SOC 2 roadmap

We are not SOC 2 certified. We are working toward it. This page is the unvarnished version of the path — every item below maps to a control or process we either have not shipped, or have shipped partially.

Q1: Hardening → Q2: Audit + policy → Q3: Pen test + Type I → Q4: Type II begins
Four quarters from current posture to Type II observation start. Items shift right when they ship.

This roadmap is updated when items ship or slip. If a quarter passes without an update here, ping security@rubberfit.app.

Where we are today

The technical controls a SOC 2 auditor would expect are largely in production code — see Security posture for the inventory. The gaps fall into three buckets:

  1. Hardening of existing controls — promote CSP from report-only to enforcing, add before/after JSONB to the audit log, sign cut-history PDFs, hard-enforce MFA enrollment for privileged roles.
  2. Process + documentation — codified security policy, vendor-risk scoring, exercised incident-response plan, training records.
  3. External validation — dependency scanning in CI, third-party penetration test, formal SOC 2 audit engagement.

The roadmap below is one quarter at a time.

The path

Quarter | Item | Bucket | Status
Q1 | Forced MFA enrollment for admin and manager roles — block sign-in for users without an enrolled factor | Hardening | Planned
Q1 | Dependency scanning in CI — npm audit + cargo audit, fail the build on high severity | External | Planned
Q1 | CSP promoted to enforcing mode — wire per-request nonces, drop 'unsafe-inline' / 'unsafe-eval', flip Content-Security-Policy-Report-Only to Content-Security-Policy | Hardening | Planned
Q2 | Audit log v2 — split metadata JSONB into explicit before_state / after_state columns and back-fill ip_address / user_agent on every call site (columns exist; some inserts currently leave them NULL) | Hardening | Planned
Q2 | Formal security policy + risk register — codified policies, vendor-risk scoring, training records | Process | Planned
Q2 | External log aggregation — ship Vercel + Supabase logs to a SIEM with 1-year retention | External | Planned
Q3 | Signed URLs for cut-history PDFs — migrate from getPublicUrl to createSignedUrl with bucket-level policy | Hardening | Planned
Q3 | Third-party penetration test | External | Planned
Q3 | SOC 2 Type I audit engagement — auditor selected, control mapping signed off | External | Planned
Q4 | SOC 2 Type II observation period begins | External | Planned

What “Type I” vs “Type II” means

  • SOC 2 Type I is a point-in-time audit: at the moment the audit happens, do the controls exist and are they designed correctly?
  • SOC 2 Type II is an audit over a sustained observation period (typically 6–12 months): do those controls actually operate as designed, every day?

Type I is the on-ramp. Type II is the credential most enterprise buyers expect to see in a security questionnaire. The roadmap above ends with the Type II observation period beginning — the report itself lands ~12 months after that.

Already shipped (so we don’t double-count it)

For honesty, here’s what’s already in production today and does not need to ship to close the SOC 2 gap. These are real controls, not future work:

  • Row-level security on every customer-facing table — 26 ENABLE ROW LEVEL SECURITY statements, 157 policies, all 25 app tables covered
  • Six-role RBAC enforced at the edge (middleware) and the data layer (RLS) — see Security posture
  • TOTP MFA enrollment + inline challenge for opted-in users — every user who enrolls a factor is challenged at sign-in. Q1’s “forced MFA” item is about closing the loophole for users who haven’t enrolled, not about implementing MFA itself.
  • Security headers — HSTS preload-eligible 2-year, X-Frame DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. CSP is in report-only mode (Q1 item promotes it to enforcing).
  • Signed URLs for customer-facing job PDFs — jobPdfShareService issues short-lived signed URLs. Q3’s “signed URLs” item is for the internal cut-history PDF surface, which still uses getPublicUrl.
  • Postgres advisory locks during pack solves — concurrency-safe roll allocation
  • Point-in-time recovery, 7-day retention — Supabase platform default
  • TLS 1.3 in transit, encrypted at rest — provided by Supabase + AWS infrastructure
  • No third-party telemetry on the dashboard — zero trackers shipped to the browser

Why we publish this

Two reasons:

  1. It is the honest answer. Pretending to be further along than we are wastes everyone’s time. Buyers who need certified SOC 2 today should know that today.
  2. It pre-empts the questionnaire. Most security questionnaires ask “do you have SOC 2?” and “what’s your roadmap?” If the answer is on a public page, you can paste the URL into the response field and move on.

Got a question?

Email security@rubberfit.app. Most questionnaires can be answered from this page plus Security posture plus Data handling.