Security · SOC 2 roadmap
The path to SOC 2 attestation
SOC 2 (Service Organization Control 2) is the security-controls attestation enterprise customers ask about first. This page documents CredScore’s current security posture, the roadmap to Type I attestation, and the ongoing operational rigor required to maintain Type II.
Current attestation status: in-progress, Type I target Q1 2027. Vendor evaluation begins Q4 2026.
Milestone timeline
Q3 2026
Foundation: policies, access controls, encryption baseline
Codified information security policy, incident response runbook, employee onboarding/offboarding process. SSO on all admin surfaces. Encryption in transit (TLS 1.3) and at rest (Supabase-managed Postgres, Vercel infrastructure) for all customer data.
Q4 2026
Vendor evaluation + gap remediation
Engage a SOC 2 auditor (Vanta / Drata / Secureframe evaluation). Complete initial control gap analysis. Remediate identified gaps. Deploy audit logging for all sensitive operations (analysis runs, verdict access, API key mint/revoke).
Q1 2027
SOC 2 Type I attestation
Complete Type I audit — attestation of controls at a point in time. Publish the report to enterprise buyers under NDA.
Q2-Q4 2027
Observation window for SOC 2 Type II
Six- to twelve-month observation period during which the auditor evaluates control operation over time. Requires sustained control operation, evidence collection, and quarterly reviews.
Q1 2028
SOC 2 Type II attestation
Full Type II report available to enterprise buyers under NDA. Renewal cadence: annual.
Controls in place today
Access management
- Single sign-on (Clerk) on every authenticated surface
- Role-based access on org workspaces (owner / admin / analyst)
- Founder-console pages gated by email allowlist
- API keys stored as SHA-256 hashes; raw key shown once at creation
- Session revocation on user request
Data protection
- TLS 1.3 in transit for all customer-facing traffic
- Encryption at rest via Supabase (PostgreSQL) and Vercel infrastructure
- No PII stored beyond email (Clerk-managed) and Supabase user_id references
- Verdict payloads contain public on-chain data — no privacy-sensitive input
Application security
- Every deploy runs TypeScript type-check and Next.js production build
- Server-side input validation on every mutating endpoint
- Rate limiting on public endpoints (/api/v1, /api/try, /api/embed)
- Content-Security-Policy and HSTS headers on all HTML responses
- Weekly dependency review via GitHub Dependabot alerts
Operational security
- Version-stamped verdicts (engine_version + analysis timestamp on every artifact)
- Immutable audit log of every analysis run (analysis_audit_log table)
- Validation failures logged for engine calibration review
- Founder inbox notifications on high-severity operational events
Incident response
- Incident classification: P0 (data exposure or availability), P1 (partial functional), P2 (informational)
- P0 incidents get customer notification within 24 hours per policy
- Public status page at /status (uptime + incident log)
- Postmortem published on the /changelog for material incidents
Need earlier access or a security review? Enterprise buyers who need SOC 2 documentation before Type I attestation is complete: email security@credscore.us. We’ll walk through the current control set, share a security questionnaire response, and align on the timing to your procurement calendar.