SOC 2 Type II, in progress.

Veridra is in active SOC 2 Type II preparation. We are not going to claim SOC 2 certification we do not have. This page is the honest current state: the controls we have in place today, the gap assessment, what we're building this quarter, and the timeline to a completed report.

What we have, what we're building, what's next

Veridra is a pre-general-availability platform with design partner deployments. SOC 2 Type II requires an observation window (minimum 3 months, typically 6-12 months for a first report) during which the auditor collects evidence that controls operated effectively. Our plan:

  • Q2 2026: SOC 2 readiness gap assessment with an advisory firm. Controls identified, documented, and in operation.
  • Q3 2026: Type I report or observation window starts. This is the point at which controls are attested as designed appropriately.
  • Q1-Q2 2027: Type II report complete. Covers the preceding observation window with evidence that controls operated effectively over time.

During this runway, every enterprise customer conversation includes access to our current security posture under NDA, our architecture documentation, our policy set (Governance, Security, Communication charters), and specific control-by-control responses to the customer's own assessment questionnaire.

Trust Services Criteria we will address

The SOC 2 framework defines five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Veridra's initial report will cover Security and Availability — the criteria most commonly requested by enterprise buyers. Confidentiality and Processing Integrity are on the roadmap for the Type II follow-up (2028). Privacy is partially covered through our separate DPA and GDPR alignment.

Security

Common Criteria CC1 through CC9 — logical access, system operations, change management, risk mitigation. Our architecture is designed around zero-trust identity, mTLS between services, WebAuthn-only production access, and cryptographic audit trails that satisfy CC6 through CC8 by construction. Detailed control mapping is provided under NDA.

Availability

Criteria A1.1 through A1.3 — capacity, backup, disaster recovery. Veridra operates active-active across regions (US, EU, UK planned for GA; Africa regions planned H2 2027). Backup strategy is encrypted offline copies with quarterly restore drills. Incident response runbooks are tested, and the runbooks themselves are signed.

Why we don't overclaim

Aspirational compliance is a red flag

Sophisticated enterprise buyers look for specific language that distinguishes actual certification from claimed alignment. "SOC 2 compliant" without a current report is a warning sign. "SOC 2 in progress" is honest only if accompanied by a realistic timeline and a named auditor path. "SOC 2 by Q4 2025" for a company that doesn't yet have a signed auditor engagement letter is an over-promise. We are committing to what we can verifiably deliver.

Related certifications and mapped frameworks

  • ISO/IEC 27001 — information security management controls mapped to Veridra's operating model.
  • ISO/IEC 42001 — AI management system. The most relevant AI-specific certification; target H1 2028.
  • FedRAMP Moderate — control requirements mapped for US federal deployment support.
  • HITRUST — for healthcare-specific deployments. Evaluated based on design partner demand.
  • PCI DSS — not in current scope (we do not handle cardholder data).

What design partners get now

Design partners during the pre-SOC-2 period receive: the full architecture documentation, our governance and security charters, a customer-specific control-mapping exercise with our team, a signed DPA and BAA as applicable, and direct founder access for security and compliance questions. When the Type II report is complete, every design partner receives it within days of issuance.

Current state is the honest state

Pre-launch transparency is a feature

We would rather deploy with a customer who understands our actual posture than close a deal on a claim we cannot yet substantiate. Most of our design partner conversations end with the customer saying they prefer the honest timeline to the overclaimed alternative they had seen elsewhere. This is the security and compliance posture we commit to maintaining through and past our certifications.