SOC 2 Roadmap

What's already live. What's in flight.

We publish a working list of SOC 2 controls so security reviewers don't have to take our word for it. Every control below is mapped to a Trust Service Criterion (Security, Availability, Confidentiality, Processing Integrity, Privacy). No target dates — we'll let the attestation letter speak for the timeline.

Live today: 27 controls operating with evidence
In progress: 20 controls designed, evidence-collection ramping

Security (CC) — Common Criteria
Required for every SOC 2 audit.
  • Live: TLS 1.2+ on every endpoint with HSTS preload
  • Live: MongoDB Atlas AES-256 full-disk encryption at rest
  • Live: Browser-session credential vault — Fernet (AES-128 + HMAC) keyed by env-only secret
  • Live: Bcrypt password hashing (cost factor 12) + Firebase Google sign-in (JWKS-verified)
  • Live: Brute-force protection — per-IP+email lockout after N failures
  • Live: Per-org and per-team authorization checks on every data endpoint
  • Live: Private Chief-of-Staff threads scoped to owner-user only
  • Live: Security headers middleware (CSP, X-Frame-Options, Referrer-Policy)
  • Live: Secrets in env only — no credentials in source control
  • Live: Centralized superadmin action logging (actor, action, target, timestamp)
  • Live: Proof-of-integrity — every artifact SHA-256 anchored on Bitcoin via OpenTimestamps
  • In progress: MFA required for all administrator accounts
  • In progress: Quarterly access reviews — formal sign-off log
  • In progress: Vulnerability scanning in CI (Trivy / Snyk) — block on critical CVEs
  • In progress: Dependency upgrade SLA (critical: 7d, high: 30d)
  • In progress: Annual penetration test by external firm

Availability (A)
Optional category — included to support enterprise uptime expectations.
  • Live: Managed MongoDB Atlas with automated geo-replicated backups
  • Live: Encrypted GridFS mirror for every uploaded file (durable through pod redeploys)
  • Live: Supervisor-managed services with automatic restart on crash
  • In progress: External uptime monitoring + on-call rotation
  • In progress: Documented Disaster Recovery (RPO/RTO) runbook + tabletop test
  • In progress: Quarterly backup-restore drill with timed evidence

Confidentiality (C)
Optional category — required by most enterprise security questionnaires.
  • Live: Per-org data isolation enforced at the query layer
  • Live: Capability-URL-gated file serving (unguessable, scoped to org)
  • In progress: Customer-managed encryption keys (BYOK) on Refine dedicated builds
  • In progress: Data classification labels for every collection
  • In progress: Data Loss Prevention scanning on outbound integrations

Processing Integrity (PI)
Optional category — relevant because we run autonomous agents on customer data.
  • Live: LLM call telemetry — every request logged with kind, model, tokens, latency, cost
  • Live: Mission event log — append-only audit trail per mission (think / tool_call / tool_result / artifact)
  • Live: Artifact tamper-evidence — Bitcoin-anchored SHA-256 proofs
  • Live: Anti-hallucination — agents auto-fetch user-supplied URLs as ground truth before responding
  • Live: Empty-promise detector + auto-retry forces same-turn artifact delivery
  • In progress: Formal change-management — PR review + deployment log linked to ticket

Privacy (P)
Optional category — included for GDPR and B2B customer alignment.
  • Live: Right-to-erasure via full account deletion (cascades orgs, teams, conversations, files)
  • Live: Sub-processors disclosed publicly at /legal/sub-processors
  • Live: Standard DPA available on request for every tier
  • Live: Privacy policy + data retention windows published at /legal/privacy
  • In progress: Per-org data export (machine-readable JSON dump)
  • In progress: Cookie-consent banner for marketing surfaces (EU/UK visitors)

Operational maturity & governance
Cross-cutting controls auditors look for.
  • Live: Incident response contact + 24h acknowledgement SLA (team@archeforge.com)
  • Live: Sub-processor inventory maintained on a public page
  • In progress: Documented incident response playbook (detection, containment, eradication, recovery, post-mortem)
  • In progress: Vendor risk assessment for every sub-processor (annual review)
  • In progress: Employee onboarding security training + acknowledgement
  • In progress: Background checks for engineers with production access
  • In progress: Annual policy review + version control on policy docs
  • In progress: Compliance automation platform — Vanta / Drata / Secureframe

Refine tier · dedicated deployment

SOC 2 Type II — on the roadmap for the dedicated build.

The shared platform's roadmap above is one stream of work. The other is the Refine reference build — a dedicated single-tenant deployment template we operate separately. When we engage an auditor it will be scoped to this template; once the Type II attestation lands, every Refine customer inherits the report under NDA without paying for their own audit. Until then, Refine customers get the dedicated deployment with all controls listed above operating today.

Security review teams that need a SIG / CAIQ questionnaire walked through can contact the security team directly.