# SOC 2 Readiness Checklist — Apache-3 Inc.

**Document version:** 1.0

**Effective date:** 2026-05-20

Apache-3 Inc. is a small-business federal contractor working toward SOC 2 Type I readiness, and publishes this checklist as a customer-trust artifact. It lists the controls Apache-3 maintains, mapped to the AICPA Trust Services Criteria (TSC).

We are not currently SOC 2-attested. The path to attestation is a 3-6 month engagement with a CPA firm. This checklist is the precursor: what we already do, and what remains.

## Trust Services Criteria scope

This checklist covers the five TSC categories:

1. **Security** (TSC CC1-CC9) — required for any SOC 2 engagement
2. **Availability** — optional; included
3. **Processing Integrity** — optional; partial
4. **Confidentiality** — optional; included
5. **Privacy** — optional; included

## Security (CC1-CC9)

### CC1 - Control Environment
- [x] Documented organizational structure (apache3.com/leadership)
- [x] Written code of conduct (referenced in offer letters)
- [ ] Background-check policy applied to all hires (defined; not yet centrally documented)

### CC2 - Communication and Information
- [x] Security policies published (this document set)
- [x] Incident reporting channel (s@apache-3.com + apache3corp@gmail.com)

### CC3 - Risk Assessment
- [x] Annual security risk assessment
- [x] Vendor risk assessment before SaaS adoption
- [ ] Quarterly cadence formalized (currently ad-hoc)

### CC4 - Monitoring Activities
- [x] Daily automated checks of platform state (workspace-admin/checks/)
- [x] Drift detector runs on workspace governance
- [ ] Centralized SIEM / log aggregation (not yet; using per-platform native audit logs)

### CC5 - Control Activities
- [x] Logical access controls via per-platform RBAC
- [x] MFA on all critical systems
- [x] Encrypted disk on workstations

### CC6 - Logical and Physical Access Controls
- [x] Unique user accounts on every system
- [x] Account-removal process for departing personnel (1 business day)
- [x] Physical workstation security (FileVault/BitLocker + locked residence/office)

### CC7 - System Operations
- [x] Production deployments via Vercel (CI-gated)
- [x] Source code in GitHub with branch protection on customer-facing repos
- [ ] Change-management documentation for all production changes (partial)

### CC8 - Change Management
- [x] All changes flow through Pull Request for repos with branch protection
- [x] Code review on customer-facing repos
- [ ] Pre-production / staging environments for all customer-facing apps (partial)

### CC9 - Risk Mitigation
- [x] Backups: cloud platforms provide their own (Supabase point-in-time, GitHub, Stripe)
- [ ] Tested disaster recovery procedure (documented; not formally tested in 12 months)

## Availability

- [x] Uptime monitoring on customer-facing endpoints (Vercel native + health-check routes)
- [x] Documented SLO for customer-facing endpoints (99.5% availability target)
- [ ] Multi-region failover (not required at current scale)

## Processing Integrity

- [x] Production data isolated per project (separate Supabase projects, no shared DBs)
- [x] Stripe webhook signature verification on all payment events
- [ ] Data validation at every system boundary (partial)

## Confidentiality

- [x] All customer data encrypted in transit (TLS 1.2+)
- [x] All customer data encrypted at rest (per-platform default)
- [x] Confidentiality clause in every customer engagement
- [ ] DLP (data loss prevention) tooling (not yet)

## Privacy (mapped to GDPR-style principles even though Apache-3 is US-only)

- [x] Privacy policy published (apache3.com/privacy)
- [x] No third-party tracking beyond essential analytics
- [x] Right-to-access + right-to-delete process documented in privacy policy
- [x] No PII stored on public-facing applications

## What remains for full SOC 2 Type I attestation

1. Engage a CPA firm with a SOC 2 practice (~$15-30k for Type I)
2. Centralize evidence collection (Drata, Vanta, or Strike Graph)
3. Run the audit (2-3 months)
4. Receive Type I report

## What remains for Type II

Add 6-12 months of operational evidence after Type I.

## Why we publish this

Small-business federal contractors are often asked "are you SOC 2?" The honest answer for most is "not yet." Publishing the readiness posture lets enterprise customers see the gap and decide whether it is acceptable for the engagement scope.

For specific compliance questions in support of a contract, email s@apache-3.com.

---

*Apache-3 Inc. is committed to building toward SOC 2 Type I attestation in 2026-2027.*
