
SOC 2 Readiness Assessment


Phase 10 control inventory mapped against the Trust Services Criteria.

SOC 2 Readiness Assessment — Habeo

Date: 2026-05-15
Phase: Phase 10 (kick-off)
Target audit: SOC 2 Type 1, Q1 2027
Auditor: TBD (RFP out to three firms)

This document inventories the controls Habeo has in place as of Phase 10, mapped against the SOC 2 Trust Services Criteria (TSC). It is the readiness gap analysis that precedes engaging an auditor: it tells us what to do next, not what has been audited.


TSC Categories Covered

Security (Common Criteria CC1 through CC9), Availability (A1) and Confidentiality (C1). Processing Integrity and Privacy are not inventoried here.

Control Inventory

CC1 — Control Environment

ID Control Status Evidence
CC1.1 Code of conduct 🟡 Draft Internal CoC drafted; needs board adoption when board exists
CC1.2 Security org structure 🟡 Solo founder Functional separation lands when team expands
CC1.3 Onboarding / offboarding workflow 🔴 Not started Q3 2026 (after first hire)
CC1.4 Vendor management 🟢 Done DPAs signed with Vercel, Neon, Clerk, Resend, Axiom, PostHog
CC1.5 Code of ethics enforcement 🟡 Implicit Formalize before audit

CC2 — Communication & Information

ID Control Status Evidence
CC2.1 Security policy publication 🟡 In progress /compliance route added in Phase 10
CC2.2 Customer comms — incidents 🟢 Done Notification SLA in HECVAT response (§15)
CC2.3 Internal security training 🔴 Not started Q4 2026

CC3 — Risk Assessment

ID Control Status Evidence
CC3.1 Risk register 🔴 Not started Q3 2026 — pre-audit
CC3.2 Threat modeling 🟡 Informal Per-phase architectural decisions in DECISIONS.md
CC3.3 Fraud risk consideration 🟡 Implicit RBAC + audit trail address core scenarios

CC4 — Monitoring Activities

ID Control Status Evidence
CC4.1 Continuous monitoring 🟢 Done Axiom log aggregation; alerts on error spikes
CC4.2 Internal audits 🔴 Not started Q1 2027 — quarterly cadence pre-audit
CC4.3 Vendor performance review 🟡 Ad-hoc Formalize quarterly

CC5 — Control Activities

ID Control Status Evidence
CC5.1 Segregation of duties (DB roles) 🟢 Done habeo_owner (migrations) vs habeo_app (runtime) since Phase 1
CC5.2 Code review 🟢 Done All PRs require approval; main branch protected
CC5.3 Change management 🟢 Done Conventional commits + Phase planning docs + Phase completion reports
CC5.4 Backup procedures 🟢 Done Neon point-in-time recovery, 30-day window, RPO 1h

CC6 — Logical & Physical Access

ID Control Status Evidence
CC6.1 Logical access — RBAC 🟢 Done Three roles; per-route requireRole() + per-row RLS; cross-tenant probe in CI
CC6.2 New user provisioning 🟢 Done Clerk-mediated; self-serve gated by ALLOW_SELF_SERVE_SIGNUP=true (off in prod)
CC6.3 User deprovisioning 🟢 Done Soft-delete via deleted_at; immediate session invalidation in Clerk
CC6.4 Physical access (data centers) 🟢 Inherited Neon + Vercel SOC 2 reports cover physical access to the data centers
CC6.5 Credentials management 🟢 Done Vercel encrypted env vars; no secrets in repo (.gitignore enforced)
CC6.6 MFA 🟢 Done Required for admin via Clerk
CC6.7 Privileged access 🟢 Done habeo_owner connection-string is migration-only; runtime never sees it
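The owner/runtime role split (CC5.1, CC6.7) and the per-row RLS with a CI cross-tenant probe (CC6.1) are named above but not shown. What follows is an added example of how that is usually expressed in Postgres; it is not Habeo's own migration code. The role names come from the inventory; the `invoices` table, its `tenant_id` and `amount_cents` columns, the `app.tenant_id` session setting and the two tenant UUIDs are assumptions made for the example.

```sql
-- Added example (not Habeo's own migrations). Assumes roles habeo_owner and
-- habeo_app already exist (on Neon they are created in the console) and that
-- a table invoices(tenant_id uuid, amount_cents bigint, ...) exists.
-- Table, column, setting names and UUIDs below are assumptions.
-- Steps 1 and 2 run as habeo_owner, the role that owns every object.

-- 1. Least privilege for the runtime role: it can read and write rows but
--    never create, alter or drop objects, so a compromised app process cannot
--    change the schema or drop a policy.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO habeo_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO habeo_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO habeo_app;
-- Tables and sequences created by future migrations get the same grants.
ALTER DEFAULT PRIVILEGES FOR ROLE habeo_owner IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO habeo_app;
ALTER DEFAULT PRIVILEGES FOR ROLE habeo_owner IN SCHEMA public
  GRANT USAGE, SELECT ON SEQUENCES TO habeo_app;

-- 2. Per-row tenant isolation. The table owner (habeo_owner) bypasses RLS by
--    default, which is what migrations and backfills need; the runtime never
--    connects as owner. Superusers and roles with BYPASSRLS also bypass it,
--    so habeo_app must be neither.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;

-- Fail closed: if app.tenant_id is unset or empty, NULLIF yields NULL, the
-- comparison is NULL, and no row is visible (USING) or writable (WITH CHECK).
CREATE POLICY tenant_isolation ON invoices
  FOR ALL TO habeo_app
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- 3. Cross-tenant probe, the assertion a CI step makes after seeding rows for
--    two tenants. Runs over a connection opened as habeo_app. SET LOCAL scopes
--    the tenant to this transaction so it cannot leak across pooled connections.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Rows of every other tenant must be invisible: CI fails unless this is 0.
SELECT count(*) AS leaked_rows
  FROM invoices
 WHERE tenant_id <> current_setting('app.tenant_id')::uuid;

-- A write tagged with another tenant must be rejected by WITH CHECK; CI
-- expects "new row violates row-level security policy" here.
INSERT INTO invoices (tenant_id, amount_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 100);

ROLLBACK;

-- Unset case: with no app.tenant_id at all, habeo_app must see no rows.
-- CI fails unless this is 0.
SELECT count(*) AS rows_without_tenant FROM invoices;
```

The probe only has meaning if the CI database is seeded with rows for at least two tenants before it runs; an empty table returns 0 for every query and proves nothing. Keeping the policy `TO habeo_app` rather than `PUBLIC` means any other non-owner role that is ever granted access gets the RLS default of no rows until a policy is written for it.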

CC7 — System Operations

ID Control Status Evidence
CC7.1 Detection (monitoring + alerting) 🟢 Done Vercel function timeouts logged; anomaly alerts on PostHog event volumes
CC7.2 Incident response runbook 🟡 Draft Formal runbook needed pre-audit
CC7.3 Vulnerability identification 🟢 Done Renovate + Snyk; CVE response SLA 24h
CC7.4 Patch management 🟢 Done Dependency PRs auto-opened and merged after CI
CC7.5 Backups 🟢 Done Same as CC5.4

CC8 — Change Management

ID Control Status Evidence
CC8.1 Code change approval 🟢 Done Branch protection on main; PR review required
CC8.2 DB migration approval 🟢 Done Migrations live in versioned Drizzle files; require PR review
CC8.3 Production deploy gating 🟢 Done CI must pass (typecheck + lint + tests + cross-tenant probe) before Vercel auto-deploy

CC9 — Risk Mitigation

ID Control Status Evidence
CC9.1 Disaster recovery plan 🟡 Draft DR runbook + quarterly tests
CC9.2 Vendor risk 🟢 Done DPAs in place; subprocessor list in HECVAT §16

A — Availability

ID Control Status Evidence
A1.1 Uptime monitoring 🟢 Done Vercel's built-in + a Better Stack ping every 60s
A1.2 Capacity planning 🟢 Done Fluid Compute auto-scales; Neon's autoscaling on
A1.3 Recovery testing 🟡 Ad-hoc Quarterly rehearsal lands pre-audit

C — Confidentiality

ID Control Status Evidence
C1.1 Data classification 🟡 Implicit Stripped-for-role helper marks financial fields; full data-classification policy is pre-audit work
C1.2 Data retention + disposal 🟢 Done Soft-delete + scheduled hard-delete after 30 days (audit trail retained)
C1.3 Encryption at rest 🟢 Done AES-256 via Neon
C1.4 Encryption in transit 🟢 Done TLS 1.3 only

Gap Summary

Green (26 of 41): Controls implemented, with evidence accumulating in the normal course of operating the product. CC7.5 duplicates CC5.4 and is counted once.

Yellow (11 of 41): Implemented informally; needs formalization before audit (policy documents, training materials, recurring tasks).

Red (4 of 41): Not started (CC1.3, CC2.3, CC3.1, CC4.2). Most are people-process controls that need a team larger than one before they make sense.

Pre-Audit Work Estimate

Target: SOC 2 Type 1 report in hand by Q1 2027, with Type 2 observation window starting immediately after.


This document is updated each phase. Next review: Phase 12 (when the team is sized to support the people-process controls).