SOC 2 status

This is the developer-facing SOC 2 page. The public, evidence-grade page lives at trust.claresia.com/soc2.

| Track | Status | Target |
| --- | --- | --- |
| SOC 2 Type 1 | Audit window opens Q1 2026 | Type 1 report Q2 2026 |
| SOC 2 Type 2 | 12-month observation Q1 2026 → Q4 2026 | Type 2 report Q4 2026 |
| Auditor | Schellman / Prescient (selection complete) | |
| Continuous monitoring tooling | Vanta or Drata (selection in progress) | |

The SOC 2 audit covers:

| Trust Service Criteria | In scope |
| --- | --- |
| Security | |
| Availability | |
| Confidentiality | |
| Processing Integrity | |
| Privacy | optional (added Q3 2026) |

In-scope systems:

  • Identity (WorkOS integration, SCIM endpoint, JWT issuance)
  • Hub (Postgres, RLS, provenance + cosign)
  • Distribution Plane (Anthropic / Microsoft / OpenAI / Slack publishers)
  • Telemetry Pipeline (pull connectors, ClickHouse, Command Center surface)
  • Command Center (admin console, RBAC, audit log export)
  • Onboarding Portal
  • All supporting infrastructure (Terraform, CI/CD, observability tenants, on-call paging)

Out-of-scope:

  • The customer’s own LLM platform infrastructure (Anthropic / Microsoft / OpenAI / Google have their own SOC 2 reports, referenced here)
  • The customer’s own cloud (Mode C BYOC — customer-owned, customer-audited)
  • Marketing site, Trust Center static site, this docs site

Controls are mapped to the AICPA TSC v2017 Common Criteria, plus the Additional Criteria for Availability, Confidentiality and Processing Integrity:

  • CC1: Control environment
  • CC2: Communication and information
  • CC3: Risk assessment
  • CC4: Monitoring activities
  • CC5: Control activities
  • CC6: Logical and physical access controls
  • CC7: System operations
  • CC8: Change management
  • CC9: Risk mitigation
  • A: Availability (uptime SLO, DR drills, capacity planning)
  • C: Confidentiality (encryption, access control, data classification)
  • PI: Processing Integrity (provenance + cosign chain, telemetry reconciliation, change-management gating)

Pre-audit, Claresia maintains continuous evidence collection via Vanta/Drata:

  • Automated control checks 24/7
  • Ticketing integration (any control failure auto-creates a Jira ticket)
  • Quarterly internal control review with the Claresia executive team
  • Auditor evidence collection automated end-to-end (no manual evidence requests)

Once issued (Type 1: Q2 2026, Type 2: Q4 2026):

  • Public summary on Trust Center
  • Full report under NDA via your CSM or compliance@claresia.com (CAIQ-style summary available without NDA)

When a customer’s procurement team asks “Do you have SOC 2?”:

  • Today (pre-audit): “SOC 2 Type 1 audit window opens Q1 2026; Type 2 report expected Q4 2026. Continuous monitoring via Vanta/Drata is live.”
  • Q2 2026+: “SOC 2 Type 1 report available under NDA.”
  • Q4 2026+: “SOC 2 Type 1 + Type 2 reports available under NDA.”

Pre-SOC 2:

  • This documentation site (architecture whitepaper)
  • The Trust Center page
  • Pre-filled CAIQ-Lite + SIG-Lite
  • DPA template
  • Pen test summary (Q2 2026)
  • The 7-year governance_event audit chain (cc-050 contract)

For most procurement gates, this is sufficient through Q1 2026. Mid-market deals (Mode A/B) close on this stack today; large-enterprise deals (Mode B/C) typically wait for the SOC 2 Type 1 letter (Q2 2026).

Once SOC 2 Type 2 is in hand:

  • ISO 27001 in flight (Q2 2027)
  • ISO 42001 (AI management systems) — first in industry to certify
  • NIS2 Readiness Pack (Q3 2026)