SOC 2 Readiness Self-Assessment
Effective date: May 11, 2026
Last updated: May 28, 2026
Important: This page is a self-assessment against the AICPA Trust Services Criteria (SOC 2 framework). It is not an independent SOC 2 Type I or Type II report, attestation, or certification. Aitros is preparing for a formal examination with a qualified auditor. For contractual assurances, contact us about a Data Processing Addendum (DPA) and security questionnaire support.
1. About this assessment
Product: Aitros Engagement — multi-tenant SaaS for employee listening, values assessments, leadership assessments, and related analytics.
Assessment date: May 28, 2026
In-scope criteria: Security (the required Common Criteria) plus the four optional categories of Availability, Processing Integrity, Confidentiality, and Privacy, i.e. all five Trust Services categories that can be included in a SOC 2 examination.
Methodology: Internal review of application architecture, access controls, vendor posture, policies, and operating practices. Status labels below reflect our judgment as of the assessment date.
Status definitions:
- Implemented — Control is designed and operating in our production environment.
- In progress — Control is documented or partially deployed; evidence collection ongoing.
- Planned — Control is on our roadmap before or during independent examination.
2. Executive summary
| Trust Services category | Overall status | Summary |
|---|---|---|
| Security | Implemented | Authentication, role-based access, tenant isolation, audit logging, secure SDLC, and fail-closed automation controls. |
| Availability | In progress | Hosted on enterprise cloud providers with health monitoring; backup runbooks and quarterly restore tests in progress; formal customer SLA planned. |
| Processing Integrity | Implemented | Server-authoritative workflows, input validation, idempotent billing and onboarding paths. |
| Confidentiality | Implemented | Encryption in transit, access controls by role, optional anonymity modes for assessments. |
| Privacy | In progress | Published privacy notices, subprocessors list, and DPA; data subject request process and vendor SOC report collection in progress. |
3. System boundary and subprocessors
The in-scope system is the Aitros Engagement application and its production dependencies: application hosting, database and authentication, billing, transactional email, optional Slack integrations, AI processing, and error monitoring.
We maintain a current list of subprocessors that may process customer or participant data on our behalf. See our Subprocessors page for provider names, purposes, and data categories.
Production customer data is not used in local development environments without approval. Preview deployments are isolated from production databases.
4. Security (Common Criteria)
4.1 Logical access and authentication
| Control | Status | How we address it |
|---|---|---|
| User authentication | Implemented | Supabase Auth; session validation on protected API routes. |
| Role-based access | Implemented | Organization managers, employees, agents, and platform administrators with least-privilege guards per route. |
| Platform administrator access | Implemented | Dedicated platform admin roster; grant and revoke actions recorded in admin audit logs. |
| Tenant isolation | Implemented | Row Level Security (RLS) on customer data in the database. |
| Privileged session impersonation | Implemented | Every impersonation session is written to impersonation audit records; only the originating session or a platform admin can end it. |
| Authentication rate limiting | Implemented | Rate limits on login, admin login, and password reset flows. |
| Quarterly access reviews | In progress | Documented process; evidence collected each quarter for platform and vendor access. |
4.2 System operations and change management
| Control | Status | How we address it |
|---|---|---|
| Privileged action audit logging | Implemented | Centralized logging for platform admin actions (e.g. billing changes, data scrub, exports, trial changes). |
| Error monitoring | Implemented | Sentry with client-side redaction practices. |
| Secure software delivery | Implemented | Pull request review, automated CI quality gate, dependency updates (Dependabot). |
| Secret scanning in CI | Implemented | Automated gitleaks scan on every merge to main. |
| Scheduled job authentication | Implemented | Background jobs require a shared secret; requests fail closed if misconfigured. |
| Incident response | In progress | Written incident response plan; annual tabletop exercise planned. |
4.3 Encryption and network security
| Control | Status | How we address it |
|---|---|---|
| Encryption in transit (TLS) | Implemented | HTTPS for application traffic via hosting provider. |
| Encryption at rest | Implemented | Database encryption provided by managed database infrastructure. |
| HTTP security headers | Implemented | Content Security Policy, HSTS, frame denial, and related headers at the edge and application layer. |
| Payment webhooks | Implemented | Stripe webhook signature verification. |
| Password reset tokens | Implemented | One-time tokens with expiry and verification before reset. |
5. Availability
| Control | Status | How we address it |
|---|---|---|
| Managed hosting | Implemented | Application on Vercel; database on Supabase with provider uptime commitments. |
| Health monitoring | Implemented | Health endpoints and scheduled production smoke checks. |
| Backup and recovery | In progress | Point-in-time recovery is provided by the database provider; restore runbooks and quarterly restore tests are being documented and evidenced. |
| Published customer SLA | Planned | Formal availability target for enterprise agreements. |
6. Processing integrity
| Control | Status | How we address it |
|---|---|---|
| Server-authoritative assessment state | Implemented | Assessment phase and progress driven by server state, not client-only storage. |
| API input validation | Implemented | Schema validation at API boundaries; enforced in CI where applicable. |
| Idempotent writes | Implemented | Safe retries for onboarding and billing webhook handling. |
| Billing reconciliation | Implemented | Scheduled billing sync job with authenticated cron access. |
| AI prompt change control | In progress | Platform-admin-only prompt management; formal approval workflow documented. |
7. Confidentiality
| Control | Status | How we address it |
|---|---|---|
| Data classification | Implemented | Public, internal, and confidential categories (assessment responses, PII, billing). |
| Access by classification | Implemented | RLS plus application-layer role checks per organization. |
| Anonymous assessment modes | Implemented | Configurable per campaign; described to customers during setup. |
| Secure data disposal | Implemented | Documented admin scrub and customer deletion processes with audit trail. |
8. Privacy
| Control | Status | How we address it |
|---|---|---|
| Privacy policy and notices | Implemented | Privacy Policy, Participant Privacy Notice, and related legal pages. |
| Data Processing Addendum (DPA) | Implemented | Available on request — see DPA. |
| Subprocessor transparency | Implemented | Published Subprocessors list. |
| Data retention and cleanup | Implemented | Automated token and integration log cleanup; retention per policy and contract. |
| Data subject requests (access / deletion) | In progress | Documented request process with defined response timelines. |
| AI processing disclosure | Implemented | AI Use Disclosure; customer data not used to train third-party foundation models unless otherwise agreed in writing. |
| Vendor security reports | In progress | Collecting SOC / security reports from key subprocessors for enterprise due diligence. |
9. Roadmap to independent SOC 2 examination
We are executing a readiness program with these milestones:
- Completed (engineering): Consolidated security controls (access, cron auth, rate limits, audit logging, headers).
- In progress (operations): Quarterly access reviews, backup restore tests, impersonation and admin audit sampling, vendor evidence collection.
- Planned: Independent penetration test, SOC 2 Type I examination, then Type II observation period (typically 6–12 months) for operating effectiveness.
When a SOC 2 report is available under NDA, enterprise customers may request it through their account or security contact.
10. Related resources
11. Contact
For security questionnaires, DPAs, subprocessors questions, or to discuss this self-assessment:
Aitros Engagement
Email: hello@aitrosengagement.com
Website: aitrosengagement.com