Skip to main content
SVDY Logo
Trust center

/

Targeted Q1 2027

SOC 2 Type II timeline

We commit to a public roadmap to SOC 2 Type II so customers can plan their procurement around it. Honest milestones, no "compliance theatre" — Type II requires a real 6-month observation window, not a one-day audit.

Milestones

2026-Q1

Done

Architecture readiness

AWS multi-AZ + AES-256 at rest + TLS 1.2+ + Secrets Manager + IAM least-privilege. All foundational controls shipped.

2026-Q2

Done

GDPR-ready architecture

Privacy audit Wave 1-4 complete: data minimization, right to erasure flows, consent gates, biometric processing under Article 9(2)(a).

2026-Q3

In progress

Audit log + incident response baseline

Centralised audit trail (1-3 year retention per tier), incident response runbook, on-call rotation, breach notification protocol.

2026-Q4

In progress

Auditor selection — Vanta + A-LIGN

Selected: Vanta for compliance automation (continuous evidence collection from AWS, Stripe, Okta, GitHub, SES) + A-LIGN as the audit firm. SVDY joins the same toolchain Linear, Ramp, ClickUp, Loom run on.

2026-Q4

Planned

Readiness assessment

Vanta-driven gap analysis + A-LIGN human readiness review. Reviews policies, access controls, change management, vendor management, encryption — flags any remaining gaps for remediation before the 6-month observation window starts.

2027-Q1

Planned

Audit period kickoff

6-month observation window starts. Continuous evidence collection — control operating effectiveness over time, not just point-in-time.

2027-Q2

Planned

Audit period close

Auditor finishes evidence review. Exit interview + management response. Report drafting begins.

2027-Q3

Planned

SOC 2 Type II report issued

Final report available to customers under NDA. Annual re-audit cadence begins; report refreshed yearly with each Type II observation period.

Vendor selection

We selected industry-standard tooling rather than building a custom compliance pipeline. Pre-customer phase, this trades ~$25k/year for engineer time that goes to product features instead.

Vanta — compliance automation platform

Continuous evidence collection from AWS, Stripe, Okta, GitHub, SES. 1500+ customers including Linear, Ramp, ClickUp, Loom. SOC 2 + GDPR + ISO 27001 + HIPAA modules under one roof.

A-LIGN — audit firm

Vanta's largest partner audit firm; ~40% of Vanta SOC 2 Type II reports route through A-LIGN. SMB SaaS specialty. Mid-tier pricing, ~3 weeks report turnaround after audit period closes.

Why Type II, not Type I

SOC 2 Type I attests that controls existed at a point in time; Type II attests they operated effectively over a period (typically 6 months). Enterprise IT teams discount Type I — it's essentially a snapshot. Type II is the one they ask for.

We're skipping Type I and going straight to Type II to avoid the "useless milestone" trap. Adds about 6 months to the timeline but produces a report customers actually use.

Need to fill out a security questionnaire today?

Until SOC 2 Type II ships in Q3 2027, we provide:

CAIQ-Lite responses to the standard CSA Cloud Controls Matrix.

Custom responses to vendor-specific questionnaires (Vanta, Drata, SecurityScorecard imports — typically 3 business days).

Architecture diagrams + data flow descriptions, signed by engineering leadership.

Email security@svdy.com