SOC 2 Type II
Status: pre-audit · observation window not yet started · last updated 27 May 2026
Glassbreak is not currently SOC 2 certified. We do not publish a SOC 2 report and any vendor that says otherwise is misinformed. This page is our honest gap assessment against the AICPA Trust Service Criteria so that buyers, auditors, and security teams can make an informed decision today and track our progress toward a Type II report.
What we are pursuing
- Type II, not Type I. Type I is a point-in-time snapshot; Type II measures operating effectiveness over an observation window (we will run a 6-month window for our first report and extend to 12 months thereafter).
- Trust Service Categories in scope: Security (mandatory Common Criteria) plus Availability and Confidentiality. Privacy and Processing Integrity are not in our initial scope; they will be added in later reports if customer demand justifies the additional assertions.
- Auditor:a Big-4 or specialist mid-tier firm to be selected once readiness work is complete. We will publish the auditor's name on this page once the engagement is signed.
- Compliance platform: Drata or Vanta for continuous control monitoring. Selection in progress.
Phasing
- Readiness — control gap remediation against the table below (in flight).
- Type I— point-in-time auditor's opinion against a 30-day window. Interim assurance only; not on its own a substitute for Type II.
- Type II — operating-effectiveness report against a 6-month observation window for the first report, 12-month thereafter.
- Steady state — annual Type II reports against a rolling 12-month observation window.
We do not publish specific dates for these phases on the public page. We will not represent ourselves as "SOC 2 ready", "SOC 2 aligned", or "SOC 2 equivalent" in any marketing material before a real auditor's opinion exists. Customers with a specific buying-window need can request the current phase status under NDA from compliance@glassbreak.io.
Status by Common Criterion
Each row below is our own assessment against the 2017 AICPA Trust Services Criteria (revised 2022). Met = implemented and operating, evidence available under NDA. Partial = implemented but needs hardening before passing auditor sampling. Gap = not yet implemented in a form an auditor would accept; remediation in flight.
CC1 — Control Environment
5 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC1.1 | Integrity and ethical values | Met | Published policies at /policies (InfoSec, Sanctions, Onboarding, Offboarding, IR, BCP/DR) define ethical expectations; acknowledgement is a required onboarding step. |
| CC1.2 | Board oversight of security | Met | Annual board-level ISMS oversight review documented at /policies/cadences/board-isms-review with standing agenda and minutes record. |
| CC1.3 | Org structure, authority, responsibility | Met | Security Officer named as owner on every policy at /policies; roles and responsibilities defined in /policies/information-security §4. |
| CC1.4 | Competence | Met | Engineering hires undergo technical assessment; /policies/onboarding requires role-specific training before independent action. |
| CC1.5 | Accountability | Met | /policies/sanctions defines proportionate consequences for policy breach; /policies/onboarding records signed acknowledgement of every published policy. |
CC2 — Communication & Information
2 met1 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC2.1 | Information needed for internal control | Met | Audit logs, observability stack (Grafana Cloud Tempo / Loki / Mimir), and the daily security-posture snapshot at /trust. |
| CC2.2 | Internal communication of policies | Partial | Policies exist in the repository; not yet centralised in a policy portal with mandatory acknowledgement tracking. |
| CC2.3 | External communication | Met | Public security page, trust page, coordinated disclosure policy (/trust/disclosure), and a monitored security@glassbreak.io mailbox. |
CC3 — Risk Assessment
4 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC3.1 | Objectives | Met | docs/architecture.md defines availability, resilience, and security objectives precisely. |
| CC3.2 | Risk identification | Met | Quarterly /policies/cadences/management-review surfaces emergent risks; annual /policies/cadences/technical-evaluation closes the loop. Risk Treatment Plan at /policies/risk-treatment-plan. |
| CC3.3 | Fraud risk | Met | Annual Fraud Risk Assessment at /policies/fraud-risk-assessment covers insider misuse, social engineering, sub-processor compromise, financial fraud, and collusion. |
| CC3.4 | Change identification | Met | All infrastructure is in OpenTofu under infra/; all code changes flow through pull request with mandatory review and CI. |
CC4 — Monitoring Activities
2 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC4.1 | Ongoing and separate evaluations | Met | Daily snapshot probes + 22 DR scenarios in CI nightly + quarterly /policies/cadences/management-review + annual /policies/cadences/technical-evaluation. |
| CC4.2 | Evaluation of deficiencies | Met | Time-bounded remediation SLAs by severity at /policies/cadences/remediation-slas; daily-snapshot failures + audit findings tracked to closure. |
CC5 — Control Activities
3 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC5.1 | Selection and development of controls | Met | Controls documented in code, in docs/observability.md, and in docs/architecture.md. |
