SupplierClear

SOC 2 Type I readiness

Type I program ready — Type II observation not yet underway.

What this means

SupplierClear has implemented controls mapped in [`SOC2-CONTROLS.md`](SOC2-CONTROLS.md) and supporting evidence:

| Control area | Evidence |
|--------------|----------|
| Access | RBAC, API key hashing, [`ACCESS-REVIEW.md`](ACCESS-REVIEW.md) |
| Privacy | GDPR export/delete, [`ROPA.md`](ROPA.md), [`DPA-TEMPLATE.md`](DPA-TEMPLATE.md) |
| Incident response | [`INCIDENT-RESPONSE.md`](INCIDENT-RESPONSE.md) |
| Vendors | [`SUB-PROCESSORS.md`](SUB-PROCESSORS.md) |
| Security testing | [`PEN-TEST-SCHEDULE.md`](PEN-TEST-SCHEDULE.md) |
| Change integrity | Engine parity CI, golden scenarios |
| Marketing honesty | [`SAFE-CLAIMS.md`](../SAFE-CLAIMS.md) + `verify:safe-claims` |

What we do not claim

- SOC 2 Type II certificate (observation period not complete)
- FedRAMP authorization
- Supplier certification

Next step

Engage 3PAO for Type I point-in-time audit. Type II requires 6–12 month observation window after Type I.

Verification

```bash
pnpm verify:compliance
```