Trust · SOC 2 Type II
Our path to SOC 2 Type II.
Where Resolute Security stands on every Common-Criteria control today, what evidence backs each one, and when we expect the audited report.
See also: Policy library · Trust page
CC criteria total
33
Satisfied
2988%
Partial
3
Not yet
1
In-scope
Security (Common Criteria) only for the first audit cycle. Availability + Confidentiality folded in after the Type II report ships.
Security (Common Criteria) only. Availability and Confidentiality added after audit firm engaged. Observation period planned to start Jan 2027.
Timeline
- Readiness: ongoing — policies, controls, evidence accumulating since project start
- Observation period start: Jan 2027
- Audit fieldwork: Q3 2027
- Type II report: Q4 2027 (target)
Per-criterion status
Every AICPA Common Criterion with our current self-assessed status. Click a row to read the policy that proves it.
- CC1.1Integrity & ethical valuesSatisfied
Code of Conduct + Acceptable Use Policy define the integrity standard. Founder is sole acknowledger today; pattern scales when the first hire signs the same.
- CC1.2Board oversightNot yet
Solo founder — no board exists. Mitigation: external pen test + external security disclosure surface (security@) provide independent oversight. Will satisfy after Seed raise + first board seat.
- CC1.3Structure & authoritySatisfied
Information Security Policy section 4 names the roles, reporting lines, and decision authorities. Today they all collapse to the founder; the structure scales without rework.
- CC1.4Personnel competencePartial
Annual security training documented in Secure SDLC Policy section 11 (founder watches OWASP refresher + reviews own threat model). Will graduate to formal vendor-delivered training once headcount > 1.
- CC1.5AccountabilitySatisfied
Quarterly self-review (Separation of Duties memo Control 6) plus auditable production_access_reviews table. Reviews skipped = visible gap.
- Policy: Access Control Policy
- Policy: Acceptable Use Policy
- Production Access Inventory + quarterly review log
- CC2.1Quality informationSatisfied
Logging & Monitoring Policy + Sentry + the audit_log table provide quality information. Logs are append-only at the app layer.
- CC2.2Internal communicationPartial
Solo founder makes internal comms trivial. The policies + SoD memo document the comms paths that scale at first-hire (PR review channel, IR Slack channel, quarterly review meeting).
- CC2.3External communicationSatisfied
External comms surface: SECURITY.md, /trust page, /status page, monthly customer email, and the security@ inbox. All publicly accessible.
- Policy: Incident Response Plan
- Policy: Vulnerability Management Policy
- SECURITY.md
- Public status page
- +1 more
- CC3.1ObjectivesSatisfied
Information Security Policy section 2 names the objectives (CIA + customer trust + SOC 2 Type II ready by Q3 2026). Risk Assessment Policy section 3 traces risks to these objectives.
- CC3.2Risk identificationSatisfied
18-entry risk register scored Likelihood x Impact on a 5x5, reviewed quarterly. Methodology documented in Risk Assessment Policy.
- CC3.3Fraud riskSatisfied
Separation of Duties memo enumerates the fraud-risk surface (single-human bypass) and the 8 compensating controls. Risk register entries R-PPL-02 + R-FIN-01 track residuals.
- CC3.4Significant changeSatisfied
Change Management Policy section 4 requires risk assessment on significant changes (new sub-processor, schema change, auth-flow change).
- CC4.1Ongoing & separate evaluationsSatisfied
Quarterly self-review (founder reviews access inventory, finds, PRs, sub-processor bills). Recorded in production_access_reviews. Annual external pen test.
- Policy: Access Control Policy
- Policy: Vulnerability Management Policy
- Quarterly review log
- CC4.2Communicate deficienciesSatisfied
Incident Response Plan section 6 defines deficiency communication (customer notify, status page update, post-incident report). Pen-test findings tracked in the risk register.
- CC5.1Select & develop controlsSatisfied
18 policies map to control activities across CC + A + C. Selection driven by Risk Assessment Policy.
