SOC 2 TYPE II
Préparation à la conformité — Type II en cours
Auditus.ai est en cours de préparation à l'audit SOC 2 Type II selon les cinq critères des Trust Services. Cette page récapitule notre registre de contrôles actuel afin que les prospects puissent évaluer où nous en sommes avant l'émission du rapport d'audit formel.
Total controls
18
Implemented
14
In progress
4
Overall readiness
78%
Security (Common Criteria)
Logical + physical access, change management, system operations.
- CC6.1Logical access controls — RBAC + tenant isolationImplemented
lib/security/authorization.ts · canAccessEngagement gate on every tenant-scoped route · activity log records every access attempt
- CC6.6Encryption in transitImplemented
TLS 1.2+ enforced via Vercel; HSTS preload pending
- CC6.7Encryption at restImplemented
Neon PostgreSQL · AES-256 at rest · Vercel Blob server-side encryption
- CC7.2Continuous monitoringIn progress
Activity events table captures all data access; Sentry integration pending
- CC8.1Change management — release processImplemented
All deploys via Vercel preview → main with required PR review; git history immutable
- CC9.2Vendor management — sub-processor listImplemented
/subprocessors with DPA links; 30-day notice on additions
Availability
System uptime + recovery commitments.
- A1.2Backup + recoveryImplemented
Neon point-in-time-recovery 7-day window; daily snapshot retained 30 days
- A1.3Capacity planningIn progress
Connection pool tuned (max:10 long-running, max:1 serverless); load testing schedule TBD
- A1.1Performance monitoringIn progress
Vercel Analytics live; structured app metrics to /api/metrics in dev only
Confidentiality
Information classified as confidential is protected.
- C1.1Confidentiality of customer dataImplemented
Tenant isolation gate on all engagement-scoped routes (34 routes); zero cross-tenant data leak confirmed via curl tests
- C1.2Disposal of confidential dataImplemented
DELETE /api/account/delete (GDPR Art. 17) cascades + anonymizes; 30-day retention for accidental deletion recovery
Privacy
Personal information lifecycle managed.
- P1.1Privacy noticeImplemented
/privacy — versioned (current 2026-06-11); re-prompts cookie consent on version bump
- P2.1Consent for non-essential dataImplemented
ConsentBanner gates analytics + functional cookies pre-consent; anon-ID write blocked until granted
- P5.1Data subject rights — access + portability + erasureImplemented
/account self-service: GET /api/account/export (JSON) + DELETE /api/account/delete; rights honored within 30 days per GDPR Art. 12
- P6.4Breach notificationIn progress
Notification template ready; 72-hour escalation playbook drafted; tabletop exercise scheduled Q3
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized.
- PI1.1Audit trail — forensic activity logImplemented
activity_events table captures every state transition with actor + timestamp + payload; immutable, partition-pruned
- PI1.4Cryptographic signatures on deliverablesImplemented
SHA-256 content hash on every signed audit report; signature chain prevents tampering
- PI1.5AI processing disclosure (GDPR Art. 22)Implemented
/upload AI-processing strip + /privacy disclosure; Anthropic DPA in /subprocessors
Timeline
- Q3 2026 — Type I observation window completes; readiness assessment delivered.
- Q4 2026 — Type II observation window opens (6-month minimum).
- Q2 2027 — Type II report issued and available under NDA.
Vendors performing the audit: Big-4 affiliate / regional CPA firm with SOC 2 experience. Data Processing Agreement and sub-processor list available for security review now.
To request our Trust Center summary under NDA: ceo@theupcapital.com.