GRIP OS
CAUGIA TRUST
Security, privacy, and compliance at Caugia, in one place.
We build GRIP OS for European operators who handle revenue-critical data. This page gathers everything a prospective design partner, investor, or security reviewer needs before signing: SOC 2 status, EU data residency, GDPR readiness, audit-log access, and the Sophie citation audit trail. Reach security@caugia.com for anything not covered here.
Compliance posture
SOC 2 Type 1
In progress. Audit window Q3 2026. Gap analysis closed Feb 2026, control matrix maintained against the AICPA TSC criteria. Type 2 follows Q1 2027.
EU data residency
Live. Workspace data lives in Supabase eu-north-1 (Stockholm). No customer data crosses the Atlantic for storage. Vercel edge serves the UI from EU regions.
GDPR
Ready. Data Processing Agreement available on request. Sub-processor list public. Subject access, rectification, erasure, and portability honoured within 30 days.
GDPR readiness
Caugia SASU is the controller for visitor data and the processor for workspace customer data. We process the minimum necessary categories and retain only as long as needed.
Audit log access
Compliance teams get scoped read-only access to the platform audit log: who logged in, what data they read or wrote, what Sophie citations they triggered, and from which IP. CSV export, plus a tamper-evident hash chain on the back end.
Request audit log access→
Sophie audit trail
Sophie operates under a citation discipline contract: every claim she makes must resolve to a real entity slug in the live knowledge graph. Every response is fully traceable.
Documents and live evidence
Direct links to the underlying material. Everything below is public.
Security posture
Threat model, auth guards, data isolation, secret handling, backups, and incident response.
Open SECURITY.md→
Architecture
Runtime topology, data flow, tenancy model, and the AWS + EU infrastructure footprint.
Open ARCHITECTURE.md→
SOC 2 control matrix
30-control self-assessment, current status, target audit dates, and remediation owners.
Open checklist→
Platform status
Real-time health for GRIP OS, Sophie, and the four public demo workspaces.
Open status page→
Contact
Security disclosure: security@caugia.com. Privacy requests: privacy@caugia.com. Commercial and design partner enquiries: contact@caugia.com.
Last updated 2026-04-24.