AAuditus.ai

SOC 2 TYPE II

Compliance readiness — Type II in progress

Auditus.ai is undergoing SOC 2 Type II audit readiness across five Trust Services Criteria. This page summarizes our current control register so prospects can assess where we stand before the formal audit report is issued.

Total controls

18

Implemented

14

In progress

4

Overall readiness

78%

CC

Security (Common Criteria)

Logical + physical access, change management, system operations.

  • CC6.1Logical access controls — RBAC + tenant isolation
    Implemented

    lib/security/authorization.ts · canAccessEngagement gate on every tenant-scoped route · activity log records every access attempt

  • CC6.6Encryption in transit
    Implemented

    TLS 1.2+ enforced via Vercel; HSTS preload pending

  • CC6.7Encryption at rest
    Implemented

    Neon PostgreSQL · AES-256 at rest · Vercel Blob server-side encryption

  • CC7.2Continuous monitoring
    In progress

    Activity events table captures all data access; Sentry integration pending

  • CC8.1Change management — release process
    Implemented

    All deploys via Vercel preview → main with required PR review; git history immutable

  • CC9.2Vendor management — sub-processor list
    Implemented

    /subprocessors with DPA links; 30-day notice on additions

A

Availability

System uptime + recovery commitments.

  • A1.2Backup + recovery
    Implemented

    Neon point-in-time-recovery 7-day window; daily snapshot retained 30 days

  • A1.3Capacity planning
    In progress

    Connection pool tuned (max:10 long-running, max:1 serverless); load testing schedule TBD

  • A1.1Performance monitoring
    In progress

    Vercel Analytics live; structured app metrics to /api/metrics in dev only

C

Confidentiality

Information classified as confidential is protected.

  • C1.1Confidentiality of customer data
    Implemented

    Tenant isolation gate on all engagement-scoped routes (34 routes); zero cross-tenant data leak confirmed via curl tests

  • C1.2Disposal of confidential data
    Implemented

    DELETE /api/account/delete (GDPR Art. 17) cascades + anonymizes; 30-day retention for accidental deletion recovery

P

Privacy

Personal information lifecycle managed.

  • P1.1Privacy notice
    Implemented

    /privacy — versioned (current 2026-06-11); re-prompts cookie consent on version bump

  • P2.1Consent for non-essential data
    Implemented

    ConsentBanner gates analytics + functional cookies pre-consent; anon-ID write blocked until granted

  • P5.1Data subject rights — access + portability + erasure
    Implemented

    /account self-service: GET /api/account/export (JSON) + DELETE /api/account/delete; rights honored within 30 days per GDPR Art. 12

  • P6.4Breach notification
    In progress

    Notification template ready; 72-hour escalation playbook drafted; tabletop exercise scheduled Q3

PI

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized.

  • PI1.1Audit trail — forensic activity log
    Implemented

    activity_events table captures every state transition with actor + timestamp + payload; immutable, partition-pruned

  • PI1.4Cryptographic signatures on deliverables
    Implemented

    SHA-256 content hash on every signed audit report; signature chain prevents tampering

  • PI1.5AI processing disclosure (GDPR Art. 22)
    Implemented

    /upload AI-processing strip + /privacy disclosure; Anthropic DPA in /subprocessors

Timeline

  • Q3 2026 — Type I observation window completes; readiness assessment delivered.
  • Q4 2026 — Type II observation window opens (6-month minimum).
  • Q2 2027 — Type II report issued and available under NDA.

Vendors performing the audit: Big-4 affiliate / regional CPA firm with SOC 2 experience. Data Processing Agreement and sub-processor list available for security review now.

To request our Trust Center summary under NDA: ceo@theupcapital.com.