SOC 2 at CodeCourier.
We treat SOC 2 the way our customers do: as a binding promise about how we build, operate, and audit. Type I controls are mapped today; the Type II observation window is open with an independent CPA firm.
Reports and bridge letters are shared under a mutual NDA. We respond within one business day.
What SOC 2 actually means.
A quick primer for security teams who already know the score - and a short tour for everyone else.
SOC 2 is an attestation framework defined by the AICPA. Independent CPA firms issue reports that describe how a service organisation designs and operates controls aligned with one or more Trust Service Criteria.
A Type I report is a point-in-time snapshot: it confirms that controls were designed properly on a given date. A Type II report covers a continuous observation window (typically 6 to 12 months) and tests whether those controls actually operated as designed.
Scope, criteria, and the report itself are negotiated up front. Customers receive the report under NDA. A bridge letter covers any gap between two consecutive Type II windows so procurement teams never lose continuity.
Type I - Point-in-time. Confirms control design as of a specific date. Useful as an early proof point before the Type II window matures.
Type II - Continuous. Tests operating effectiveness across a 6 to 12 month window. The artifact most enterprise buyers require.
All five TSCs, mapped to concrete controls.
Security is mandatory for every SOC 2 report. We include the four additional criteria because our customers ship code, store data, and serve regulated industries.
Security
Protect systems and data against unauthorised access, disclosure, and damage.
- Zero-trust network with short-lived tokens
- SSO (SAML / OIDC) with MFA enforcement
- RBAC; immutable, exportable audit logs
- Continuous vulnerability scanning
Availability
Make the service available for operation and use as committed.
- Multi-region failover, active standby
- 99.95% uptime SLA target
- Continuous health checks and synthetic probes
- Automated rollback on deploy regressions
Processing Integrity
Process data completely, accurately, in a timely manner, and with authorisation.
- Idempotent job execution per agent run
- Signed payloads between internal services
- Versioned schemas with backward compatibility
- End-to-end reconciliation on critical paths
Confidentiality
Protect information designated as confidential per agreement.
- TLS 1.3 in transit, AES-256 at rest
- Customer-managed keys (BYOK) on enterprise
- Need-to-know access with quarterly review
- Data classification and labelling enforced
Privacy
Collect, use, retain, disclose, and dispose of personal data per commitments.
- GDPR-aligned lawful basis per purpose
- DPA available; subprocessor list published
- Cryptographic erasure within 30 days
- Right-to-access and right-to-delete flows
What the audit covers - and what it does not.
Scope decisions are documented in the engagement letter. We keep them explicit so buyers can match the report against their own risk assessment.
In scope:
- Production application and APIs serving customer workloads
- Customer data stores, backups, and key management systems
- Employee access systems and identity provider integration
- Sandbox runtime, orchestrator, and per-agent isolation boundary
- Observability stack, audit log pipeline, and SIEM
- Subprocessors handling customer data on our behalf
Out of scope:
- Marketing website and unauthenticated public pages
- Sales CRM and internal go-to-market tooling
- Internal R&D environments that do not process customer data
- Customer-managed integrations operated outside our boundary
Our audit cadence.
From readiness assessment to continuous monitoring. Each milestone has an owner, an exit criterion, and a customer-facing artifact.
Inventory snapshot.
A view into the control categories an auditor walks through. The full controls matrix is delivered with the report.
Access Management
Who can do what, on which system, for how long. Provisioned and de-provisioned through the identity provider.
- SSO + MFA
- Quarterly access review
- JIT elevation
- Session timeouts
Change Management
Every change to production code, infrastructure, or configuration is reviewed, approved, and traceable to its author.
- Mandatory code review
- Signed artefacts
- Staged rollouts
- Automated rollback
Risk Management
We maintain a living risk register tied to controls. Material risks have owners, mitigations, and review dates.
- Annual risk assessment
- Risk register reviewed monthly
- Threat modelling per feature
- Board-level reporting
Vendor Management
Every subprocessor is reviewed before onboarding and re-reviewed annually. Material findings drive contractual controls.
- Pre-onboarding review
- Annual re-review
- DPA in place
- Termination playbook
Incident Response
Documented severities, paging matrix, and customer-notification timelines. Post-mortems are blameless and shared.
- Severity definitions
- On-call rotation
- Customer notification SLA
- Annual tabletop
Data Lifecycle
Data is classified, encrypted, retained per policy, and cryptographically erased when its purpose ends.
- Data classification
- Retention schedules
- Crypto-erasure
- Deletion certificate
We update the list whenever the stack changes.
Our subprocessor list is part of the trust package. We update it whenever a vendor that processes customer data is added or removed. Request the latest list with the SOC 2 report, or independently.
Ready to review the report?
Reports, bridge letters, and the controls mapping ship as a single trust package. We respond within one business day.
- SOC 2 report: full report once the observation window closes; current Type I report and bridge letter in the meantime.
- Bridge letter: covers gaps between consecutive Type II windows so procurement never loses continuity.
- SIG questionnaire: Standardized Information Gathering response, completed and signed by the security team.
- Controls mapping: mapping from our controls to ISO 27001, GDPR, HIPAA, or your internal framework on request.
An NDA is required before sharing artefacts. We accept yours or send our standard mutual NDA on request.
Common questions from procurement.
When will Type II be available?
Which auditor are you working with?
Do you map controls to ISO 27001, GDPR, or HIPAA?
Can I get a bridge letter?
Are subprocessors covered in your SOC 2?
How often is the report updated?