SOC 2 Type II timeline
We commit to a public roadmap to SOC 2 Type II so customers can plan their procurement around it. Honest milestones, no "compliance theatre" — Type II requires a real 6-month observation window, not a one-day audit.
Milestones
2026-Q1
Architecture readiness
AWS multi-AZ + AES-256 at rest + TLS 1.2+ + Secrets Manager + IAM least-privilege. All foundational controls shipped.
2026-Q2
GDPR-ready architecture
Privacy audit Wave 1-4 complete: data minimization, right to erasure flows, consent gates, biometric processing under Article 9(2)(a).
2026-Q3
Audit log + incident response baseline
Centralised audit trail (1-3 year retention per tier), incident response runbook, on-call rotation, breach notification protocol.
2026-Q4
Auditor selection — Vanta + A-LIGN
Selected: Vanta for compliance automation (continuous evidence collection from AWS, Stripe, Okta, GitHub, SES) + A-LIGN as the audit firm. SVDY joins the same toolchain Linear, Ramp, ClickUp, Loom run on.
2026-Q4
Readiness assessment
Vanta-driven gap analysis + A-LIGN human readiness review. Reviews policies, access controls, change management, vendor management, encryption — flags any remaining gaps for remediation before the 6-month observation window starts.
2027-Q1
Audit period kickoff
6-month observation window starts. Continuous evidence collection — control operating effectiveness over time, not just point-in-time.
2027-Q2
Audit period close
Auditor finishes evidence review. Exit interview + management response. Report drafting begins.
2027-Q3
SOC 2 Type II report issued
Final report available to customers under NDA. Annual re-audit cadence begins; report refreshed yearly with each Type II observation period.
Vendor selection
We selected industry-standard tooling rather than building a custom compliance pipeline. Pre-customer phase, this trades ~$25k/year for engineer time that goes to product features instead.
Vanta — compliance automation platform
Continuous evidence collection from AWS, Stripe, Okta, GitHub, SES. 1500+ customers including Linear, Ramp, ClickUp, Loom. SOC 2 + GDPR + ISO 27001 + HIPAA modules under one roof.
A-LIGN — audit firm
Vanta's largest partner audit firm; ~40% of Vanta SOC 2 Type II reports route through A-LIGN. SMB SaaS specialty. Mid-tier pricing, ~3 weeks report turnaround after audit period closes.
Why Type II, not Type I
SOC 2 Type I attests that controls existed at a point in time; Type II attests they operated effectively over a period (typically 6 months). Enterprise IT teams discount Type I — it's essentially a snapshot. Type II is the one they ask for.
We're skipping Type I and going straight to Type II to avoid the "useless milestone" trap. Adds about 6 months to the timeline but produces a report customers actually use.
Need to fill out a security questionnaire today?
Until SOC 2 Type II ships in Q3 2027, we provide:
• CAIQ-Lite responses to the standard CSA Cloud Controls Matrix.
• Custom responses to vendor-specific questionnaires (Vanta, Drata, SecurityScorecard imports — typically 3 business days).
• Architecture diagrams + data flow descriptions, signed by engineering leadership.
