Penetration Testing and Security Assessment – Customer FAQs

Can I perform penetration testing on Citrus-Lime's systems?

Independent customer penetration testing directly against our production environment is not permitted.

However, we fully support your penetration testing and security compliance requirements through comprehensive testing we perform on your behalf.

Why can't I run my own penetration tests?

Citrus-Lime operates a multi-tenant platform where multiple customers share common infrastructure.
Independent penetration testing could:

Impact other customers - Testing activities may affect availability or performance for other businesses
Trigger security controls - Aggressive scanning may cause false alarms or service disruptions

This policy protects all customers while ensuring rigorous security testing is performed.

How does Citrus-Lime support my penetration testing requirements?

We take full responsibility for security testing of the platform. Our approach exceeds standard PCI DSS requirements:

Continuous Penetration Testing

Frequency: Ongoing assessment by vetted security researchers (exceeds the PCI DSS annual requirement)
Scope: All externally-facing systems, APIs, and payment processing infrastructure
Coverage: Real-time vulnerability discovery as new threats emerge

Quarterly Vulnerability Scanning

Frequency: Every quarter and after significant changes
Compliance: Meets PCI DSS external scanning requirements
Standard: Re-scanning until clean results achieved

Continuous Monitoring

Frequency: Monthly scheduled scans plus emerging threat detection
Purpose: Early identification of new vulnerabilities between quarterly scans

What evidence can I receive?

We provide comprehensive security testing evidence to support your compliance and audit needs:

Available Reports:

Penetration Test Reports

Executive summary of findings and risk ratings
Testing scope, methodology, and remediation status

Vulnerability Scan Reports

Quarterly ASV scan results
Clean scan attestations
Remediation timelines for any findings

Attestation Letters

Formal statements signed by Citrus-Lime management
Confirmation of security testing compliance
Suitable for audit or assessor review

Remediation Evidence

Vulnerability closure documentation
Re-scan results confirming resolution

How do I request security testing evidence?

Submit a request through any of our support channels.

Please include:

Your name and company name
Type of evidence needed (penetration test, vulnerability scan, attestation letter)
Purpose (e.g., annual PCI assessment, customer audit)
Any specific format or compliance requirements
Preferred delivery method

Will reports be redacted?

Some technical details may be redacted to protect all customers:

Specific IP addresses or infrastructure details
Detailed exploitation techniques that could be misused
Information that could compromise security of the multi-tenant platform

What if I have unique testing requirements?

We understand some customers have specific regulatory or compliance obligations. If you need testing beyond our standard evidence:

1. Submit a formal request* with detailed justification

2. Our security team will review feasibility and risk

3. Coordinated testing may be possible under supervision with:

Formal approval from Citrus-Lime security leadership
Scheduled timing to minimize impact
Monitoring by our operations team
Separate commercial agreement if required

*Please note: Not all requests can be accommodated. We prioritize the security and availability of all customers.

How often do you update your security testing?