SOC 2 Type I readiness
Type I program ready — Type II observation not yet underway.
What this means
SupplierClear has implemented controls mapped in [`SOC2-CONTROLS.md`](SOC2-CONTROLS.md) and supporting evidence:
| Control area | Evidence |
|--------------|----------|
| Access | RBAC, API key hashing, [`ACCESS-REVIEW.md`](ACCESS-REVIEW.md) |
| Privacy | GDPR export/delete, [`ROPA.md`](ROPA.md), [`DPA-TEMPLATE.md`](DPA-TEMPLATE.md) |
| Incident response | [`INCIDENT-RESPONSE.md`](INCIDENT-RESPONSE.md) |
| Vendors | [`SUB-PROCESSORS.md`](SUB-PROCESSORS.md) |
| Security testing | [`PEN-TEST-SCHEDULE.md`](PEN-TEST-SCHEDULE.md) |
| Change integrity | Engine parity CI, golden scenarios |
| Marketing honesty | [`SAFE-CLAIMS.md`](../SAFE-CLAIMS.md) + `verify:safe-claims` |
What we do not claim
- SOC 2 Type II certificate (observation period not complete)
- FedRAMP authorization
- Supplier certification
Next step
Engage a 3PAO for the Type I point-in-time audit. Type II requires a 6–12 month observation window after Type I.
Verification
```bash
pnpm verify:compliance
```