SOC 2 Type II. Honest progress.
We are in active preparation for a SOC 2 Type II attestation against the Security Trust Services Criteria. The plan is below — done, doing, and to-do, dated by month. Target attestation: Q4 2026.
For the underlying security architecture, see /security. For the customer-trust summary, see /trust.
Phase 2 (Availability + Confidentiality TSC) follows attestation. ISO 27001 is on the roadmap post-SOC 2 if customer demand is there.
What's already in place
Monthly milestones to attestation
We update this table on the first business day of every month. If a milestone slips, the new date is published here with the reason — we will not retroactively edit past dates.
| Quarter | When | Milestone | Status |
|---|---|---|---|
| Q2 2026 | May 2026 | Trust Services Criteria gap analysis (Security TSC, 32 CC controls) | ✓ Done |
| Q2 2026 | May 2026 | Controls matrix published internally (compliance/soc2/CONTROLS.md) | ✓ Done |
| Q2 2026 | May 2026 | Risk register published internally (compliance/soc2/RISK_REGISTER.md) | ✓ Done |
| Q2 2026 | May 2026 | Access Control / Vendor Management / Incident Response policies signed | ✓ Done |
| Q2 2026 | Jun 2026 | Auditor selection (Big-Four-adjacent vs. boutique CPA firm) — shortlist + intro calls | → In progress |
| Q3 2026 | Jul 2026 | Engagement letter signed; readiness assessment begins (Type I review of design effectiveness) | Scheduled |
| Q3 2026 | Jul 2026 | Quarterly access review #1 completed and filed; vendor sub-processor list snapshot | Scheduled |
| Q3 2026 | Aug 2026 | First incident-response tabletop drill (scenario: leaked Supabase service-role key) | Scheduled |
| Q3 2026 | Sep 2026 | Type I letter received; observation period begins (minimum 3 months for Type II) | Scheduled |
| Q4 2026 | Oct 2026 | Monthly Fort Knox + access-review evidence collection rolling forward | Scheduled |
| Q4 2026 | Nov 2026 | Second incident-response drill (scenario: vendor outage with data-exposure ambiguity) | Scheduled |
| Q4 2026 | Dec 2026 | SOC 2 Type II report issued (Security TSC, 3-month observation window) | Scheduled |
Open gaps before the observation period
Honest list. Each gap has a planned close date. If we miss one, we update this table the month it slips.
| Gap | Closing by |
|---|---|
| Formal evidence-collection schedule (which evidence, when, by whom) | Jul 2026 — part of readiness assessment |
| Annual penetration test by an outside firm | Q3 2026 — booked after auditor selection |
| Bus-factor mitigation (single founder is the highest-rated risk in the register) | Ongoing — staged via documented runbooks + Fort Knox automation; first hire decision Q3 2026 |
| Vulnerability disclosure program with a bug bounty payout | Q4 2026 — [email protected] is live and triaged today |
| Customer-facing audit-log retention beyond Cloudflare's default windows | Q3 2026 — Supabase audit table + R2 archive |
Need the controls coverage today?
If your security review needs the controls matrix, sub-processor list, DPA, or a written response to a SIG / CAIQ questionnaire before our Type II report is issued, email [email protected].
Initial reply within 24 hours. We answer enterprise security questionnaires directly — no portal, no gatekeeping.