Trust & Security

SOC 2 Roadmap

Our current compliance posture and phased path toward SOC 2 Type II certification.

Version: 1.0  ·  Effective date: May 2026  ·  Owner: Cloudryption Security & Privacy

Honest status: Cloudryption is not yet SOC 2 certified. This page describes our compliance target, the controls baseline we are establishing at GA, and the phased roadmap to achieve certification. We believe in transparency over marketing claims.

1. Target trust services scope

Cloudryption's initial SOC 2 engagement will target the Security (CC) trust service criteria. Once the Security category audit cycle is complete and controls are proven, we plan to extend scope to include:

  • Availability (A) — covering uptime monitoring, incident management, recovery targets, and DR testing
  • Confidentiality (C) — covering data classification, encryption, access controls, and disposal

Privacy criteria may be added in a subsequent cycle as customer data processing obligations grow.

2. Pre-GA controls baseline

The following controls are required before broad enterprise GA, and will form the evidence base for the SOC 2 readiness assessment:

  • Production access controls and RBAC documented and enforced
  • MFA enforced for privileged accounts; SSO available for enterprise customers
  • Encrypted backups with tested restore procedures and documented RPO / RTO
  • TLS enforced for all production traffic; obsolete protocols disabled
  • Encryption at rest for all production databases and object storage via cloud KMS
  • Tenant isolation tested in CI with automated negative tests on every PR
  • Audit logging capturing authentication, privileged actions, data access, and exports
  • Vulnerability management including dependency scanning, SBOM, and periodic pen testing
  • Incident response plan with documented severity levels, escalation, and customer notification targets
  • Data retention policy with documented schedules and deletion obligations
  • Vendor / subprocessor inventory with security review criteria
  • Employee security training and acceptable-use agreements
  • Change management — pull-request review, CI gating, and deployment approval

3. Roadmap phases

Phase 0 — GA Baseline (current): establish the minimum controls listed above. This is the foundation for all subsequent phases. Completion is required before accepting enterprise customers at scale.

Phase 1 — Readiness Assessment: engage a qualified SOC 2 auditor or readiness advisor. Conduct a gap assessment against the CC criteria. Document the System Description. Build evidence collection procedures and tooling.

Phase 2 — Remediation: address gaps identified in Phase 1. Update or formalise policies, build control automation, and establish continuous monitoring for key controls.

Phase 3 — Type I Audit: engage auditor for a SOC 2 Type I audit covering design effectiveness of controls at a point in time. Resolve any Type I exceptions.

Phase 4 — Observation Period: operate under the audited controls for a minimum of six months to generate the evidence required for a Type II report.

Phase 5 — Type II Audit: complete a SOC 2 Type II audit covering the operational effectiveness of controls over the observation period. Publish the report to enterprise customers under NDA.

4. Milestones and exit criteria

Milestone          Exit criteria
Phase 0 complete   All pre-GA baseline controls documented, implemented, and tested. Restore test evidence exists.
Phase 1 complete   Readiness assessment report delivered. Gap register created. System Description drafted.
Phase 2 complete   All material gaps from Phase 1 remediated. Control monitoring dashboards active.
Phase 3 complete   SOC 2 Type I report issued with no material exceptions, or exceptions resolved.
Phase 4 complete   Six-month observation period with continuous evidence collection completed.
Phase 5 complete   SOC 2 Type II report issued. Report available to enterprise customers under NDA.

5. What this means for customers

Customers evaluating Cloudryption during the pre-certification period can expect:

  • A security packet covering controls, policies, architecture, and compliance posture
  • A completed security questionnaire (see Security Questionnaire)
  • Transparent disclosure of in-progress controls and target dates where available
  • A commitment to share the SOC 2 Type I and Type II reports with enterprise customers under NDA once completed

Enterprise customers with specific SOC 2 requirements are encouraged to engage early so we can prioritise their control evidence needs within the roadmap.

6. Contact

For SOC 2 readiness questions, security questionnaire support, or enterprise compliance discussions: security@cloudryption.com