SigmaShake

SOC 2 Type II Readiness Report

Trust Services Criteria: Security, Availability, Confidentiality

Last Updated: April 14, 2026 | Document Classification: Public — Shareable

7 / 10 Milestones Complete 70% Readiness

Overview

SigmaShake is pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality Trust Services Criteria. This page tracks our progress toward audit readiness.

The technical controls required for SOC 2 scope are fully implemented and documented. Four rounds of independent security auditing have been completed with all 42 findings remediated. We are currently in the auditor selection phase.

Overall Readiness70%

Milestone Timeline

Risk Assessment & Scope Definition

Complete Mar 2026

Defined Trust Services Criteria scope: Security, Availability, Confidentiality, and Processing Integrity. Identified in-scope systems, data flows, and personnel. Published comprehensive THREAT_MODEL.md covering OWASP Top 10 (Web + LLM), STRIDE, CIS Benchmarks, and SLSA.

Technical Controls Implementation

Complete Apr 2026

Implemented all technical controls required for SOC 2 scope: encryption at rest (AES-256) and in transit (TLS 1.3), session management (24h TTL), audit logging (per-row Ed25519 signed governance events; SSO IdP events SHA-256 hash-chained; daily Merkle-chained compliance evidence manifests), access controls (RBAC, SAML/OIDC SSO, IP allowlists), input validation (ReDoS protection, body size limits), and Ed25519 bundle signing.

Security Audit Remediation (4 Rounds)

Complete Apr 2026

Completed four rounds of independent security audit: Fleet infrastructure (23 findings), CLI core (10 findings), MCP server (6 findings), QA integration (3 critical bugs). All 42 findings remediated and verified closed before shipping to production.

Policy & Procedure Documentation

Complete Apr 2026

Documented security policies covering: incident response (48h breach notification SLA), data retention (tier-based: 7d Pro, 90d Enterprise), access management (least privilege, hardware MFA required), change management (PR-based, CI-gated), vendor management (SOC 2 vendors only), and business continuity (IaC via Wrangler, Cloudflare D1 point-in-time recovery).

Controls Evidence Report

Complete Apr 2026

Published internal Controls Evidence Report (v1.1.0) documenting code-level proof of every security control across 12 sections: Risk Profile, Product Security, Data Security, App Security, Endpoint Security, Data Privacy, Access Control, Infrastructure, Network Security, Security Grades, Corporate & Operations, and Compliance Certifications. Available to enterprise customers under NDA.

Vendor Risk Management

Complete Apr 2026

All sub-processors vetted under a Data Processing Agreement and annual review: Cloudflare (SOC 2 Type II, ISO 27001), Stripe (PCI-DSS L1, SOC 2 Type II), GitHub (SOC 2 Type II, ISO 27001), Anthropic (SOC 2 Type II, ISO 27001), Resend (SOC 2 Type II). No sub-processor has access to user source code.

AI-Assisted Internal Security Review

Complete Apr 2026

AI-assisted white-box, code-level security review by Claude Opus 4.7, aligned to OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. Q1 deep review across 12 services completed; every Critical and High finding remediated same-day. Quarterly AI-assisted cadence established. Note: this is an internal review, not a third-party human penetration test; engaging a qualified firm is a planned operator action.

Auditor Selection & Engagement

In Progress

CPA firm selection not yet commenced. Criteria when engagement begins: AICPA-accredited firm with SaaS/cloud-native expertise, experience with Cloudflare Workers architecture, and prior AI/ML SaaS audits. Engaging a licensed CPA firm is a planned operator action.

Type II Observation Window

In Progress

6-month observation window open: 2026-05-18 → 2026-11-17. Evidence is being collected continuously via cron-driven collectors (daily / weekly / monthly / quarterly). A CPA auditor has not yet been engaged; the formal external review has not commenced.

Report Issuance

Pending

Final SOC 2 Type II report issued by the CPA firm. Earliest realistic date is Q1 2027, contingent on engaging an auditor and completing the full observation window (closes 2026-11-17). Expected availability will be published on this page once a CPA firm is engaged.

Trust Services Criteria Coverage

Criteria Status Key Controls
CC: Security Controls Implemented AES-256 at rest, TLS 1.3, RBAC, SAML/OIDC SSO, nonce-based CSP, parameterized queries, Ed25519 signing, per-row signed audit log
A: Availability Controls Implemented Cloudflare edge (300+ PoPs), circuit breaker, daemon supervisor, DDoS mitigation, offline-first CLI, fail-open design
C: Confidentiality Controls Implemented Tenant isolation, per-org D1 databases, OAuth token encryption (AES-GCM), data retention policies, SIEM log egress, field redaction

Note: This readiness report shows our progress toward SOC 2 Type II. It is not a SOC 2 report itself. The formal report will be issued by an independent CPA firm upon completion of the observation window. For detailed, code-level evidence of each control, request the Controls Evidence Report (NDA required).

SigmaShake — SOC 2 Type II Readiness Report

This document is public and may be shared with prospects, partners, and security reviewers.

Contact: security@sigmashake.com | Trust Center: trust.sigmashake.com