SOC 2

Self-policed readiness, not an attestation

SOC 2 Type 1 readiness in progress (self-policed; not yet externally audited). Controls are live and operating today; an external auditor has not yet been engaged. The readiness assessment and control matrix are available on request.

Executive summary

We are pursuing SOC 2 Type 1 readiness on a self-policed basis. No external auditor has been engaged yet; no report has been issued. Type II is a downstream goal once Type 1 readiness is externally attested.

Readiness controls are live today: change management, encryption, access control, audit logging, incident response. The gap to a SOC 2 report is external auditor engagement and observation time. Our internal control matrix is available on request to evaluating Enterprise prospects.

Our commitments

Five rules for the audit posture

01

The audit is the point

We are not pursuing SOC 2 because customers ask for the badge — we are doing it because customers want a third party to have looked at us. The badge is a side effect of the work.

02

Type II, not Type I

Type I is a point-in-time controls description. Type II is operating effectiveness over months. We chose Type II because Type I tells you almost nothing about whether the controls are actually running.

03

Readiness is open to evaluation

The internal control matrix is available on request to evaluating Enterprise prospects.

04

Subprocessors are listed and vetted

Each subprocessor has its own SOC 2 / ISO 27001 attestation we have reviewed. The list is published; new subprocessors get 30 days notice with a right to object.

05

Findings, when they happen, are owned

Audit findings are not catastrophes — they are the audit doing its job. We track findings publicly to affected customers and resolve them on a documented schedule.

Implementation — Trust Service Criteria

What the audit covers

Security (CC) In scope Common Criteria — required for every SOC 2 report
Availability (A) In scope Uptime, recovery, capacity planning
Processing Integrity (PI) In scope Sealing, hashing, signature integrity
Confidentiality (C) In scope Customer data segregation; encrypted at rest and in transit
Privacy (P) Out of scope (Type II v1) Privacy criterion to be added in subsequent observation period
External auditor Not yet engaged We have not yet engaged an external SOC 2 auditor

The full picture

What is built, what is being built, and what we chose not to build

Live today

Encryption controls

Live

AES-256-GCM at rest, TLS 1.3 in transit, field-level encryption for high-risk secrets.

Granular access control

Live

37 organization-level permissions and custom roles. MFA enrollment is required before any user can seal, and a step-up TOTP check runs at sealing time on a 10-minute sudo window — satisfying SOC 2 CC6.1 (logical access controls) for the highest-trust operation in the system. Every gate outcome is recorded in the hash-chained audit log.

Hash-chained audit log

Live

Tamper-evident event log; verifiable by an independent NIF you can run yourself.

Change management with required review + green CI

Live

Every production deploy ties to a git SHA; rollback is a redeploy of a known-good SHA.

Documented incident response

Live

Severity 1-4 classification with response targets; postmortem culture for sev 1-2 incidents.

Building now

SOC 2 Type 1 readiness

Building now

Internal readiness work in progress (self-policed); external auditor engagement is a downstream step.

Public per-component status page

Building now

Separate signals for API, sealing, verification, AI, webhook delivery; real-time incident posting with engineer commentary.

Roadmap

ISO 27001 certification

Roadmap

Following SOC 2. Most controls map directly; the gap is documentation rigor, not implementation.

HIPAA Business Associate Agreement

Roadmap

Most technical controls are already in place; the BAA is the contractual layer on top of the existing posture.

SOC 2 Privacy criterion

Roadmap

Adding the Privacy TSC in a subsequent observation period as customer demand emerges.

FedRAMP authorization

Roadmap

Driven by US government customer demand; significant infrastructure work to satisfy the controls catalog.

Considered & rejected

SOC 2 Type I as a finished destination

Considered & rejected

Type I is "you wrote down your controls." Type II is "the controls actually ran for several months." We treat Type I as a stop on the way, not the end.

Why we rejected it: Type I has the same SOC 2 logo on the cover and asks much less of the auditee. We are not interested in the same logo at lower cost — we want the report customers can actually rely on.

"Trust us" attestation pages with no audit

Considered & rejected

Self-written control descriptions are not evidence. They are advertising.

Why we rejected it: customers ask for SOC 2 because they want a third party to have looked at us. A page where we describe our own controls answers a different question — one customers did not ask.

Buying a fast-track SOC 2 from a "compliance-as-a-service" vendor

Considered & rejected

The work is the audit. Outsourcing the audit prep to a tooling vendor does not change that.

Why we rejected it: tooling that helps collect evidence is fine. A "we will get you certified in 60 days" vendor that promises a shortcut is selling the appearance of compliance, not the thing itself.

Hiding past audit findings from customers

Considered & rejected

Findings are how the audit improves the system. Hiding them is how the system stops improving.

Why we rejected it: customers learn more from how a vendor responds to a finding than from a clean report. We surface findings that affect customer-visible posture and document the remediation.

Compliance mappings

Controls already mapped

SOC 2 CC6.1

Logical Access — Authentication

Session MFA; hashed session tokens; field-level credential encryption

SOC 2 CC6.6

Logical Access — Network Segmentation

HTTPS-only origin behind Cloudflare; trusted-proxy IP extraction

SOC 2 CC6.7

Data Transmission and Disposal

TLS 1.3 in transit; AES-256-GCM at rest; cryptographic erasure on delete

SOC 2 CC7.2

Anomaly Detection

Hash-chained audit log; new-device events; geo signals

SOC 2 CC8.1

Change Management

Per-PR review + green CI; reproducible deploys per git SHA

SOC 2 A1.1

Availability — SLA commitments

99.9% uptime SLA on Enterprise; per-component status page (in progress)

SOC 2 A1.2

Availability — Recovery

Documented RTO/RPO; backup procedures in place

SOC 2 PI1.1

Processing Integrity — Inputs

Per-version hash + signature confirms input integrity

For compliance teams

Questions you do not need to call to ask

What is your SOC 2 status today?
SOC 2 Type 1 readiness is in progress on a self-policed basis. No external auditor has been engaged; no report has been issued. The internal control matrix is available on request to evaluating Enterprise prospects.
What's your subprocessor policy?
Published list updated when it changes. Each subprocessor has its own SOC 2 / ISO 27001 attestation we have reviewed. Enterprise customers receive 30 days notice of new subprocessors with a right to object.
Can we run our own audit against your controls?
Customer-initiated penetration tests against your own data and account are supported under our pen-test policy. Full third-party audit access for individual customers is generally not — that is what the SOC 2 report is for.
What happens if a finding is identified during the audit?
Findings are tracked in the same project board as our internal security work. Severity-based remediation timeline; affected customer-visible posture surfaces in the public status page or via direct email.

Talk to our security team

Talk to our security team for the readiness summary, control matrix, and timeline.