Caugia SOC 2 pre-audit checklist
Self-assessment of our current posture against the Trust Services Criteria most relevant to a SOC 2 Type I audit. The target audit window is Q3 2026. Most items below are honestly marked "not started" because we are a solo-founder product at pre-seed stage; the goal of this document is to be accurate, not aspirational.
Last updated 2026-04-24.
Legend:
- complete: control is in place and evidenced.
- in progress: partial implementation; measurable gap remains.
- not started: no work yet; captured here so it can be scoped.
Organisation and governance
- Code of conduct. Status: not started. Next step: publish a one-page code of conduct covering harassment, conflicts of interest, and data handling.
- Security policy handbook. Status: in progress. Next step: consolidate SECURITY.md, ARCHITECTURE.md, and this checklist into a single governance binder under docs/compliance/handbook.md.
- Annual risk assessment cadence. Status: not started. Next step: schedule the first formal risk assessment for 2026-Q3, with the output logged under docs/compliance/risk-assessments/.
- Executive accountability for security. Status: complete. The founder-CEO is the named security owner until a dedicated hire lands. Contact security@caugia.com.
- Change log of governance policies. Status: not started. Next step: create docs/compliance/CHANGELOG.md and commit policy updates with dated entries.
Access control
- Multi-factor authentication for all privileged accounts. Status: complete. Vercel, Supabase, GitHub, and Anthropic dashboards all enforce TOTP MFA.
- SSO for team members. Status: not started. Next step: revisit once the first hire is made.
- Role-based access control inside the product. Status: in progress. Workspace-level membership is enforced via workspace_members + RLS; per-role tiers (owner / admin / viewer / finance / operator) are planned in W58.
- Offboarding runbook. Status: not started. Next step: draft a checklist covering credential revocation, session invalidation, and backup key rotation.
- Quarterly access review. Status: not started. Next step: run the first access review in 2026-Q2 (self-audit of Vercel, Supabase, GitHub collaborators) and log the output.
Data protection
- Encryption at rest. Status: complete. Supabase Postgres and Supabase Storage encrypt all data at rest using AES-256 under the managed-key model.
- Encryption in transit. Status: complete. TLS 1.2+ enforced on every client-facing endpoint. Vercel terminates HTTPS with an automatic cert.
- Customer-managed encryption keys. Status: not started. Next step: evaluate Supabase BYOK tier against expected enterprise demand.
- Key rotation policy. Status: in progress. Service role keys rotate on an ad-hoc basis; formal rotation schedule targeted for 2026-Q3.
- Data classification scheme. Status: not started. Next step: classify tables into public / internal / confidential / restricted and document in the handbook.
- Data retention and deletion policy. Status: in progress. GDPR deletion path is scaffolded; retention defaults per data class are pending.
Change management
- Pull-request review on every merge to main. Status: complete. Every merge goes through a PR; the solo-founder case is acknowledged and the next engineer hire will formalise the two-reviewer rule.
- CI running on every PR. Status: complete. Playwright E2E smoke, Vitest unit, and TypeScript typecheck run on every PR.
- Migration review and approval. Status: in progress. Migrations live under supabase/migrations/; a formal approval checklist is targeted for 2026-Q3.
- Infrastructure-as-code for all environments. Status: in progress. Vercel configuration via vercel.json; Supabase configuration is partially codified, with fully codified migration targeted for 2026-Q3.
- Release notes and changelog. Status: in progress. Wave commits ship with a short summary; a customer-facing changelog is pending.
Incident management
- Detection and alerting. Status: in progress. /admin/health exposes a heartbeat; external synthetic monitoring is targeted for 2026-Q3.
- Incident response runbook. Status: not started. Next step: draft docs/runbooks/INCIDENT_RESPONSE.md covering triage, communication, and post-mortem.
- Post-mortem template. Status: not started. Next step: add docs/runbooks/POSTMORTEM_TEMPLATE.md with the standard five-whys structure.
- Customer communication procedure for incidents. Status: not started. Next step: define the notification matrix (who, when, through what channel) and log it in the runbook.
- Annual tabletop exercise. Status: not started. Next step: schedule the first tabletop in 2026-Q4.
Vendor management
- Subprocessors list. Status: in progress. Current subprocessors: Supabase (Postgres, Storage, Auth, eu-central-1), Vercel (compute, CDN, EU edge), Anthropic (LLM inference, US region), Stripe (billing, EU), Resend (transactional email). A public-facing list is targeted for the /legal/data-residency page.
- DPA in place with each subprocessor. Status: in progress. DPAs on file with Supabase, Vercel, and Anthropic; Stripe and Resend pending signature.
- Annual vendor security review. Status: not started. Next step: add the review cadence to the governance handbook.
- Subprocessor change-notification commitment to customers. Status: not started. Next step: publish the commitment on /legal/data-residency and notify design partners on each change.
Scoring summary
- Complete: 6 items.
- In progress: 10 items.
- Not started: 14 items.
Honest reading: we have the platform-level foundations (encryption, MFA, auth guards, RLS, CI) in place thanks to the managed hosts; most of the remaining gap is governance paperwork and formal process, which is exactly what a SOC 2 Type I audit requires us to document. The 2026-Q3 audit target is achievable with a focused quarter of compliance work once the first compliance-savvy hire is on board.
