SOC 2 Readiness

Last updated: 2026-01-13

SOC 2 Type II Readiness

Gray Ghost Data Consultants is committed to achieving SOC 2 Type II compliance. This document outlines our current readiness status and roadmap.

Current Status

Readiness Stage: Gap Assessment Complete
Target Observation Period Start: Q3 2026
Target Audit Fieldwork and Report: Q4 2026
Auditor: [To be selected]

Trust Services Criteria Coverage

SOC 2 is based on the AICPA Trust Services Criteria (TSC). The Security category (the Common Criteria, CC1-CC9) is required in every SOC 2 report; Availability, Confidentiality, Processing Integrity and Privacy are included at the service organization's option. Our current coverage:

Security (Common Criteria) - Required

Criteria  Description                          Status
CC1       Control Environment                  🔄 In Progress (background check documentation outstanding; see Gap Remediation)
CC2       Communication and Information        🔄 In Progress (security awareness training records outstanding; see Gap Remediation)
CC3       Risk Assessment                      ✅ Ready
CC4       Monitoring Activities                ✅ Ready
CC5       Control Activities                   ✅ Ready
CC6       Logical and Physical Access Controls ✅ Ready
CC7       System Operations                    ✅ Ready
CC8       Change Management                    ✅ Ready
CC9       Risk Mitigation                      ✅ Ready

Availability - Optional (Included)

Criteria  Description                                                     Status
A1.1      Capacity management and monitoring against availability commitments  ✅ Ready
A1.2      Environmental protections, backup and recovery infrastructure   ✅ Ready
A1.3      Recovery plan testing                                           ✅ Ready

Confidentiality - Optional (Included)

Criteria  Description                                                 Status
C1.1      Identification and protection of confidential information  ✅ Ready
C1.2      Disposal of confidential information                        ✅ Ready

Processing Integrity - Optional (Not in scope)

Not included in initial scope. May be added in future audits.

Privacy - Optional (Not in scope)

Privacy controls documented separately. May be added in future audits.

Key Controls Implemented

Access Control

  • Authentication: MFA required for all system access
  • Authorization: Role-based access control (RBAC)
  • Provisioning: Automated onboarding/offboarding workflows
  • Review: Quarterly access reviews completed

Change Management

  • Version Control: All code changes tracked in Git
  • Code Review: Pull request approval required
  • Testing: Automated testing in CI/CD pipeline
  • Deployment: Staged rollout with rollback capability

Incident Response

  • Detection: Automated monitoring and alerting
  • Response: Documented incident response procedures
  • Communication: Client notification within 72 hours of confirming an incident that affects client data or services
  • Post-Incident: Root cause analysis and remediation

Business Continuity

  • Backup: Daily encrypted backups with 30-day retention
  • Recovery: Disaster recovery procedures tested at least annually, with results retained as evidence for A1.3
  • RTO/RPO: 4-hour RTO, 1-hour RPO. Note that daily backups alone give a worst-case RPO of 24 hours; a 1-hour RPO is only achievable where the underlying data store provides continuous replication or point-in-time recovery, and the audit evidence should show which mechanism delivers it

Evidence Collection

We maintain evidence for SOC 2 audit including:

Evidence Type        Collection Method        Frequency
Access Reviews       Automated reports        Quarterly
Security Training    LMS completion records   Annual (LMS tracking in progress; see Gap Remediation)
Vulnerability Scans  Automated scanning       Weekly
Penetration Tests    Third-party reports      Annual
Incident Reports     Ticketing system         As needed
Change Logs          Git/deployment logs      Continuous
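The quarterly access review in the Access Control and Evidence Collection sections above is the control an auditor samples most heavily under CC6: they want to see which accounts were reviewed, against what source of truth, what was found, and that each finding was tracked to closure. The script below is an added example, not Gray Ghost Data's own tooling. It assumes a normalised export from the identity provider (field names such as `mfa`, `roles` and `last_login` are assumptions) and an HR roster as the source of truth, reconciles the two, and emits the review record as evidence. All accounts in it are constructed sample data.

```python
"""Quarterly user access review: reconcile identity-provider accounts against the HR roster.

Added example for this page, not Gray Ghost Data's tooling. Input field names,
the role policy and the staleness threshold are assumptions; all records below
are constructed sample data.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed IdP export after normalisation (field names assumed).
IDP_USERS = [
    {"email": "alice@example.com", "mfa": True,  "roles": ["engineer"],          "last_login": "2026-01-10T09:00:00Z", "active": True},
    {"email": "bob@example.com",   "mfa": False, "roles": ["engineer", "admin"], "last_login": "2026-01-12T14:30:00Z", "active": True},
    {"email": "carol@example.com", "mfa": True,  "roles": ["admin"],             "last_login": "2025-09-01T08:00:00Z", "active": True},
    {"email": "dave@example.com",  "mfa": True,  "roles": ["support"],           "last_login": "2026-01-05T10:00:00Z", "active": True},
    {"email": "svc-deploy@example.com", "mfa": False, "roles": ["deployer"],     "last_login": None,                   "active": True},
]

# Constructed HR roster: the source of truth for who should have access.
HR_ROSTER = {
    "alice@example.com": {"status": "active",     "function": "engineer"},
    "bob@example.com":   {"status": "active",     "function": "engineer"},
    "carol@example.com": {"status": "terminated", "function": "engineer"},
    "dave@example.com":  {"status": "active",     "function": "support"},
}

# Assumed RBAC policy: roles each job function may hold. Anything else is excess.
ALLOWED_ROLES = {"engineer": {"engineer"}, "support": {"support"}}
STALE_AFTER = timedelta(days=90)          # assumed dormancy threshold
SERVICE_ACCOUNTS = {"svc-deploy@example.com"}  # assumed allow-list of non-human accounts


def review_access(idp_users, roster, as_of):
    """Return findings as (email, issue, detail) tuples."""
    findings = []
    for u in idp_users:
        email = u["email"]
        if email in SERVICE_ACCOUNTS:
            # Non-human accounts cannot enrol MFA; they are reviewed for ownership and rotation instead.
            if not u["mfa"]:
                findings.append((email, "service_account", "non-human account; verify owner and credential rotation"))
            continue
        hr = roster.get(email)
        if hr is None:
            findings.append((email, "not_in_hr", "account exists in IdP but not in HR roster"))
            continue
        if hr["status"] != "active" and u["active"]:
            findings.append((email, "terminated_still_active", "offboarding did not disable the account"))
        if not u["mfa"]:
            findings.append((email, "mfa_missing", "MFA not enrolled; violates MFA-for-all control"))
        excess = set(u["roles"]) - ALLOWED_ROLES.get(hr["function"], set())
        if excess:
            findings.append((email, "excess_roles", f"roles beyond job function: {sorted(excess)}"))
        if u["last_login"] is None:
            findings.append((email, "never_logged_in", "account has never been used"))
        else:
            last = datetime.fromisoformat(u["last_login"].replace("Z", "+00:00"))
            if as_of - last > STALE_AFTER:
                findings.append((email, "stale", f"no login for {(as_of - last).days} days"))
    # Active employees with no account are informational (joiner not yet provisioned).
    idp_emails = {u["email"] for u in idp_users}
    for email, hr in roster.items():
        if hr["status"] == "active" and email not in idp_emails:
            findings.append((email, "missing_account", "active employee with no IdP account"))
    return findings


def run_quarterly_review(as_of_iso, reviewer):
    """Produce the evidence record an auditor samples: scope, date, reviewer,
    and every finding with a slot for the remediation ticket that closes it."""
    as_of = datetime.fromisoformat(as_of_iso.replace("Z", "+00:00"))
    findings = review_access(IDP_USERS, HR_ROSTER, as_of)
    return {
        "review_date": as_of.date().isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(IDP_USERS),
        "findings": [
            {"account": e, "issue": i, "detail": d, "remediation_ticket": None}
            for e, i, d in findings
        ],
    }


if __name__ == "__main__":
    print(json.dumps(run_quarterly_review("2026-01-13T00:00:00Z", "security-lead@example.com"), indent=2))
```

On the sample data this flags bob (no MFA, admin role beyond his function), carol (terminated but still enabled, excess role, dormant) and the service account, and leaves alice and dave clean. The empty `remediation_ticket` field is deliberate: the review record is only complete evidence once each finding carries the ticket that disabled the account or removed the role, which is what ties the quarterly review to the offboarding control.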

Gap Remediation

Areas identified for improvement prior to audit:

Gap                                   Remediation                      Target Date  Status
Formal risk assessment documentation  Document risk register           Q1 2026      ✅ Complete
Vendor risk assessments               Implement vendor review process  Q1 2026      ✅ Complete
Security awareness training records   Implement LMS tracking           Q2 2026      🔄 In Progress
Background check documentation        Formalize HR procedures          Q2 2026      🔄 In Progress

Roadmap

Q1 2026 ─┬─ Gap assessment complete
         └─ Remediation planning

Q2 2026 ─┬─ Control remediation
         └─ Evidence collection begins

Q3 2026 ─┬─ Auditor selection
         ├─ Type II observation period begins
         └─ Readiness assessment

Q4 2026 ─┬─ Observation period ends (auditors generally require at least three months)
         ├─ Type II audit fieldwork
         └─ Report issuance

A Type II report covers operating effectiveness over the observation period, so the period must be closed before fieldwork starts; the Q4 dates depend on the observation period beginning early in Q3.

Requesting SOC 2 Information

Once our SOC 2 Type II report is available, it will be shared under NDA with clients and prospects.

To request information about our SOC 2 readiness or to be notified when the report is available:

Email: compliance@grayghostdata.com

Sub-Service Organizations

Our SOC 2 report will reference the following sub-service organizations. Under the carve-out method, which is the usual approach, controls operated by these providers are excluded from the scope of our report and their own SOC 2 reports should be reviewed alongside ours; the complementary subservice organization controls we rely on will be listed in our report.

Provider      Service           SOC 2 Status
Supabase      Database hosting  Type II
Google Cloud  Infrastructure    Type II
Vercel        Frontend hosting  Type II
Clerk         Authentication    Type II