Garde1 does not require, ask for, or accept CUI.
Garde1's commercial product is not a CUI-handling environment. We do not need CUI to generate an SSP, evaluate evidence, or run a readiness assessment, and customers should not upload CUI unless covered by a separate written agreement for a CUI-capable environment (not yet generally available). This page is the policy statement and the operational detail behind it.
Why this matters
Under 32 CFR §170.4, an External Service Provider (ESP) that processes, stores, or transmits CUI is in the assessment scope of the Organization Seeking Certification (OSC) as a CUI Asset — and that ESP's control environment must meet the same NIST 800-171 bar as the OSC's own CUI boundary. Garde1 is not a CUI Asset today. We are a Security Protection Asset (SPA) — we hold Security Protection Data (SPD) on the customer's behalf, but not CUI. Keeping that line sharp is the difference between an ESP an assessor will accept and one they won't. (For comparison, a Cloud Service Provider (CSP) that handles CUI is held to a separate, higher bar — FedRAMP Moderate authorization or equivalent.)
What you should not upload
Anything that meets the federal CUI definition is out-of-scope for upload to the commercial product. In practice this includes:
- DoD-marked CUI — anything stamped “CUI” or with a legacy “FOUO” / “SBU” marking by a federal source.
- CDI / CTI / NNPI / ITAR-controlled technical data from a federal contract.
- Privileged contract attachments identified as CUI in your DD Form 254, your Statement of Work, or your CUI registry entries.
- Free-text excerpts from any of the above pasted into questionnaire answers, evidence narratives, or the in-app assistant.
What you can upload: redacted policy templates, SSP drafts (without embedded CUI excerpts), connector configuration outputs (which Garde1 already sanitizes), training records, photographs of physical security controls, and the like.
Guardrails inside the product
Garde1 surfaces a CUI warning on every free-text field and file upload affordance where CUI could plausibly land (evidence uploads, questionnaire narratives, in-app chat). The guardrails are advisory — a determined uploader can still paste CUI, which is why this written policy exists in parallel.
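To make the advisory guardrail concrete, here is an added example of how a marking scanner for a free-text field or upload name can work, together with the content-free audit record that the accidental-upload process below calls for. This is illustrative code written for this page, not Garde1's product code: the marking families come from the list above, but the regular expressions, the `[REDACTED]` convention, the field names, and the workspace id are all constructed for the example.

```python
"""Advisory CUI-marking guardrail for free-text fields and uploads.

Added example, not Garde1's code. The patterns, audit-record shape and
sample inputs are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    kind: str    # marking family that matched
    start: int   # offset of the match in the scanned text
    end: int


# Marking families taken from the page's list of out-of-scope material.
# The regexes are constructed for this example and deliberately over-match:
# the guardrail is advisory, so a false warning costs little and a miss costs more.
MARKING_PATTERNS = [
    ("CUI banner", re.compile(r"\bCUI\b(?://[A-Z0-9-]+)*")),          # e.g. "CUI//SP-CTI"
    ("legacy FOUO", re.compile(r"\bFOUO\b|\bfor official use only\b", re.IGNORECASE)),
    ("legacy SBU", re.compile(r"\bSBU\b|\bsensitive but unclassified\b", re.IGNORECASE)),
    ("export-controlled technical data",
     re.compile(r"\bITAR\b|\bexport[- ]controlled\b", re.IGNORECASE)),
    ("DD Form 254 reference", re.compile(r"\bDD\s*(?:form\s*)?254\b", re.IGNORECASE)),
]


def scan_text(text: str) -> list[Finding]:
    """Return every marking hit in the text, ordered by position."""
    found = []
    for kind, pattern in MARKING_PATTERNS:
        for m in pattern.finditer(text):
            found.append(Finding(kind, m.start(), m.end()))
    return sorted(found, key=lambda f: f.start)


def scan_filename(name: str) -> list[Finding]:
    """Cheap early signal from names such as 'drawings_CUI.pdf', before the body is read."""
    return scan_text(name.replace("_", " ").replace("-", " "))


def advisory_warning(findings: list[Finding]) -> Optional[str]:
    """Warning text for the UI, or None when nothing matched. The upload is not blocked."""
    if not findings:
        return None
    kinds = sorted({f.kind for f in findings})
    return ("This content appears to carry a controlled marking (" + ", ".join(kinds)
            + "). Garde1 does not accept CUI; remove or redact it before submitting.")


def redact(text: str, findings: list[Finding], context: int = 40) -> str:
    """Blank out each hit plus surrounding context so a marked passage never reaches a log line."""
    if not findings:
        return text
    spans: list[tuple[int, int]] = []
    for f in findings:
        s, e = max(0, f.start - context), min(len(text), f.end + context)
        if spans and s <= spans[-1][1]:            # overlapping windows merge
            spans[-1] = (spans[-1][0], max(spans[-1][1], e))
        else:
            spans.append((s, e))
    out, cursor = [], 0
    for s, e in spans:
        out.append(text[cursor:s])
        out.append("[REDACTED]")
        cursor = e
    out.append(text[cursor:])
    return "".join(out)


def audit_entry(workspace_id: str, field: str, findings: list[Finding]) -> dict:
    """Audit-trail record: which marking families were seen and how often, never the content."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return {"workspace_id": workspace_id, "field": field, "markings": counts, "blocked": False}


if __name__ == "__main__":
    # Constructed sample narrative; the workspace id is a placeholder.
    sample = "Attached is the DD Form 254 excerpt. CUI//SP-CTI: the tolerance values are FOUO."
    hits = scan_text(sample)
    print(advisory_warning(hits))
    print(audit_entry("ws-example-123", "evidence_narrative", hits))
    print(redact(sample, hits))
```

Two design points worth noting. The scanner runs on both the file name and the field text, because a name like `drawings_CUI.pdf` is available before any parsing and is often the strongest single signal. And the audit record keeps only marking families and counts, while `redact` widens each hit to a window of surrounding characters, so the audit trail can prove that a warning fired without itself becoming a place where CUI is stored.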
If CUI is uploaded by accident
Use the form below with the affected workspace ID and a brief description. Our process:
- We acknowledge within one business day and assign an incident ID.
- We work with you to identify and permanently delete the affected records — including any backups in our 35-day Aurora PITR window once the legal hold expires.
- We log the incident in the audit trail (with the CUI content itself redacted from the log entry).
- We provide a written confirmation of deletion for your records.
The path to a CUI-capable environment
For customers whose contracts require CUI processing inside the service provider, Garde1's roadmap is the same migration described on the main security page:
- Phase 2 — AWS GovCloud (US) tenancy as the boundary for CUI-capable customers, with U.S.-only operator access and ITAR-controlled support.
- Phase 3 — FedRAMP 20x authorization as the streamlined federal authorization path.
Until the GovCloud tenancy is generally available, the commercial product remains the only Garde1 deployment, and the no-CUI policy on this page applies to it without exception.
Customer SSP language
Most assessors expect to see a statement to this effect:
Garde1 is treated as a Security Protection Asset within this OSC's CMMC assessment scope under 32 CFR §170.19. CUI is not processed, stored, or transmitted by Garde1 in this engagement, in accordance with the Garde1-published no-CUI policy at garde1.com/security/no-cui. As an SPD-only, non-CSP ESP, Garde1 is not required under §170.19 to obtain its own CMMC certification; the published Customer Responsibility Matrix at garde1.com/compliance documents the security responsibilities split. The OSC controls customer-side input gates and does not upload CUI into the platform.
Report accidental CUI upload
If CUI was uploaded by accident, send the affected workspace ID and a brief description below. We acknowledge within one business day and provide written confirmation of deletion.