SOC 2 Type 1 audit

What it does: An external-auditor-attested Type 1 report on TapPass's control environment as of a point in time; clears the filter question that enterprise and regulated buyers ask before evaluating the product.

Procurement for enterprise / regulated / EU buyers filters on SOC 2 before architecture conversations even begin. Without a report, deals don't start. With a Type 1 report (point-in-time attestation), TapPass clears the filter; Type 2 (period-of-time) follows in 2027 H1.

This is operations, not engineering. The engineering side of the work (audit, encryption, access controls) is largely done; the audit is calendar-bound (~6 months) and costs ~$30-60k.

Standard SOC 2 Type 1 scope: Security (always), Availability (typical), Confidentiality (relevant for AI governance). Privacy and Processing Integrity optional in v1; add when customers ask.

| Control area | Status today | Audit-ready by |
|---|---|---|
| Access controls (SSO, RBAC, audit) | Largely shipped | Q3 |
| Encryption at rest/transit | Shipped (KMS envelope, TLS 1.3) | Q3 |
| Logging + monitoring | Shipped (audit hash-chain) | Q3 |
| Change management | Process needs documentation | Q3 |
| Vendor management | Documented in trust center | Q3 |
| Incident response | Plan needs documentation | Q3 |
| Business continuity | Plan needs documentation | Q4 |

  • All acceptance_criteria pass.
  • Type 1 report in hand by end of Q4 2026.
  • Report shareable under NDA via the trust center.

With public-trust-page: the trust page describes our claims and the auditor verifies them, so the page must be accurate before the audit kicks off.

With Engineering: any control gaps surfaced during readiness assessment become engineering work items.

  • ISO 27001 (2027 roadmap).
  • Type 2 (Q1 2027 roadmap).
  • HIPAA BAA (case-by-case based on customer demand).