CUPELON

Security & Compliance

Built from the ground up for CUI environments, DoD contractors, and federal agencies. Every architectural decision prioritizes data sovereignty and regulatory compliance.

Zero Outbound Traffic

Cupelon is designed so that no data leaves your network boundary. The only outbound connections it makes are to your email platform's API (Microsoft Graph or Google Workspace), authenticated under your own tenant; nothing is sent to Cupelon or to any third party unless you opt into Threat Network sharing.

  • No telemetry without permission: No analytics, usage tracking, or diagnostic data sent anywhere without your express consent
  • No phone-home: License validation happens entirely offline
  • No external feeds: Threat intelligence is generated from your own users' behavior
  • Air-gap capable: Fully functional in networks with no general internet access

Automatic Compliance Marking Filter

Cupelon runs entirely on your infrastructure, and no email data reaches Cupelon (the vendor) unless you explicitly opt into Threat Network sharing. If you do opt in, an automatic compliance marking filter scans every message before any anonymized data leaves your network, and messages containing CUI markings, classification banners, ITAR designations, handling caveats, or paragraph-level portion markings are blocked from sharing.

Cannot Be Disabled

The compliance filter is hard-coded into the data pipeline: there is no configuration toggle, no admin override, and no way to bypass it. Even with enhanced sharing fully enabled, a message carrying any of the markings below never enters the sharing pipeline. Because the filter keys on markings, its guarantee covers content that is marked in line with your marking policy; it is not a content classifier for unmarked material.

What Gets Caught

  • CUI: CUI//SP-CTI, CUI//PRVCY, Controlled Unclassified Information banners
  • Classification: SECRET, TOP SECRET, UNCLASSIFIED//FOUO
  • Handling: NOFORN, REL TO, ORCON, Law Enforcement Sensitive
  • Export: ITAR controlled, Export Controlled, EAR
  • Paragraph markings: (U), (S), (TS), (CUI), (U//FOUO) line prefixes

The filter scans subject lines, classification headers (X-Protective-Marking, Sensitivity), message bodies, and attachment filenames. Standard email confidentiality footers are excluded from the scan so that their boilerplate (which routinely mentions confidentiality or export-control statutes) does not produce false positives.
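The detection logic described above, written out as an added example (this is not Cupelon's own filter code; the marking patterns, the footer heuristic, the `Message` shape and the sample messages are all assumptions constructed for the example). It scans the same four locations the page lists, drops footer paragraphs before scanning the body, and treats portion marks as line prefixes:

```python
import re
from dataclasses import dataclass, field

# Constructed message shape for the example; a real pipeline would wrap the
# Microsoft Graph or Google Workspace message object instead.
@dataclass
class Message:
    subject: str
    body: str
    headers: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)   # attachment filenames only

@dataclass(frozen=True)
class Hit:
    location: str   # "subject", "header:<name>", "body", "attachment:<filename>"
    category: str   # "cui", "classification", "handling", "export", "paragraph"
    text: str

# Custom word boundary that also treats "_" and "." as separators, so a filename
# such as "CUI_roster.xlsx" is caught (a plain \b does not break on "_").
_L = r"(?<![A-Za-z0-9])"
_R = r"(?![A-Za-z0-9])"

# Illustrative patterns for the marking categories listed above (assumption: a
# production list would be wider). Banners and caveats are matched
# case-sensitively on purpose so "secret santa" or "clear" do not trip the filter.
MARKING_PATTERNS = {
    "cui": re.compile(_L + r"(?:CUI(?://[A-Z][A-Z0-9\-]*(?:/[A-Z][A-Z0-9\-]*)*)?"
                      r"|Controlled Unclassified Information)" + _R),
    "classification": re.compile(_L + r"(?:TOP SECRET|SECRET|UNCLASSIFIED//FOUO)" + _R),
    "handling": re.compile(_L + r"(?:NOFORN|ORCON|REL TO [A-Z, ]+|Law Enforcement Sensitive)" + _R),
    "export": re.compile(_L + r"(?:ITAR(?:[ -]controlled)?|EAR|(?i:export[ -]controlled))" + _R),
    # Portion marks only count at the start of a line, as the page describes.
    "paragraph": re.compile(r"^\s*\((?:U|C|S|TS|CUI)(?://[A-Z\-]+)?\)\s", re.MULTILINE),
}

# Heuristic for boilerplate confidentiality footers; matching paragraphs are
# dropped before the body is scanned so their statute citations do not count.
FOOTER_MARKERS = re.compile(
    r"confidentiality notice|intended (?:solely|only) for|"
    r"this (?:e-?mail|message)[^\n]{0,80}?(?:confidential|privileged|subject to the)",
    re.IGNORECASE,
)

def strip_footers(body: str) -> str:
    paragraphs = re.split(r"\n\s*\n", body)
    return "\n\n".join(p for p in paragraphs if not FOOTER_MARKERS.search(p))

def scan(text: str, location: str) -> list:
    return [Hit(location, category, m.group(0).strip())
            for category, pattern in MARKING_PATTERNS.items()
            for m in pattern.finditer(text)]

def compliance_filter(msg: Message) -> list:
    """Every marking found; an empty list means the message may enter the sharing pipeline."""
    hits = scan(msg.subject, "subject")
    for name in ("X-Protective-Marking", "Sensitivity"):
        if msg.headers.get(name):
            hits += scan(msg.headers[name], f"header:{name}")
    hits += scan(strip_footers(msg.body), "body")
    for filename in msg.attachments:
        hits += scan(filename, f"attachment:{filename}")
    return hits

def may_share(msg: Message) -> bool:
    return not compliance_filter(msg)

# Constructed sample messages. The footer cites the ITAR in every message, which
# is exactly the false positive the footer exclusion is there to absorb.
ITAR_FOOTER = ("WARNING: This e-mail may contain technical data subject to the ITAR "
               "(22 CFR 120-130). Dissemination to foreign persons is prohibited.")
SAMPLES = {
    "clean": Message("Lunch Thursday?", "Secret santa sign-up is open.\n\n" + ITAR_FOOTER),
    "subject": Message("ITAR controlled drawings for review", "Attached.\n\n" + ITAR_FOOTER,
                       attachments=["wing_spar_rev3.pdf"]),
    "portion": Message("Weekly status", "(U) Schedule unchanged.\n(U//FOUO) Budget figures attached.",
                       attachments=["CUI_SP-CTI_indicators.csv"]),
    "header": Message("Re: tasking", "See attached.",
                      headers={"X-Protective-Marking": "SEC=SECRET, CAVEAT=NOFORN"}),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "share" if may_share(msg) else "BLOCK", compliance_filter(msg))
```

Two design points worth noting. The patterns are case-sensitive for banners and caveats because the cost of a missed marking is high but the cost of blocking every message that mentions a "secret" is a filter nobody trusts; the footer exclusion is a paragraph-level heuristic, so a genuine portion-marked paragraph that happens to read like a footer would be dropped, which is why the example keeps the footer test narrow.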

FIPS-Approved Cryptography

Cupelon uses FIPS-approved cryptographic algorithms throughout. When deployed on Ubuntu Pro with FIPS mode enabled, Cupelon operates as a FIPS-compliant node: the validated OS kernel and cryptographic modules (Ubuntu's FIPS-certified kernel and user-space crypto libraries such as OpenSSL) provide the certified foundation, and Cupelon restricts itself to approved algorithms on top of that stack. Cupelon itself is not a separately validated module; the validation belongs to the Ubuntu modules it calls into.

  • Ubuntu Pro + FIPS: Deploy on Ubuntu Pro with FIPS mode for a fully compliant stack with validated kernel and cryptographic modules
  • Certificate authentication: Supports X.509 certificate-based API authentication — client secrets can be disabled entirely
  • FIPS-approved algorithms: All cryptographic operations (signing, hashing, authentication) use algorithms on the FIPS-approved list
  • PII protection: User identifiers are always stored as cryptographic hashes, never in plaintext

Air-Gap & Offline Deployment

Cupelon supports classified environments, SCIFs, and networks without general internet access: it operates fully offline after initial deployment.

Offline License Validation

Licenses are cryptographically signed and validated entirely locally — no license server, no phone-home, no internet connection required.

Offline Updates

Transfer updates via USB or secure file transfer and apply them locally. No internet connection needed for updates.

Offline Revocation

Revocation lists are delivered as part of application updates, so no CRL or OCSP endpoints are required. A revoked license or certificate therefore stays valid on a node until the update carrying the revocation is applied, so keep the offline update cadence in line with your revocation policy.

No External Dependencies

The dashboard and all UI assets are served locally. No CDN calls, no external fonts, no JavaScript libraries loaded from the internet.

Role-Based Access Control

Integrates with your existing identity provider for enterprise role-based access control, or use API key authentication for simpler deployments.

Role        Permissions
Admin       Full access: configuration, alerting, allowlists, templates, user management
Analyst     Read/write: domains, threat indicators, events, audit logs
Read-Only   View-only: dashboards, reports, audit logs

Comprehensive Audit Logging

Every system action is logged to a queryable audit trail. Retention is configurable with automatic purge to meet your data governance requirements.

What Gets Logged

  • Banner operations
  • Threat indicator events
  • Webhook & event processing
  • Admin configuration changes
  • API calls & errors
  • Training panel activity
  • Authentication events
  • Compliance filter blocks
  • Auto-sweep decisions

Audit logs are searchable by actor, action, resource type, and date range. Use them as evidence for CMMC assessments, FedRAMP continuous monitoring, and incident investigations.
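A minimal queryable audit trail with the four search dimensions named above and the retention purge described under PII Protection, as an added example (not Cupelon's schema; the table layout, action names and sample events are assumptions, and the demo uses an in-memory SQLite database):

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed schema. Timestamps are ISO 8601 in UTC so string comparison orders
# them correctly; actors are hashed user ids or service principals, never
# plaintext addresses.
SCHEMA = """
CREATE TABLE IF NOT EXISTS audit_log (
    id            INTEGER PRIMARY KEY,
    ts            TEXT NOT NULL,
    actor         TEXT NOT NULL,
    action        TEXT NOT NULL,
    resource_type TEXT NOT NULL,
    resource_id   TEXT,
    detail        TEXT
);
CREATE INDEX IF NOT EXISTS audit_actor  ON audit_log(actor, ts);
CREATE INDEX IF NOT EXISTS audit_action ON audit_log(action, ts);
CREATE INDEX IF NOT EXISTS audit_rtype  ON audit_log(resource_type, ts);
"""

def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def record(conn, actor, action, resource_type, resource_id=None, detail=None, ts=None):
    ts = (ts or datetime.now(timezone.utc)).isoformat()
    conn.execute(
        "INSERT INTO audit_log (ts, actor, action, resource_type, resource_id, detail) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, actor, action, resource_type, resource_id, detail),
    )
    conn.commit()

def search(conn, actor=None, action=None, resource_type=None, since=None, until=None):
    """Filter by actor, action, resource type and an ISO 8601 date range; all optional."""
    clauses, params = [], []
    for column, value in (("actor", actor), ("action", action), ("resource_type", resource_type)):
        if value is not None:
            clauses.append(f"{column} = ?")
            params.append(value)
    if since is not None:
        clauses.append("ts >= ?")
        params.append(since)
    if until is not None:
        clauses.append("ts < ?")
        params.append(until)
    sql = "SELECT ts, actor, action, resource_type, resource_id, detail FROM audit_log"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql + " ORDER BY ts", params).fetchall()

def purge_older_than(conn, retention_days, now=None):
    """Retention purge; returns the number of rows deleted so the purge itself can be logged."""
    cutoff = ((now or datetime.now(timezone.utc)) - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM audit_log WHERE ts < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def build_demo():
    """Constructed sample events spanning more than a year, anchored to a fixed 'now'."""
    conn = open_audit_db()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    record(conn, "svc:graph-webhook", "filter.block", "message", "msg-1",
           "CUI marking in subject", ts=now - timedelta(days=400))
    record(conn, "admin:a1b2", "config.update", "allowlist", "domains",
           "added partner.example", ts=now - timedelta(days=10))
    record(conn, "analyst:c3d4", "indicator.create", "indicator", "ioc-7",
           ts=now - timedelta(days=2))
    record(conn, "admin:a1b2", "auth.login", "session", None, "cert auth",
           ts=now - timedelta(hours=1))
    return conn, now

if __name__ == "__main__":
    conn, now = build_demo()
    print(search(conn, actor="admin:a1b2"))
    print("purged:", purge_older_than(conn, 365, now=now))
```

Note that the purge returns its row count: an assessor asking why a year-old compliance-filter block is missing from the trail should find the purge event itself recorded, with the retention setting that caused it.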

PII Protection

Cupelon never stores user email addresses in plaintext; all user identifiers are one-way cryptographic hashes, so the database itself holds no recoverable addresses. For that property to hold against someone who has the database plus a list of your organization's addresses, the hash has to be keyed (HMAC) or peppered with a secret kept outside the database: an unkeyed hash over a small, enumerable address space can be matched by simply hashing the directory.

  • Hashed identifiers: User and mailbox identifiers are always stored as one-way cryptographic hashes
  • No message storage: Email bodies are processed in memory and never persisted — only threat indicators are retained
  • Configurable retention: Automatic data purge on your schedule for events, audit logs, and training records
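An added example (not Cupelon's code) of the difference between an unkeyed hash and a keyed pseudonym, which is the point behind the hashed-identifier bullets in this section and under FIPS-Approved Cryptography. The directory, the demo key and the attacker-side lookup are constructed for the example; HMAC-SHA-256 is the FIPS 198-1 construction over an approved hash, and on CPython `hashlib`/`hmac` call into the system OpenSSL, so on Ubuntu Pro in FIPS mode they run inside the validated module:

```python
import hashlib
import hmac
import os

# Constructed directory: the kind of list an attacker holding only the database
# could rebuild from a company website, a GAL export or a breach dump.
DIRECTORY = ["alice@example.mil", "bob@example.mil", "carol@example.mil"]

# Demo pepper, generated at start-up for the example; in production it lives in
# a secret store or HSM and is never written next to the data it protects.
DEMO_KEY = os.urandom(32)

def normalize(address: str) -> str:
    """Canonicalise before hashing so Bob@Example.mil and bob@example.mil map to one id."""
    return address.strip().lower()

def plain_hash(address: str) -> str:
    """Unkeyed SHA-256: one-way in theory, but the input space is a short directory."""
    return hashlib.sha256(normalize(address).encode()).hexdigest()

def keyed_id(address: str, key: bytes) -> str:
    """HMAC-SHA-256 pseudonym: stable for joins, unmatchable without the key."""
    return hmac.new(key, normalize(address).encode(), hashlib.sha256).hexdigest()

def reverse_by_directory(stored_id: str, directory, key: bytes = None):
    """Attacker's move: hash every known address and compare against the stored id."""
    for address in directory:
        candidate = keyed_id(address, key) if key is not None else plain_hash(address)
        if hmac.compare_digest(candidate, stored_id):
            return address
    return None

if __name__ == "__main__":
    stored_plain = plain_hash("bob@example.mil")
    stored_keyed = keyed_id("bob@example.mil", DEMO_KEY)
    print("unkeyed:", reverse_by_directory(stored_plain, DIRECTORY))   # recovers bob
    print("keyed:  ", reverse_by_directory(stored_keyed, DIRECTORY))   # None without the key
```

Two operational consequences follow. Rotating the key changes every stored identifier, so rotation has to be done together with a re-keying pass over the records (or the old key retained for lookups), and the key must never be exported with the database backup, or the backup carries the directory-matching capability with it. In FIPS mode, keep to approved digests here: `hashlib.md5()` is refused by the validated OpenSSL unless created with `usedforsecurity=False`, which is only appropriate for non-security uses such as cache keys.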

Compliance Framework Alignment

Cupelon's architecture supports the following compliance frameworks. Features like audit logging, RBAC, certificate auth, and data retention provide the technical controls these frameworks require.

CMMC

Cybersecurity Maturity Model Certification for DoD contractors. Inline training supports AT.L2-3.2.1 phishing awareness requirements.

NIST 800-171

Protecting CUI in non-federal systems. Acknowledgment logs can help demonstrate 03.02.01 literacy training.

FedRAMP

Architecture-ready for FedRAMP. Inline training supports AT-2 and AT-2(3) at Low and Moderate baselines.

FISMA

Federal Information Security Management Act. Training logs support AT-2 awareness training documentation.

CJIS

Criminal Justice Information Services security policy. Training acknowledgments support Policy Area 5.2 documentation.

IRS 1075

Safeguarding Federal Tax Information. Training records support Section 6.2 awareness documentation.

DISA STIG

Security Technical Implementation Guide compliance support.

Built For

DoD Contractors

CMMC compliance support for the Defense Industrial Base. Self-hosted with FIPS-approved algorithms and certificate authentication.

Federal Agencies

FedRAMP-aligned architecture with comprehensive audit logging for FISMA compliance.

State & Local Government

CJIS-ready deployment for law enforcement and criminal justice organizations.

Critical Infrastructure

Air-gap capable for energy, water, and transportation sectors where internet access is restricted.

Questions About Compliance?

Contact us for architecture documentation, compliance mapping worksheets, or air-gap installation packages.