This is not a certification page. It describes our alignment to security frameworks and our progress toward formal audit. We are transparent about what is in place and what is in progress.
We are aligned to the SOC 2 Trust Services Criteria and preparing for a formal audit. Our controls are documented, implemented, and being tested internally. We expect to engage an auditor for a SOC 2 Type I examination in Q4 2026 and will share the resulting report under NDA on request. A Type I report attests to the design of controls at a point in time; operating effectiveness over a review period is only assessed in a Type II examination.
We do not claim a SOC 2 report or certification (SOC 2 is an attestation report issued by a licensed CPA firm, not a certification). We claim alignment: our controls are designed to meet the criteria but have not yet been independently examined.
We have completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v4. The full questionnaire is available as a gated download — visit the Downloads page to request a copy via email.
The table below maps the criteria we have aligned to so far. CC3 (Risk Assessment), CC4 (Monitoring Activities), and CC5 (Control Activities) are not yet mapped.

| Trust Services Criteria | Controls in place | Status |
|---|---|---|
| CC1 – Control Environment | Policies documented, roles defined | In progress |
| CC2 – Communication and Information | Internal comms via Slack + GitHub | In progress |
| CC6 – Logical and Physical Access Controls | MFA, RBAC, least privilege enforced | Aligned |
| CC7 – System Operations | CI/CD pipeline, change review required | Aligned |
| CC8 – Change Management | PR-based deploys, migration scripts reviewed | Aligned |
| CC9 – Risk Mitigation | Vendor risk review, subprocessor tracking | In progress |
| A1 – Availability | Availability SLAs inherited from Vercel and Cloudflare | Aligned |
| C1 – Confidentiality | ZDR (zero data retention) by default, encryption at rest and in transit | Aligned |
| P1-P8 – Privacy | Privacy policy published, DPA available | In progress |
Stereos inherits security controls from infrastructure providers that hold their own SOC 2 Type II attestation reports. Cloudflare, Vercel, Neon, and Stripe (each SOC 2 Type II) form the backbone of our control environment. Our audit scope will document the extent of reliance on each vendor's report and the complementary user entity controls we implement on top of it.