SubOps Trust

SOC 2 roadmap and current control posture

Where SubOps is on the SOC 2 Type II path and how to request the trust portal under NDA.

Last updated

What you get from this page

A snapshot of where SubOps is on the SOC 2 journey, which control families are already implemented and operating, and the path to request the trust portal under NDA. If you are running a procurement or lender diligence checklist, this page should answer the structural questions; the trust portal answers the evidence-level questions.

Why this matters

SOC 2 Type II is the default trust signal for SaaS vendors in finance-adjacent workflows. Lenders, factoring partners, brokers, and larger contractors increasingly require either a current Type II report or a credible roadmap with control evidence under NDA. We treat this as table stakes, not a marketing claim.

How it works

SubOps is pursuing SOC 2 Type II with the standard sequence:

  1. Scoping and gap assessment — complete. Trust Services Criteria selected: Security (mandatory), Availability, and Confidentiality. Privacy and Processing Integrity are out of scope for the initial report.
  2. Control implementation — substantially complete for the in-scope criteria. See the posture summary below.
  3. Type I audit — scheduled. The Type I report attests that controls are designed effectively as of a point in time.
  4. Type II observation window — begins after Type I. Typical window is 6–12 months of continuous evidence.
  5. Type II report — issued after the observation window. This is the deliverable that goes on the trust portal as the headline artifact.

We will not represent SubOps as SOC 2 certified until a current report exists. Roadmap status is published here and updated whenever it changes.

Current control posture

These are the control families already in place and operating today, ahead of the audit. Evidence is available on the trust portal under NDA.

Access controls

  • Single sign-on via Clerk for all customer-facing surfaces.
  • Role-based access control (5 roles, 6 permissions, one centralized matrix) enforced at the middleware layer for every protected route. The matrix is in source control and reviewed on every change.
  • Production database and infrastructure access is restricted to a small named set of engineers and gated by SSH key + IP allowlist. No shared accounts.
  • Internal documentation and admin surfaces are role-gated separately from member surfaces; non-admins cannot enumerate admin routes.
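The centralized matrix and middleware-layer check described above, as an added illustration that is not SubOps's own code: one role/permission table in source control, a route table, and a single enforcement function that returns 404 rather than 403 for admin surfaces so non-admins cannot enumerate them. The role, permission and route names are constructed placeholders, not the real matrix.

```typescript
// Added illustration, not SubOps's own code: one centralized role/permission matrix
// enforced by a single check that every protected route passes through. Role,
// permission and route names below are constructed placeholders.
type Role = "owner" | "admin" | "manager" | "member" | "viewer";
type Permission =
  | "read:jobs" | "write:jobs" | "read:billing"
  | "write:billing" | "manage:users" | "view:admin";

// The matrix lives in source control; editing it is the only way to change access.
const MATRIX: Record<Role, ReadonlySet<Permission>> = {
  owner:   new Set<Permission>(["read:jobs", "write:jobs", "read:billing", "write:billing", "manage:users", "view:admin"]),
  admin:   new Set<Permission>(["read:jobs", "write:jobs", "read:billing", "manage:users", "view:admin"]),
  manager: new Set<Permission>(["read:jobs", "write:jobs", "read:billing"]),
  member:  new Set<Permission>(["read:jobs", "write:jobs"]),
  viewer:  new Set<Permission>(["read:jobs"]),
};

// Route table, most specific prefix first. adminSurface marks routes that must not
// be discoverable by non-admins (they get 404, not 403).
interface Route { prefix: string; requires: Permission; adminSurface: boolean }
const ROUTES: Route[] = [
  { prefix: "/admin/users",          requires: "manage:users",  adminSurface: true },
  { prefix: "/admin",                requires: "view:admin",    adminSurface: true },
  { prefix: "/billing/invoices/pay", requires: "write:billing", adminSurface: false },
  { prefix: "/billing",              requires: "read:billing",  adminSurface: false },
  { prefix: "/jobs",                 requires: "read:jobs",     adminSurface: false },
];
export interface Decision { status: 200 | 401 | 403 | 404; reason: string }

// Single enforcement point for every protected route (the middleware layer).
export function authorize(role: Role | null, path: string): Decision {
  const route = ROUTES.find((r) => path === r.prefix || path.startsWith(r.prefix + "/"));
  if (!route) return { status: 404, reason: "unmapped route: deny by default" };
  // Admin surfaces are hidden (404) from anyone without view:admin, anonymous included.
  if (route.adminSurface && (role === null || !MATRIX[role].has("view:admin"))) {
    return { status: 404, reason: "admin surface not exposed to this principal" };
  }
  if (role === null) return { status: 401, reason: "authentication required" };
  if (!MATRIX[role].has(route.requires)) {
    return { status: 403, reason: `role ${role} lacks ${route.requires}` };
  }
  return { status: 200, reason: "allowed" };
}

// Invariant to check in CI on every matrix change: no route requires a permission
// that no role in the matrix grants (which would silently lock the route).
export function matrixIsConsistent(): boolean {
  const granted = new Set<Permission>();
  for (const perms of Object.values(MATRIX)) perms.forEach((p) => granted.add(p));
  return ROUTES.every((r) => granted.has(r.requires));
}
```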

Change management

  • All production changes are merged through GitHub pull requests with required review.
  • Continuous integration runs lint, type-check, unit, and migration round-trip tests on every PR.
  • Database schema changes ship as versioned migrations (Prisma + raw SQL where needed) with the migration round-trip tested before merge.
  • Production deployments are immutable container images pulled by tag; release notes are recorded on every deploy.

Vendor management

  • Subprocessors are inventoried, classified by data exposure, and reviewed annually. The list is available on the trust portal.
  • New subprocessors require a documented review before being introduced into the production path.

Incident response

  • A documented incident response procedure covers detection, triage, containment, customer communication, and post-mortem.
  • Errors and anomalies route through Sentry; production alerts page the on-call engineer.
  • Customer-impacting incidents are summarized publicly after the fact.

Continuous monitoring

  • Application errors and performance telemetry stream into Sentry with release tracking.
  • Infrastructure health is monitored via DigitalOcean and Cloudflare native telemetry.
  • A health endpoint is probed on every deployment as part of the release gate.

What you see as an evaluator

  • This roadmap page (public).
  • The trust portal (NDA-gated) with the subprocessor list, control mappings, policy artifacts, and the most recent incident summaries.
  • Type I and Type II reports, when issued, will be made available through the trust portal.

Requesting the trust portal

To request portal access, contact SubOps with the requesting entity, the use case (vendor diligence, lender review, factoring, etc.), and a counterparty contact. We will send an NDA and a time-limited read link. Expect a one-business-day turnaround for standard requests.

Common questions

Can I get the Type I report today? Type I is scheduled, not yet issued. Pre-audit control evidence is available on the trust portal under NDA.

Do you maintain a status page? Internal uptime telemetry feeds the team's on-call rotation. A customer-facing status page is on the roadmap but not yet live.

Do you support customer-specific security questionnaires? Yes. SIG Lite, CAIQ, and ad-hoc questionnaires are answered against the same control inventory the trust portal exposes.

Next steps

  • See Data handling for the data-flow detail behind these controls.
  • See No FedEx credentials for the credential-handling commitment that drives much of the access-control posture.
  • Contact SubOps to request the trust portal NDA.