We will reassess at each technology transfer event and apply for required licenses if scope changes. Inquiries: legal@nightboxllc.com.
Research integrity
- Good Laboratory Practice (GLP) — applied to in vivo work commencing Q2 2026
- Good Clinical Practice (ICH GCP) — applied at first clinical engagement
- Good Manufacturing Practice (cGMP) — applied at clinical-grade manufacturing
- NIH NOT-OD-25-XXX (research integrity) — adopted
- Reporting and conflict-of-interest disclosure — see /policies
Policies (public)
- Privacy Policy
- Terms of Service
- Security and Coordinated Disclosure
- Operational Policies (Records Retention, Acceptable Use, Code of Conduct, Conflict of Interest)
Audit and questionnaire support
For vendor security questionnaires (SIG Lite, CAIQ, NIST 800-171 SSP, CMMC self-assessment, etc.), please email security@nightboxllc.com. Standard response time is five business days.
Compliance program ownership: Founder & CEO until first compliance-dedicated hire.