C
CARTIEAI
PricingTry free
Back to home
C
CARTIEAI
PricingTry free
Back to home
Live Control Matrix · Updated Feb 18, 2026

SOC 2 Type II readiness

We don't have the Type II cert yet — audit targeted June 15, 2026 with A-LIGN. Here's every Trust Services Criteria control with our current implementation status. No vague "compliance overview" — the actual matrix.

Overall readiness
100%
21 controls across 4 TSC categories · audit target 2026-06-15
CC
100%
Common Criteria
14/14 done
C
100%
Confidentiality
2/2 done
PI
100%
Processing Integrity
3/3 done
A
100%
Availability
2/2 done

Common Criteria

14 controls

CC1.1 Code of Conduct
Documented code of conduct; signed by all team members.
Evidence
Implemented
CC2.1 Information & Communication
Public algorithm correctness manifest + ROI Pledge; quarterly transparency report.
Evidence
Implemented
CC3.1 Risk Assessment
Annual risk assessment + STRIDE threat-model document; quarterly review cadence.
Evidence
Implemented
CC4.1 Monitoring Activities
Continuous monitoring via APScheduler weekly security audit cron + sentry alerting.
routes/security_audit
Implemented
CC5.1 Control Activities — Access
Role-based access (admin/member/viewer) + JWT auth + per-tenant database isolation.
core/security.py
Implemented
CC5.2 Control Activities — Change Management
Git-based change control; mandatory pytest run on every PR; PR Cost Guardrail evaluates impact.
Evidence
Implemented
CC6.1 Logical Access — Identity
Bcrypt-hashed passwords (12 rounds), JWT bearer tokens, 7-day session TTL, MFA opt-in.
core/security.py + integration_playbook v2
Implemented
CC6.2 Logical Access — Auth Lifecycle
Brute-force lockout (5 attempts/15min), password-reset signed token (5min TTL).
core/auth_lockout.py
Implemented
CC6.6 Encryption at Rest
Fernet (AES-128 GCM) for all cloud-provider creds, Okta tokens, webhook secrets.
routes/cloud_credential_vault.py
Implemented
CC6.7 Encryption in Transit
TLS 1.3 enforced at ingress; HSTS preload; no plaintext fallback.
k8s ingress + REACT_APP_BACKEND_URL is HTTPS-only
Implemented
CC7.1 System Operations — Backup
MongoDB Atlas continuous snapshots + 13-month retention + cross-region copy; quarterly restoration drill.
Evidence
Implemented
CC7.2 System Operations — Incident Response
4-tier severity classification; MTTA/MTTR targets; mandatory blameless post-mortems for SEV-1/2; quarterly chaos drill.
Evidence
Implemented
CC8.1 Change Management — Code Review
2-person review on production-affecting changes (Founder + Tech advisor).
GitHub branch protection
Implemented
CC9.2 Risk Mitigation — Vendor Management
SOC2 Vendor Risk register tracks every 3rd-party integration's compliance posture.
Evidence
Implemented

Confidentiality

2 controls

C1.1 Confidential Data Identification
Cloud-provider creds, customer revenue data, Okta tokens classified Confidential.
routes/cloud_credential_vault.py + okta_config
Implemented
C1.2 Confidential Data Disposal
DELETE endpoints exist for every credential type; encrypted-at-rest tokens are cryptographically shredded.
Multiple DELETE /config endpoints
Implemented

Processing Integrity

3 controls

PI1.1 Data Quality — Algorithm Correctness
Public algorithm correctness manifest with 230+ tests covering every cost-attribution algorithm.
Evidence
Implemented
PI1.2 Data Quality — Idempotency
All webhook receivers (Jira/Linear/PostHog/Mixpanel/Okta SCIM) idempotent on external_id.
routes/roadmap_webhooks.py + okta_scim.py
Implemented
PI1.3 Data Quality — Audit Trail
Every cost-affecting action logged with user_email + timestamp; admin audit-export endpoint.
Evidence
Implemented

Availability

2 controls

A1.2 System Availability — Capacity Planning
Capacity-planning runbook documenting MongoDB sharding triggers + APScheduler scaling; monthly headroom review.
Evidence
Implemented
A1.3 System Availability — SLA
Public 99.5%/99.9% uptime SLA (Pilot/Pro plans); automatic credit schedule; status page.
Evidence
Implemented

Public evidence artifacts

Your procurement team can verify each artifact in 1 click — no contact-sales walls.

algorithm correctness manifest/algorithm-correctness roi pledge/roi-pledge honest scorecard/honest-scorecard code of conduct/legal/code-of-conduct risk assessment/legal/risk-assessment backup runbook/legal/backup-runbook incident response playbook/legal/incident-response capacity planning runbook/legal/capacity-planning sla/legal/sla vendor risk register/admin/soc2-vendor-risk audit export/admin/audit-export pr cost guardrail/admin/pr-cost-guardrail

Procurement-ready. Audit-ready.

Need to validate vendor security before a pilot? Take 14 days, no commitment. We'll provide direct artifact access.

We value your privacy. Cookies help us improve your experience. Learn more

Install CARTIE AI

Add to your home screen for quick access and offline support