SOC 2 Compliance Roadmap
Trust Service Criteria alignment · Last updated: April 23, 2026
SOC 2 Type I — In Progress · Target: Q3 2026
Lexitio’s controls are designed to the SOC 2 Trust Service Criteria from the start. Formal Type I certification is planned for Q3 2026, followed by Type II after the 6-month observation period. This page tracks our progress against each control.
CC1 — Control Environment
Security policy documentation [In Progress]
Written security policies covering access control, data classification, incident response, and vendor management.
Security awareness training [Planned]
Annual security training for all personnel with access to production systems.
Background checks [Planned]
Background verification for personnel with access to customer data.
CC2 — Communication and Information
Security overview page [Complete]
Public-facing security overview documenting controls, encryption, and data isolation.
Privacy Policy [Complete]
Full privacy policy with subprocessor disclosure, data retention, and user rights.
Business Associate Agreement [Complete]
Standard BAA template available; executed BAAs on request for HIPAA-covered entities.
Vulnerability disclosure policy [Complete]
Responsible disclosure program at security@lexitio.com.
CC3 — Risk Assessment
Annual risk assessment [Planned]
Formal identification and assessment of risks to confidentiality, integrity, and availability.
Threat modeling [In Progress]
Documented threat model for the application and infrastructure.
CC6 — Logical and Physical Access
Role-Based Access Control [Complete]
RBAC enforced at the API layer. Every endpoint requires an explicit permission check.
Multi-factor authentication [Complete]
MFA available for all accounts via TOTP.
API key scoping [Complete]
Programmatic access via scoped API keys (sk-lex_ prefix), hashed before storage.
JWT logout invalidation [Complete]
Logged-out JWT tokens are blocklisted and rejected on all subsequent requests.
Least privilege principle [Complete]
Production database accessible only from application containers; no public DB port.
Access reviews [Planned]
Quarterly review of user access rights and privilege escalations.
Privileged access management [In Progress]
Separate admin credentials for production systems; break-glass access documented.
CC7 — System Operations
Row Level Security (RLS) [Complete]
PostgreSQL RLS policies on all tenant-scoped tables — database-level tenant isolation.
Audit logging [Complete]
Append-only audit log on every sensitive action; 7-year retention; accessible to firm admins.
Error monitoring [Complete]
Application error monitoring via Sentry with anomaly alerting.
Intrusion detection [Complete]
Login rate limiting, account lockout, and anomalous access alerts.
Patch management [In Progress]
Documented process for applying security patches to OS, dependencies, and Docker images.
Dependency scanning [Planned]
Automated scanning of Python and Node.js dependencies for known vulnerabilities.
CC8 — Change Management
Version control [Complete]
All code changes tracked in Git with commit history and pull request review.
Database migration management [Complete]
Alembic migrations with version control; no manual schema changes in production.
CI/CD pipeline [Planned]
Automated build, test, and deployment pipeline with pre-deploy checks.
Rollback procedure [In Progress]
Documented rollback procedure for failed deployments.
A1 — Availability
Daily backups [Complete]
Automated daily pg_dump backups encrypted and shipped to Backblaze B2 (30-day retention).
Backup restore testing [In Progress]
Periodic restore tests to verify backup integrity.
Uptime monitoring [In Progress]
External uptime monitoring with alerting for availability degradation.
Incident response plan [In Progress]
Documented IR plan covering detection, containment, notification, and post-mortem.
C1 — Confidentiality
Encryption in transit [Complete]
TLS 1.2+ enforced on all connections. No plaintext HTTP allowed.
Encryption at rest [Complete]
AES-256 encryption for all stored files (S3 SSE). Database volume encryption.
Tenant data isolation [Complete]
Application-level tenant_id filtering + PostgreSQL RLS on all tenant tables.
AI zero-data-retention [Complete]
Anthropic API used under zero-data-retention terms. No training on customer data.
Data classification policy [Planned]
Formal classification of data types and handling requirements.
P — Privacy (CCPA / HIPAA)
Privacy Policy [Complete]
Full privacy policy with subprocessor list, retention schedule, and user rights.
CCPA Do Not Share page [Complete]
California resident opt-out page and privacy rights request mechanism.
BAA available [Complete]
Standard BAA available for HIPAA-covered entities handling PHI.
Data minimization [Complete]
Only necessary data collected; no behavioral advertising or data brokering.