Augur.ai
— Compliance

FAR & DFARS compliance.

Last updated: May 11, 2026

Augur is built for federal contractors, which means the platform has to clear the same compliance bars its customers do. This page maps Augur’s controls to the FAR and DFARS clauses that come up most often in customer security reviews.

Honest framing. Augur is a commercial software product, not a federal information system. We do not currently hold a FedRAMP authorization. The controls listed below are implemented to align with the cited clauses; they do not by themselves constitute compliance certification. For controlled unclassified information (CUI) handling, see the NIST 800-171 section below.

Commercial software status

Augur is “commercial computer software” and a “commercial product” as those terms are defined in FAR 2.101 (the FAR now uses “commercial product” and “commercial service” in place of the older “commercial item”), acquired under the procedures of FAR Part 12. Use, duplication, and disclosure by the Government are subject to the standard restrictions in FAR 12.212 and DFARS 227.7202. Government end-users acquire only the rights customarily provided to the public, as documented in our Terms of Service.

FAR 52.204-21 — Basic safeguarding of contractor information systems

This clause sets fifteen basic safeguarding requirements for any information system that processes, stores, or transmits Federal Contract Information (FCI). Augur’s mapping:

Control | Augur
(b)(1)(i) Limit access to authorized users | Server-side authentication on every endpoint; admin-managed accounts; no anonymous access.
(b)(1)(ii) Limit access to the types of transactions and functions authorized users may execute | Role-based access (operator vs admin) enforced server-side.
(b)(1)(iii) Verify and control connections to external systems | Outbound requests limited to a single allowlisted upstream (api.sam.gov) via a server-side proxy.
(b)(1)(iv) Control information posted on publicly accessible systems | No customer data on marketing pages; the signed-in surface is gated and never indexed.
(b)(1)(v)–(vi) Identify and authenticate users | Per-user accounts; PBKDF2-SHA-256 password hashing; session cookies bound to a single user.
(b)(1)(vii) Sanitize or destroy information media before reuse | D1 storage managed by Cloudflare; physical media handling covered by Cloudflare’s SOC 2 controls.
(b)(1)(viii) Limit physical access | All hosting in Cloudflare data centers; physical access controls inherit from Cloudflare.
(b)(1)(ix) Escort visitors and monitor visitor activity | Augur production infrastructure has no walk-up access path; same Cloudflare inheritance.
(b)(1)(x) Maintain audit logs of physical access | Cloudflare inheritance.
(b)(1)(xi) Control and manage physical access devices | Cloudflare inheritance.
(b)(1)(xii) Monitor, control, and protect organizational communications | TLS 1.2+ in transit; strict CSP, HSTS, no third-party JS on signed-in surfaces.
(b)(1)(xiii) Implement subnetworks for publicly accessible system components | Public marketing and authenticated surfaces are separately routed Cloudflare Workers with no shared backplane.
(b)(1)(xiv) Identify, report, and correct information system flaws | Coordinated disclosure policy on the Security page; documented internal patching cadence.
(b)(1)(xv) Provide protection from malicious code | Strict CSP blocks inline and non-allowlisted script execution; no untrusted user upload paths.

NIST SP 800-171 — Protecting CUI in non-federal systems

Augur is designed to align with the 110 security requirements of NIST SP 800-171 Rev. 2 for any customer choosing to process Controlled Unclassified Information (CUI) inside their deployment. (NIST published Rev. 3 in 2024 with a restructured set of 97 requirements; a 2024 DoD class deviation keeps DFARS 252.204-7012 on Rev. 2 for now, and Rev. 2 is the version mapped here.) Customers with active CUI obligations should request our control-mapping spreadsheet (under NDA), which traces each of the 110 Rev. 2 requirements to Augur’s implementation evidence.

High-level posture:

  • Access Control (3.1): least-privilege role model, server-side enforcement, session expiry.
  • Audit and Accountability (3.3): append-only activity log recording actor, action, target, timestamp, source IP, and user agent.
  • Identification and Authentication (3.5): unique per-user accounts, PBKDF2 password hashing, force-change on first login.
  • Incident Response (3.6): documented runbooks, 72-hour breach notification commitment.
  • System and Communications Protection (3.13): TLS 1.2+, strict CSP, HttpOnly+Secure+SameSite=Strict session cookies, server-side CSRF double-submit.
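The transport and session controls above (strict CSP and HSTS headers, HttpOnly/Secure/SameSite=Strict session cookies, server-side CSRF double-submit) and the single-upstream proxy allowlist from the FAR 52.204-21 table are easiest to evaluate as code. The following is an added example written for this page, not Augur’s own code: a request handler in the style of a Cloudflare Worker fetch handler. The route names, header values, cookie names and the allowlist contents are assumptions; the real upstream fetch is omitted so it runs offline under Node 18+.

```javascript
// Added example (not Augur's code): a minimal request handler in the style of a
// Cloudflare Worker fetch handler, showing HSTS + strict CSP response headers,
// HttpOnly/Secure/SameSite=Strict session cookies, a double-submit CSRF check for
// state-changing requests, and a hostname allowlist for the server-side proxy.
// Route names, header values, cookie names and the allowlist are assumptions.

const ALLOWED_UPSTREAMS = new Set(["api.sam.gov"]); // the only permitted proxy target (assumed)

const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  // No inline scripts, no third-party script origins, no plugins, no framing, no <base> hijacking.
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "no-referrer",
  "Cache-Control": "no-store",
};

// Return a copy of the response with the security headers applied to every reply.
function withSecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return new Response(response.body, { status: response.status, headers });
}

// Session cookie: unreadable by page script, only sent over TLS, never sent cross-site.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return `session=${token}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// CSRF cookie for the double-submit pattern: deliberately NOT HttpOnly, because
// same-origin page script must read it and echo it back in the X-CSRF-Token header.
function csrfCookie(token) {
  return `csrf=${token}; Path=/; Secure; SameSite=Strict`;
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Compare without short-circuiting on the first differing byte: the token length
// may leak, the token contents do not.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Double-submit check: the csrf cookie must equal the header that same-origin script set.
// A cross-site attacker can make the browser attach the cookie but cannot set the header.
function csrfValid(request) {
  const cookies = parseCookies(request.headers.get("Cookie") || "");
  const fromHeader = request.headers.get("X-CSRF-Token");
  if (!cookies.csrf || !fromHeader) return false;
  return constantTimeEqual(cookies.csrf, fromHeader);
}

// Allowlist by exact hostname and scheme after parsing, so "api.sam.gov.evil.example"
// and "http://api.sam.gov/..." are both rejected.
function upstreamAllowed(target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  return url.protocol === "https:" && ALLOWED_UPSTREAMS.has(url.hostname);
}

// Synchronous stand-in for a Worker's fetch handler. The real upstream fetch on /proxy
// is omitted so the example runs offline; everything else is the actual control logic.
function handle(request) {
  const url = new URL(request.url);
  if (url.protocol !== "https:") {
    return withSecurityHeaders(new Response("https required", { status: 400 }));
  }
  if (url.pathname === "/proxy") {
    const target = url.searchParams.get("url") || "";
    if (!upstreamAllowed(target)) {
      return withSecurityHeaders(new Response("upstream not allowed", { status: 403 }));
    }
    return withSecurityHeaders(new Response("proxy ok", { status: 200 }));
  }
  const safeMethod = request.method === "GET" || request.method === "HEAD";
  if (!safeMethod && !csrfValid(request)) {
    return withSecurityHeaders(new Response("csrf check failed", { status: 403 }));
  }
  return withSecurityHeaders(new Response("ok", { status: 200 }));
}
```

Two design points worth checking in a review: the allowlist compares the parsed hostname, never a string prefix, which is what stops lookalike hosts and scheme downgrades; and the CSRF token is only as good as its binding to the session, so a production version would sign the token with a server secret keyed to the session id rather than accept any cookie/header pair that happen to match.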

DFARS 252.204-7012 — Safeguarding covered defense information

Customers processing covered defense information (CDI) inside their Augur deployment may rely on the NIST 800-171 implementation evidence above, with two caveats. First, DFARS 252.204-7012(b)(2)(ii)(D) requires any external cloud service provider used to store, process, or transmit CDI to meet security requirements equivalent to the FedRAMP Moderate baseline; Augur does not yet hold that authorization (see FedRAMP below), so customers should settle this with their contracting officer before placing CDI in Augur. Second, the clause defines “rapidly report” as reporting to DoD through DIBNet within 72 hours of the contractor’s discovery of a cyber incident. The 72-hour cyber-incident notification commitment in our DPA is intended to support that timeline, but a notification arriving late in Augur’s window leaves the customer little of theirs; customers should confirm that the DPA clock starts at Augur’s discovery of the incident, not at its confirmation.

FedRAMP

Augur does not currently hold a FedRAMP authorization. A FedRAMP Moderate authorization is on the 2026 roadmap. Customers with active FedRAMP requirements should request our gap-analysis package.

Section 508 / accessibility

Augur’s production surfaces target WCAG 2.1 Level AA. Known gaps and remediation timelines are tracked in our internal accessibility backlog and shared with customers on request.

Export control

Augur is published from the United States. The platform is classified as EAR99 under U.S. export controls. We do not knowingly provide access to users in jurisdictions subject to comprehensive U.S. embargoes (currently Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine).

Contact

Compliance questions: compliance@augurai.app
Security questions: security@augurai.app

© 2026 Augur.ai — All rights reserved