Trust Services Criteria: Security, Availability, Confidentiality
Last Updated: April 14, 2026 | Document Classification: Public — Shareable
SigmaShake is pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality Trust Services Criteria. This page tracks our progress toward audit readiness.
The technical controls required for SOC 2 scope are fully implemented and documented. Four rounds of independent security auditing have been completed with all 42 findings remediated. We are currently in the auditor selection phase.
Defined Trust Services Criteria scope: Security, Availability, Confidentiality, and Processing Integrity. Identified in-scope systems, data flows, and personnel. Published comprehensive THREAT_MODEL.md covering OWASP Top 10 (Web + LLM), STRIDE, CIS Benchmarks, and SLSA.
Implemented all technical controls required for SOC 2 scope: encryption at rest (AES-256) and in transit (TLS 1.3), session management (24h TTL), audit logging (per-row Ed25519 signed governance events; SSO IdP events SHA-256 hash-chained; daily Merkle-chained compliance evidence manifests), access controls (RBAC, SAML/OIDC SSO, IP allowlists), input validation (ReDoS protection, body size limits), and Ed25519 bundle signing.
Completed four rounds of independent security audit: Fleet infrastructure (23 findings), CLI core (10 findings), MCP server (6 findings), QA integration (3 critical bugs). All 42 findings remediated and verified closed before shipping to production.
Documented security policies covering: incident response (48h breach notification SLA), data retention (tier-based: 7d Pro, 90d Enterprise), access management (least privilege, hardware MFA required), change management (PR-based, CI-gated), vendor management (SOC 2 vendors only), and business continuity (IaC via Wrangler, Cloudflare D1 point-in-time recovery).
Published internal Controls Evidence Report (v1.1.0) documenting code-level proof of every security control across 12 sections: Risk Profile, Product Security, Data Security, App Security, Endpoint Security, Data Privacy, Access Control, Infrastructure, Network Security, Security Grades, Corporate & Operations, and Compliance Certifications. Available to enterprise customers under NDA.
All sub-processors vetted under a Data Processing Agreement and annual review: Cloudflare (SOC 2 Type II, ISO 27001), Stripe (PCI-DSS L1, SOC 2 Type II), GitHub (SOC 2 Type II, ISO 27001), Anthropic (SOC 2 Type II, ISO 27001), Resend (SOC 2 Type II). No sub-processor has access to user source code.
AI-assisted white-box, code-level security review by Claude Opus 4.7, aligned to OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. Q1 deep review across 12 services completed; every Critical and High finding remediated same-day. Quarterly AI-assisted cadence established. Note: this is an internal review, not a third-party human penetration test; engaging a qualified firm is a planned operator action.
CPA firm selection not yet commenced. Criteria when engagement begins: AICPA-accredited firm with SaaS/cloud-native expertise, experience with Cloudflare Workers architecture, and prior AI/ML SaaS audits. Engaging a licensed CPA firm is a planned operator action.
6-month observation window open: 2026-05-18 → 2026-11-17. Evidence is being collected continuously via cron-driven collectors (daily / weekly / monthly / quarterly). A CPA auditor has not yet been engaged; the formal external review has not commenced.
Final SOC 2 Type II report issued by the CPA firm. Earliest realistic date is Q1 2027, contingent on engaging an auditor and completing the full observation window (closes 2026-11-17). Expected availability will be published on this page once a CPA firm is engaged.
| Criteria | Status | Key Controls |
|---|---|---|
| CC: Security | Controls Implemented | AES-256 at rest, TLS 1.3, RBAC, SAML/OIDC SSO, nonce-based CSP, parameterized queries, Ed25519 signing, per-row signed audit log |
| A: Availability | Controls Implemented | Cloudflare edge (300+ PoPs), circuit breaker, daemon supervisor, DDoS mitigation, offline-first CLI, fail-open design |
| C: Confidentiality | Controls Implemented | Tenant isolation, per-org D1 databases, OAuth token encryption (AES-GCM), data retention policies, SIEM log egress, field redaction |
Note: This readiness report shows our progress toward SOC 2 Type II. It is not a SOC 2 report itself. The formal report will be issued by an independent CPA firm upon completion of the observation window. For detailed, code-level evidence of each control, request the Controls Evidence Report (NDA required).
SigmaShake — SOC 2 Type II Readiness Report
This document is public and may be shared with prospects, partners, and security reviewers.
Contact: security@sigmashake.com | Trust Center: trust.sigmashake.com