- CC5.2General IT controlsSatisfied
General IT controls: Access Control, Change Management, Cryptography, Vulnerability Management, Logging & Monitoring policies.
- CC5.3Policies & proceduresSatisfied
Every policy in /policies/ is signed-commit-versioned, reviewed annually, acknowledged by every person with credentials.
- CC6.1Restrict accessSatisfied
Access Control Policy + Production Access Inventory list every system, principal, role, and MFA status. Reviewed quarterly.
- Policy: Access Control Policy
- Production Access Inventory
- CC6.2Provisioning & deprovisioningSatisfied
Onboarding / Offboarding Policy ships per-system checklists for joiners + leavers, even at headcount 1 (the founder followed it for self-onboarding).
- CC6.3Authorize role-based accessSatisfied
Access Control Policy section 4 defines least-privilege roles per system. Inventory enforces named accounts with documented roles.
- CC6.4Physical accessSatisfied
No physical office. Acceptable Use Policy section 6 + Onboarding Policy cover home-office posture (locked devices, no shoulder-surf in coffee shops, no Restricted data on disk).
- CC6.5Disposal & redeploymentSatisfied
Data Retention & Disposal Policy section 5 defines disposal methods per asset class. Devices wiped via OS reset + DBAN-equivalent before redeployment or destruction.
- CC6.6Boundary protectionSatisfied
Boundary protection: TLS 1.3 only on web tier (Cryptography Policy), Fly private networking between app + worker + DB, Cloudflare WAF for public surface.
- CC6.7Transmission & movement of dataSatisfied
All in-transit data over TLS 1.3 (HSTS preloaded). At-rest encryption: Postgres EBS-equivalent (Neon), Redis (Upstash), R2. Cryptography Policy section 3 specifies algorithms.
- CC6.8Malicious softwareSatisfied
Secure SDLC Policy section 3 forbids eval/dynamic-import/child_process-with-user-args. Dependency hygiene via Dependabot daily security + lockfile + signed commits.
- CC7.1Vulnerability detectionSatisfied
Vulnerability Management Policy: Dependabot daily security, weekly non-security, annual third-party pen test, severity-based remediation SLAs (Critical: 7d, High: 30d).
- CC7.2Monitor anomaliesPartial
Sentry alerts on error spikes, Fly logs piped to retention storage, app-layer audit_log table for sensitive actions. Gap: no SIEM. Documented in risk register R-INF-02 with mitigation plan.
- CC7.3Evaluate eventsSatisfied
Incident Response Plan section 3 defines event-classification (informational / event / incident) + section 4 the response phases.
- CC7.4Incident response programSatisfied
Incident Response Plan + quarterly tabletop. Sev definitions, communication SLAs, sub-processor breach handling, evidence-preservation steps.
- CC7.5RecoverySatisfied
Business Continuity & DR Plan: RTO 4h for web tier, 24h full data restore. Quarterly DR test (Backup Policy section 5). Solo-founder BCP scenarios memo covers founder-specific failure modes.
- CC8.1Manage changesSatisfied
Change Management Policy: PR -> CI -> AI-assisted review -> branch-protected merge -> auto-deploy. SoD memo Control 1+2+3 detail the compensating controls.
- CC9.1Business disruptionSatisfied
Business Continuity & DR Plan + Key Person Risk memo (Tier 1/2/3 succession) + Solo-founder BCP scenarios memo. Risk register entries R-PPL-01 + R-PPL-03 tracked.
- CC9.2Vendor & business partner riskSatisfied
Vendor Management Policy: tiered (Critical / High / Standard) review cadence. Sub-processors published with 30-day customer notice for adds.
- Policy: Vendor Management Policy
- Public sub-processor list
Want more detail?
Every policy is in the public repo. The risk register, the solo-founder memos, and the SECURITY.md disclosure policy are all linked from /security/policies. For an NDA-gated readiness pack, email security@resolute-security.com.