| CC5.2 | Technology controls | Met | Multi-cloud topology, tested cross-vertical failover, EdDSA-with-kid JWT, Argon2id password hashing, TOTP + WebAuthn MFA. Detail at /technology/encryption. |
| CC5.3 | Policies | Met | Information Security, Incident Response, BCP/DR, Onboarding, Offboarding, and Sanctions policies published at /policies and reviewed annually. |
CC6 — Logical & Physical Access
6 met2 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC6.1 | Logical access controls | Partial | RBAC implemented (8 organisation permissions, 25+ team permissions); SSO (SAML/OIDC) and SCIM provisioning not yet available — common enterprise procurement blockers. |
| CC6.2 | New user provisioning | Met | /policies/onboarding §4 governs account creation with least-privilege grants and MFA-on-first-login. In-product invitation flow live. |
| CC6.3 | User removal | Met | Logout route mounted (audit finding C-1 resolved). /policies/offboarding §5 governs access revocation, credential rotation, and asset return. |
| CC6.4 | Physical access | Met | No data centres operated by Glassbreak; physical security delegated to AWS, Scaleway, and Neon, all SOC 2 reported. See /legal/sub-processors. |
| CC6.5 | Decommissioning | Met | Infrastructure decommissioning is OpenTofu-driven; equipment decommissioning at /policies/procedures/endpoint-decommissioning. |
| CC6.6 | Boundary protection | Met | Fastly fronts glassbreak.io; security headers and rate limiting in place; CSP enforced. |
| CC6.7 | Data in transit | Met | TLS 1.2+ enforced across all endpoints; HSTS preloaded. |
| CC6.8 | Threat detection | Partial | Application-level detection (rate limiting, refresh-token reuse detection, failed-MFA tracking); managed EDR / SIEM not currently deployed. |
CC7 — System Operations
4 met1 partial
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC7.1 | Vulnerability management | Partial | Monthly /policies/cadences/vulnerability-review reviews Dependabot, npm audit, sub-processor advisories. External pen test still in flight. |
| CC7.2 | Monitoring of system components | Met | OTLP telemetry → Grafana Cloud; three SLO alerts wired (5xx rate, p95 latency, apex probe) with runbooks (docs/observability.md). |
| CC7.3 | Incident response | Met | /policies/incident-response defines SEV-1/2/3/4 classification, response phases, communication templates, and post-mortem cadence. Tabletop exercise required annually. |
| CC7.4 | Incident handling | Met | Smoke tests + observability alerts feed /policies/incident-response severity classification; /policies/cadences/remediation-slas defines time-bounded closure. |
| CC7.5 | Recovery | Met | 22 DR scenarios run nightly in CI against a real two-vertical Postgres + Hono topology (dr-tests/); cross-vertical failover is exercised, not theoretical. |
CC8 — Change Management
1 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC8.1 | Authorised changes | Met | Every code change requires PR review; every infrastructure change is OpenTofu-planned with mandatory review before apply. Branch protection blocks direct pushes to main. |
CC9 — Risk Mitigation
2 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CC9.1 | Business disruption | Met | /policies/business-continuity defines RTO/RPO, activation criteria, per-scenario recovery procedures, and the nightly DR test cadence (22 scenarios in dr-tests/). |
| CC9.2 | Vendor and business partner management | Met | Sub-processor lifecycle at /policies/supply-chain-risk; intake assessment + annual re-assessment procedure at /policies/procedures/supplier-assessment; sub-processor list at /legal/sub-processors. |
Availability (A1) — additional criteria
3 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| A1.1 | Capacity | Met | Serverless platforms scale automatically; quarterly /policies/cadences/capacity-planning records traffic trend, error-budget burn, and sub-processor quota utilisation. |
| A1.2 | Environmental protection | Met | Met by sub-processors (data-centre operators). |
| A1.3 | Recovery | Met | Backups verified end-to-end in DR scenario 22. RTO/RPO commitments to be formalised in the BCP/DR document. |
Confidentiality (C1) — additional criteria
2 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| C1.1 | Identification of confidential information | Met | Met by design. Zero-knowledge platform: secret, contact, and message content is encrypted on the data subject's device. See /technology/encryption. |
| C1.2 | Disposal | Met | Self-service erasure route mounted (audit finding C-12 resolved). Cryptographic erasure is default for shared secrets. |
What customers can do today
- Request a copy of this gap assessment in a signed PDF form for procurement files: compliance@glassbreak.io.
- Request a redacted copy of the internal security audit (
docs/security-audit-2026-05-27.md) under NDA. - Use the in-product audit log (
/secure/audit) to capture evidence of your own organisation's use of the platform; this is what your auditor will sample for your SOC 2. - Read the live trust page (/trust), which publishes only controls that have been measured green for 30+ consecutive days.
If you need a SOC 2 report today and cannot wait, we will introduce you to vendors who already hold one and explain honestly where their features differ from ours. Contact compliance@glassbreak.io.