SOC 2 Type II — Trust Services Criteria
AICPA Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Why this matters: SOC 2 is the standard US enterprise buyers expect from SaaS vendors. HQ Cortex is not currently SOC 2 audited. We operate many controls a SOC 2 audit would test, and we have mapped them transparently below. This page is updated as controls graduate from manual procedures to evidence-collected automation.
We are not currently certified to this standard. The mapping below shows where our day-to-day controls already align.
Status legend
- Supported: We can do this today.
- In progress: Partially in place or actively in development.
- Not yet planned: Not yet started or not in scope.
Security (Common Criteria)
CC6.1 — Logical access provisioning and deprovisioning
Supported: Access requests are approved, granted on a least-privilege basis, and revoked promptly when no longer needed.
In HQ Cortex: Clerk handles organization invites and role assignment; permission profiles scope what each role can do, and deactivated users are flagged so access is revoked promptly.
SOC 2 CC6.1
CC6.2 — Authentication
In progress: MFA enforced for administrative and customer-admin access; SSO supported.
In HQ Cortex: Clerk supports MFA and SSO. Enforced MFA-on-by-default and tenant-level SSO controls are being formalized.
SOC 2 CC6.2
CC6.6 — Boundary protection
In progress: Network segmentation, no public database endpoints, WAF in front of public traffic.
In HQ Cortex: The database is not exposed to the public internet, and Vercel provides edge protections in front of public traffic. A documented network architecture diagram is being prepared.
SOC 2 CC6.6
CC6.7 — Encryption in transit and at rest
Supported: TLS 1.2+ in transit and AES-256 at rest across all production paths.
In HQ Cortex: Provided by Vercel (TLS) and PlanetScale + Vercel Blob (AES-256 at rest).
SOC 2 CC6.7
CC7.1 — Vulnerability management
Not yet planned: Quarterly penetration test; continuous SAST/DAST; documented remediation SLAs.
In HQ Cortex: Not yet in place.
SOC 2 CC7.1
CC7.2 — System monitoring and alerting
In progress: Centralized logs; alerts on auth failures, privileged actions, and anomalies.
In HQ Cortex: Per-request timing and per-domain audit logs exist; centralized SIEM-style monitoring is being added.
SOC 2 CC7.2
CC7.3 — Incident response
In progress: Runbook, on-call rotation, tabletop exercises, post-mortems retained.
In HQ Cortex: Internal incident-response process exists; tabletop cadence and retained post-mortems are being formalized.
SOC 2 CC7.3
CC8.1 — Change management
Supported: All production changes via PR with reviewer, CI gate, and traceable deploys.
In HQ Cortex: Every production change goes through mandatory peer review on a protected main branch, passes automated code-quality gates, and is captured in Vercel deploy logs for traceability.
SOC 2 CC8.1
Availability
Public status page
In progress: Customer-visible uptime and incident history.
In HQ Cortex: A public /status page links directly to the live status pages of every upstream provider HQ Cortex depends on (Vercel, PlanetScale, Clerk, Upstash, Vercel Blob). A unified, HQ Cortex-branded incident history is not yet published.
SOC 2 A1
Disaster recovery testing
In progress: Documented RTO/RPO with tested restore evidence.
In HQ Cortex: Underlying providers offer multi-AZ and managed backups; HQ Cortex-level DR runbook with recorded test cadence is being prepared.
SOC 2 A1
Processing Integrity
Server-side validation of formulation math
Supported: Critical calculations (sum of ingredient % = 100, unit consistency, yield math) validated server-side and reproducible.
In HQ Cortex: Formulation calculation logic is server-side, deterministic, and covered by tests.
SOC 2 PI1
Tamper-evident batch records
In progress: Batch records produce reproducible outputs given the same inputs, with computation version recorded.
In HQ Cortex: A snapshot of the formulation version is recorded with each batch; a hash-based tamper-evident link across the full batch production record is on the roadmap.
SOC 2 PI1
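The two Processing Integrity controls above (server-side formulation validation and tamper-evident batch records) are small enough to show end to end. The following is an added illustration written for this page, not HQ Cortex's own code: the types, the unit sets, the percentage tolerance, the `yield-v1` computation version tag and the SHA-256 hash-chain layout are all assumptions chosen for the example. It validates a formulation (percentages sum to 100, no mixed mass/volume units, positive batch size), computes a deterministic yield, and appends batch records to a chain where each record carries the formulation snapshot, the computation version and the previous record's hash, so that editing any record (or re-hashing it in place) breaks verification.

```typescript
import { createHash } from "node:crypto";

// Hypothetical schema for this illustration; HQ Cortex's real data model is not on the page.
export type Unit = "g" | "kg" | "mL" | "L";
export interface Ingredient { name: string; percent: number; unit: Unit }
export interface Formulation { id: string; version: number; batchSizeG: number; ingredients: Ingredient[] }

const MASS_UNITS: Unit[] = ["g", "kg"];
const PERCENT_TOLERANCE = 1e-6;            // assumed tolerance for floating-point sums
export const COMPUTATION_VERSION = "yield-v1"; // hypothetical tag recorded with every batch record
export const GENESIS_HASH = "0".repeat(64);    // prevHash of the first record in a chain

// Server-side validation of the formulation math. Returns a list of problems; empty means valid.
export function validateFormulation(f: Formulation): string[] {
  const errors: string[] = [];
  if (f.ingredients.length === 0) errors.push("no ingredients");
  const total = f.ingredients.reduce((sum, i) => sum + i.percent, 0);
  if (Math.abs(total - 100) > PERCENT_TOLERANCE) errors.push(`percentages sum to ${total}, expected 100`);
  for (const i of f.ingredients) if (!(i.percent > 0)) errors.push(`${i.name}: percent must be > 0`);
  const kinds = new Set(f.ingredients.map((i) => (MASS_UNITS.includes(i.unit) ? "mass" : "volume")));
  if (kinds.size > 1) errors.push("mixed mass and volume units in one formulation");
  if (!(f.batchSizeG > 0)) errors.push("batch size must be > 0");
  return errors;
}

// Deterministic yield: grams of each ingredient for the batch size, rounded to 3 dp so reruns agree.
export function computeYield(f: Formulation): Record<string, number> {
  const out: Record<string, number> = {};
  for (const i of f.ingredients) out[i.name] = Math.round((f.batchSizeG * i.percent) / 100 * 1000) / 1000;
  return out;
}

// Canonical JSON (sorted keys) so the same logical record always hashes to the same value.
export function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

export interface BatchRecord {
  seq: number;                      // position in the chain
  step: string;                     // e.g. "weigh", "mix"
  data: Record<string, unknown>;    // step-specific measurements
  formulationSnapshot: Formulation; // the exact formulation version the batch used
  computationVersion: string;
  prevHash: string;                 // hash of the previous record (or GENESIS_HASH)
  hash: string;                     // SHA-256 over everything above
}

export function hashRecord(body: Omit<BatchRecord, "hash">): string {
  return createHash("sha256").update(canonicalize(body)).digest("hex");
}

// Append a step to the chain; the new record commits to the previous record's hash.
export function appendRecord(chain: BatchRecord[], step: string, data: Record<string, unknown>, f: Formulation): BatchRecord[] {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS_HASH;
  const body = { seq: chain.length, step, data, formulationSnapshot: f, computationVersion: COMPUTATION_VERSION, prevHash };
  return [...chain, { ...body, hash: hashRecord(body) }];
}

// Walk the chain; report the first record whose sequence, back-link or hash does not check out.
export function verifyChain(chain: BatchRecord[]): { ok: boolean; firstBad?: number } {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const { hash, ...body } = chain[i];
    if (body.seq !== i || body.prevHash !== expectedPrev || hashRecord(body) !== hash) return { ok: false, firstBad: i };
    expectedPrev = hash;
  }
  return { ok: true };
}

// Constructed sample data for the example (not a real HQ Cortex formulation).
export const SAMPLE_FORMULATION: Formulation = {
  id: "form-001", version: 3, batchSizeG: 500,
  ingredients: [
    { name: "water", percent: 70, unit: "g" },
    { name: "oil", percent: 25, unit: "g" },
    { name: "emulsifier", percent: 5, unit: "g" },
  ],
};

export function buildSampleChain(): BatchRecord[] {
  const problems = validateFormulation(SAMPLE_FORMULATION);
  if (problems.length) throw new Error("invalid formulation: " + problems.join("; "));
  let chain = appendRecord([], "weigh", { weighedG: computeYield(SAMPLE_FORMULATION) }, SAMPLE_FORMULATION);
  chain = appendRecord(chain, "mix", { durationMin: 12, tempC: 65 }, SAMPLE_FORMULATION);
  return chain;
}
```

Usage: `verifyChain(buildSampleChain())` returns `{ ok: true }`. Changing a measurement in record 0 makes `hashRecord` disagree with the stored hash (`firstBad: 0`); re-hashing record 0 to hide the edit instead breaks record 1's `prevHash` (`firstBad: 1`). Only the head hash needs to be stored somewhere the record writer cannot modify (a signed log, a separate store) for the chain to be tamper-evident against someone with write access to the records themselves.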
Last reviewed: May 2026.