SOC 2 readiness
This page is our good-faith self-attestation of controls against the SOC 2 Trust Services Criteria (TSC). We publish it not as a substitute for a formal report, but so prospective partners can see the work and call out gaps.
Status (2026-04-20): Readiness audit window opens Q3 2026. We target a SOC 2 Type II report in Q2 2027. For a signed evidentiary packet today, email security@grailguard.io — we send an NDA-gated PDF with control-by-control evidence IDs.
Legend
- Live — implemented and exercised in production
- Partial — implemented; operational metric or evidence not yet captured
- Planned — design accepted, execution scheduled
Security (Common Criteria)
| Ref | Criterion | Our control | Status |
|---|---|---|---|
| CC1.1 | Commitment to integrity & ethics | Code of conduct, acceptable-use policy, annual attestation by all staff | Live |
| CC2.1 | Communicates security responsibilities | Onboarding deck, quarterly all-hands security review, documented RACI for incident response | Live |
| CC3.1 | Risk management program | Risk register reviewed quarterly with exec team; top-5 mitigations tracked against deadlines | Live |
| CC4.1 | Monitoring of controls | Centralized logging (structured JSON), Sentry for errors, cron-based SLO & webhook-lag monitors | Live |
| CC5.1 | Control activities for risk mitigation | Admin re-auth on high-risk actions, mutation-allowlist on admin APIs, audited payment mutations | Live |
| CC6.1 | Logical access — least privilege | Role-based auth (customer, courier, partner, admin), reviewed on-role-change; MFA on admin | Live |
| CC6.2 | User authentication | Argon2id password hashing, HTTPS-only cookies, HttpOnly JWT, session timeout & re-auth enforcement | Live |
| CC6.3 | Access provisioning & removal | New-hire and off-boarding playbook; 24h deprovisioning SLA with audit trail | Partial |
| CC6.6 | Protection from external threats | WAF at edge, TLS-only (HSTS preload), security headers audit, rate limits on all sensitive endpoints | Live |
| CC6.7 | Transmission & disposal of sensitive data | TLS 1.3 in transit, at-rest AES-256 (Postgres + S3), card data tokenised (never touched) | Live |
| CC6.8 | Malicious code protection | Dependabot + weekly npm audit, Sentry alerts on new stack frames, CSP nonces on HTML | Live |
| CC7.1 | Detect & respond to threats | Webhook signature verification (timing-safe), per-route SLO alerts, webhook-lag monitor (5 min) | Live |
| CC7.2 | Incident monitoring | PagerDuty rotation (planned Q3 2026); structured log lines tagged `kind:slo_alert` / `kind:webhook_lag` | Partial |
| CC7.3 | Incident response | Documented runbooks for payment, partner-webhook, PII exposure incidents; post-mortem template | Live |
| CC7.4 | Learning from incidents | Blameless post-mortems within 5 business days; root-cause tracked to closed remediation ticket | Live |
| CC7.5 | Vulnerability management | Security researcher disclosure program at /security; internal "red-team sweep" cadence | Live |
| CC8.1 | Change management | Feature-flag gated deploys, code review mandatory, automated test suite runs on every PR | Live |
| CC9.1 | Business continuity | Postgres PITR + daily logical backup; runbook-driven restore drill (quarterly target) | Partial |
Availability
| Ref | Criterion | Our control | Status |
|---|---|---|---|
| A1.1 | Performance monitoring | Nightly SLO alert cron, Lighthouse nightly, request_log sampling for per-endpoint p95 | Live |
| A1.2 | Environmental protections | Railway multi-region host; Cloudinary + S3 replicated storage; DNS failover | Live |
Confidentiality
| Ref | Criterion | Our control | Status |
|---|---|---|---|
| C1.1 | Identify & protect confidential information | Data classification policy (public / internal / confidential / restricted); PII retention sweeper | Live |
| C1.2 | Disposal of confidential information | PII retention sweeper scrubs resolved tickets & cancelled draft bookings after policy TTL | Live |
Privacy
| Ref | Criterion | Our control | Status |
|---|---|---|---|
| P1.1 | Notice to data subjects | Public privacy policy with DSAR & erasure instructions; cookie banner with granular consent | Live |
| P2.1 | Choice & consent | Marketing opt-in default off; marketing vs analytics split; DNT respected | Live |
| P3.1 | Data subject rights (GDPR Art. 15 & 17) | In-app DSAR export (JSON) + erasure flow gated by re-auth | Live |
This page reflects GrailGuard's control posture as of 2026-04-20. Certain controls are subject to change as we grow. For the signed, versioned evidentiary packet and auditor correspondence, contact security@grailguard.io.