SOC 2
Self-policed readiness, not an attestation
SOC 2 Type 1 readiness in progress (self-policed; not yet externally audited). Controls are live and operating today; an external auditor has not yet been engaged. The readiness assessment and control matrix are available on request.
Executive summary
We are pursuing SOC 2 Type 1 readiness on a self-policed basis. No external auditor has been engaged yet; no report has been issued. Type II is a downstream goal once Type 1 readiness is externally attested.
Readiness controls are live today: change management, encryption, access control, audit logging, incident response. The gap to a SOC 2 report is external auditor engagement and observation time. Our internal control matrix is available on request to evaluating Enterprise prospects.
Our commitments
Five rules for the audit posture
The audit is the point
We are not pursuing SOC 2 because customers ask for the badge — we are doing it because customers want a third party to have looked at us. The badge is a side effect of the work.
Type II, not Type I
Type I is a point-in-time controls description. Type II is operating effectiveness over months. We chose Type II because Type I tells you almost nothing about whether the controls are actually running.
Readiness is open to evaluation
The internal control matrix is available on request to evaluating Enterprise prospects.
Subprocessors are listed and vetted
Each subprocessor has its own SOC 2 / ISO 27001 attestation we have reviewed. The list is published; new subprocessors get 30 days notice with a right to object.
Findings, when they happen, are owned
Audit findings are not catastrophes — they are the audit doing its job. We track findings publicly to affected customers and resolve them on a documented schedule.
Implementation — Trust Service Criteria
What the audit covers
The full picture
What is built, what is being built, and what we chose not to build
Live today
Encryption controls
LiveAES-256-GCM at rest, TLS 1.3 in transit, field-level encryption for high-risk secrets.
Granular access control
Live37 organization-level permissions and custom roles. MFA enrollment is required before any user can seal, and a step-up TOTP check runs at sealing time on a 10-minute sudo window — satisfying SOC 2 CC6.1 (logical access controls) for the highest-trust operation in the system. Every gate outcome is recorded in the hash-chained audit log.
Hash-chained audit log
LiveTamper-evident event log; verifiable by an independent NIF you can run yourself.
Change management with required review + green CI
LiveEvery production deploy ties to a git SHA; rollback is a redeploy of a known-good SHA.
Documented incident response
LiveSeverity 1-4 classification with response targets; postmortem culture for sev 1-2 incidents.
Building now
SOC 2 Type 1 readiness
Building nowInternal readiness work in progress (self-policed); external auditor engagement is a downstream step.
Public per-component status page
Building nowSeparate signals for API, sealing, verification, AI, webhook delivery; real-time incident posting with engineer commentary.
Roadmap
ISO 27001 certification
RoadmapFollowing SOC 2. Most controls map directly; the gap is documentation rigor, not implementation.
HIPAA Business Associate Agreement
RoadmapMost technical controls are already in place; the BAA is the contractual layer on top of the existing posture.
SOC 2 Privacy criterion
RoadmapAdding the Privacy TSC in a subsequent observation period as customer demand emerges.
FedRAMP authorization
RoadmapDriven by US government customer demand; significant infrastructure work to satisfy the controls catalog.
Considered & rejected
SOC 2 Type I as a finished destination
Considered & rejectedType I is "you wrote down your controls." Type II is "the controls actually ran for several months." We treat Type I as a stop on the way, not the end.
Why we rejected it: Type I has the same SOC 2 logo on the cover and asks much less of the auditee. We are not interested in the same logo at lower cost — we want the report customers can actually rely on.
"Trust us" attestation pages with no audit
Considered & rejectedSelf-written control descriptions are not evidence. They are advertising.
Why we rejected it: customers ask for SOC 2 because they want a third party to have looked at us. A page where we describe our own controls answers a different question — one customers did not ask.
Buying a fast-track SOC 2 from a "compliance-as-a-service" vendor
Considered & rejectedThe work is the audit. Outsourcing the audit prep to a tooling vendor does not change that.
Why we rejected it: tooling that helps collect evidence is fine. A "we will get you certified in 60 days" vendor that promises a shortcut is selling the appearance of compliance, not the thing itself.
Hiding past audit findings from customers
Considered & rejectedFindings are how the audit improves the system. Hiding them is how the system stops improving.
Why we rejected it: customers learn more from how a vendor responds to a finding than from a clean report. We surface findings that affect customer-visible posture and document the remediation.
Compliance mappings
Controls already mapped
Logical Access — Authentication
Session MFA; hashed session tokens; field-level credential encryption
Logical Access — Network Segmentation
HTTPS-only origin behind Cloudflare; trusted-proxy IP extraction
Data Transmission and Disposal
TLS 1.3 in transit; AES-256-GCM at rest; cryptographic erasure on delete
Anomaly Detection
Hash-chained audit log; new-device events; geo signals
Change Management
Per-PR review + green CI; reproducible deploys per git SHA
Availability — SLA commitments
99.9% uptime SLA on Enterprise; per-component status page (in progress)
Availability — Recovery
Documented RTO/RPO; backup procedures in place
Processing Integrity — Inputs
Per-version hash + signature confirms input integrity
For compliance teams
Questions you do not need to call to ask
What is your SOC 2 status today?
What's your subprocessor policy?
Can we run our own audit against your controls?
What happens if a finding is identified during the audit?
Talk to our security team
Talk to our security team for the readiness summary, control matrix, and timeline.