SOC 2 Readiness Attestation

Executive Summary

PrivionGRC is committed to achieving SOC 2 Type II certification by Q3 2026. This document attests to our current security posture and readiness for formal audit.

We have implemented security controls aligned with the AICPA Trust Services Criteria and maintain a continuous improvement program to ensure the confidentiality, integrity, and availability of our systems and customer data.

Current Status

Security controls implemented (80+ controls operational)
Infrastructure certified (SOC 2 providers: Netlify, AWS/Supabase)
Policies documented (8 core security policies)
Formal audit scheduled (Q2 2026, 3-6 month observation period)
Target completion: Q3 2026

Company Overview

Infrastructure

Application Hosting: Netlify (SOC 2 Type II certified)
Database & Backend: Supabase/AWS (SOC 2 Type II, ISO 27001 certified)
Primary Data Center: AWS [Region]
Geo-Replication: Multi-region backup and failover
Team Size: [Number] employees

Customer Base

Target Market: Mid-market and enterprise organizations (healthcare, life sciences, technology)
Typical Customer Size: 50-5,000 employees
Geographic Coverage: United States, European Union, United Kingdom
Total Customers: [Number]

Trust Services Criteria Covered

PrivionGRC's security program addresses the following TSC:

CC1: Security (REQUIRED)

Comprehensive security controls to protect against unauthorized access, both physical and logical.

CC2: Confidentiality (SELECTED)

Controls to protect confidential information from unauthorized disclosure.

CC3: Privacy (SELECTED)

Controls aligned with GDPR, CCPA, and other privacy regulations for protection of personal information.

Not Currently in Scope

• CC4: Availability (standard SLA, not contractually committed 99.9%+)
• CC5: Processing Integrity (not applicable to our business model)

Rationale: As a privacy compliance platform, Security + Confidentiality + Privacy are most relevant to our business and customer requirements.

Security Controls Summary

CC6: Logical and Physical Access Controls

Implemented

Control	Evidence	Notes
CC6.1 - Restrict logical access	RBAC, RLS policies	6 distinct user roles
CC6.2 - Authenticate users	MFA (TOTP) mandatory	100% MFA adoption
CC6.3 - Authorize users	Role-based permissions	Least privilege enforced
CC6.4 - Restrict access to data	Row-level security (RLS)	Multi-tenant isolation
CC6.5 - Remove access	Automated on termination	Immediate revocation
CC6.6 - Protect data in transit	TLS 1.2+	All connections encrypted
CC6.7 - Protect data at rest	AES-256	Supabase encryption
CC6.8 - Restrict physical access	SOC 2 data centers	AWS/Netlify facilities

Key Implementations:

Multi-Factor Authentication (MFA): TOTP required for all users (no exceptions)
Role-Based Access Control (RBAC): 6 user roles (Viewer, User, Admin, DPO, License Admin, Super Admin)
Row-Level Security (RLS): Database-level tenant isolation (Postgres RLS policies)
Encryption: TLS 1.3/1.2 in transit, AES-256 at rest
Session Management: 30-minute timeout, 12-hour absolute timeout
Password Policy: 12+ characters, complexity requirements, no reuse
Access Reviews: Quarterly user access reviews, monthly privileged access reviews

CC7: System Operations

Implemented

Control	Evidence	Notes
CC7.1 - Detect and respond to threats	Monitoring, alerting	Real-time threat detection
CC7.2 - Monitor system components	Uptime monitoring, logs	24/7 automated monitoring
CC7.3 - Implement change management	Git workflow, reviews	All changes peer-reviewed
CC7.4 - Back up data	Automated daily backups	Point-in-time recovery
CC7.5 - Recover from incidents	Incident response plan	DR runbook in development

Infrastructure Security

All infrastructure runs on SOC 2 Type II certified providers:

Netlify (Application Hosting)

Certifications: SOC 2 Type II, ISO 27001, PCI DSS Level 1
Security Features: DDoS protection, Web Application Firewall (WAF), automated SSL/TLS
Uptime SLA: 99.99% (historical: >99.9%)
Data Centers: Global CDN with edge locations worldwide

Supabase/AWS (Database & Backend)

Certifications: SOC 1/2/3, ISO 27001, PCI DSS, HIPAA eligible, FedRAMP
Security Features: Encryption at rest (AES-256), VPC isolation, automated backups
Data Residency: AWS [Region] (configurable per customer)
Database: PostgreSQL with Row-Level Security (RLS)

GitHub (Source Code)

Certifications: SOC 2 Type II
Security Features: 2FA required, branch protection, security scanning, secrets detection
Access Control: SSO, audit logging, IP allowlists

Inherited Controls: By using SOC 2 certified infrastructure, we inherit their physical security, environmental controls, and data center security controls.

Compliance & Regulatory

GDPR (General Data Protection Regulation)

Full compliance for EU customer data
Data Processing Agreements (DPAs) with all customers
Privacy by Design and Default (Article 25)
Data Protection Impact Assessments (DPIA module)
Records of Processing Activities (RoPA module)
Data Subject Rights (DSR management module)
Breach notification capability (72-hour requirement)

CCPA (California Consumer Privacy Act)

Supported for California customers
Consumer rights management (access, deletion, portability)
"Do Not Sell" compliance (no data sales)

Audit Readiness

SOC 2 Timeline

Current Phase: Preparation (Q4 2025)

• Security controls implemented
• Policies documented
• Gap analysis completed
• Remediation in progress (minor gaps)

Q1 2026: Pre-Audit

• Pre-audit readiness assessment
• Final gap remediation
• Evidence collection

Q2 2026: Audit Engagement

• Engage SOC 2 audit firm
• Begin observation period (3-6 months)
• Continuous evidence collection

Q3 2026: Audit Completion

• Auditor testing and validation
• Receive SOC 2 Type II report
• Distribute to customers

Evidence Available

Upon request, we can provide:

Infrastructure provider SOC 2 reports (Netlify, AWS)
Security policy documentation
Access control matrices
Audit log samples
Security questionnaire responses
Penetration test results (when available)

Contact Information

For Security Inquiries

Email: mfishman@priviongrc.com
Phone: [PHONE NUMBER]
Website: https://priviongrc.com/security

For Compliance Questions

Email: mfishman@priviongrc.com
Data Protection Officer: Matt Fishman, CEO

Attestation

This document represents PrivionGRC's current security posture and commitment to achieving SOC 2 Type II certification. We maintain continuous improvement processes and welcome security assessments from prospective customers.

The information in this document is accurate as of the date shown above and will be updated quarterly or as significant changes occur.

Signed:

[Name], Chief Executive Officer

Date: [DATE]

[Name], Chief Technology Officer