Trust Services Criteria: Security, Availability, Confidentiality
Last Updated: April 14, 2026 | Document Classification: Public — Shareable
SigmaShake is pursuing a SOC 2 Type II attestation covering the Security, Availability, and Confidentiality Trust Services Criteria. This page tracks our progress toward audit readiness.
The technical controls in scope for SOC 2 are fully implemented and documented. Four rounds of independent security auditing have been completed and all 42 findings remediated. We are currently in the auditor selection phase.
Defined Trust Services Criteria scope: Security, Availability, and Confidentiality. Identified in-scope systems, data flows, and personnel. Published a comprehensive THREAT_MODEL.md covering the OWASP Top 10 (Web and LLM), STRIDE, CIS Benchmarks, and SLSA.
Implemented all technical controls required for SOC 2 scope: encryption at rest (AES-256) and in transit (TLS 1.3), session management (24h TTL), audit logging (Merkle-chain, tamper-evident), access controls (RBAC, SAML/OIDC SSO, IP allowlists), input validation (ReDoS protection, body size limits), and Ed25519 bundle signing.
Completed four rounds of independent security audit: Fleet infrastructure (23 findings), CLI core (10 findings), MCP server (6 findings), and QA integration (3 critical bugs). All 42 findings were remediated and verified closed before shipping to production.
Documented security policies covering incident response (48h breach notification SLA), data retention (tier-based: 7 days Pro, 90 days Enterprise), access management (least privilege, hardware MFA required), change management (PR-based, CI-gated), vendor management (SOC 2-attested vendors only), and business continuity (infrastructure as code via Wrangler, Cloudflare D1 point-in-time recovery).
Published internal Controls Evidence Report (v1.1.0) documenting code-level proof of every security control across 12 sections: Risk Profile, Product Security, Data Security, App Security, Endpoint Security, Data Privacy, Access Control, Infrastructure, Network Security, Security Grades, Corporate & Operations, and Compliance Certifications. Available to enterprise customers under NDA.
All sub-processors vetted under a Data Processing Agreement and annual review: Cloudflare (SOC 2 Type II, ISO 27001), Stripe (PCI-DSS L1, SOC 2 Type II), GitHub (SOC 2 Type II, ISO 27001), Anthropic (SOC 2 Type II, ISO 27001), Resend (SOC 2 Type II). No sub-processor has access to user source code.
AI-assisted white-box, code-level penetration testing by Claude Opus 4.7, aligned to OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. Q1 deep review across 12 services completed; every Critical and High finding remediated same-day. Quarterly AI-assisted surveillance cadence established, complemented by a separate annual human-led engagement.
Evaluating licensed CPA firms with SaaS/cloud-native expertise to perform the examination under AICPA attestation standards. Engagement letter expected Q2 2026. Criteria: experience with Cloudflare Workers architectures, startup-friendly pricing, and prior AI/ML SaaS audits.
A minimum 3-month (target 6-month) continuous observation period during which the auditor evaluates the operating effectiveness of controls. The start date depends on auditor engagement.
Final SOC 2 Type II report issued by the CPA firm. Expected availability will be published on this page once the observation window is scheduled.
| Criteria | Status | Key Controls |
|---|---|---|
| CC: Security | Controls Implemented | AES-256 at rest, TLS 1.3, RBAC, SAML/OIDC SSO, nonce-based CSP, parameterized queries, Ed25519 signing, Merkle audit log |
| A: Availability | Controls Implemented | Cloudflare edge (300+ PoPs), circuit breaker, daemon supervisor, DDoS mitigation, offline-first CLI, fail-open design |
| C: Confidentiality | Controls Implemented | Tenant isolation, per-org D1 databases, OAuth token encryption (AES-GCM), data retention policies, SIEM log egress, field redaction |
Note: This readiness report shows our progress toward SOC 2 Type II. It is not a SOC 2 report itself. The formal report will be issued by an independent CPA firm upon completion of the observation window. For detailed, code-level evidence of each control, request the Controls Evidence Report (NDA required).
Sigma Shake, Inc. — SOC 2 Type II Readiness Report
This document is public and may be shared with prospects, partners, and security reviewers.
Contact: security@sigmashake.com | Trust Center: trust.sigmashake.com