Voight is not SOC 2 certified — and this page doesn’t pretend otherwise. What we publish instead is a full readiness assessment: every implemented control mapped to the Trust Services Criteria a SOC 2 auditor would evaluate, with the gaps stated plainly. A Type II examination is on the roadmap, triggered by enterprise demand.

Quick reference

| Field | Value |
| --- | --- |
| Framework | AICPA Trust Services Criteria (2017, rev. 2022) |
| Criteria in scope | Security (Common Criteria) · Availability · Confidentiality |
| Out of scope | Processing Integrity · Privacy (covered by GDPR, a stricter regime) |
| Certification status | Not certified — readiness phase, Type II on roadmap |
| Inherited attestations | Vercel, Railway, Privy — all SOC 2 Type II |
| Known gaps | 6, published in §6 of the document |
| Security Contact | team@voight.xyz |
| Document Version | 1.0 — June 2026 |

Download the full document

Voight — SOC 2 Readiness Documentation

17 pages · Version 1.0 · June 2026

Control-by-control mapping across CC1–CC9, Availability, and Confidentiality; the six known gaps; inherited vendor controls; and the documented path to a Type II report.

Readiness vs. certified — the difference

| | Readiness (this) | SOC 2 Type II |
| --- | --- | --- |
| Produced by | Voight (self-assessment) | Licensed CPA firm |
| Attests | Controls designed & documented | Controls operated effectively over 3–12 months |
| Independent verification | None | Yes |

A readiness document that lists no gaps is not credible. Ours lists six — including the structural ones (segregation of duties in a founding-size team, no independent pentest yet) — together with the path to closing each.

What’s already in place

  • Encryption everywhere — TLS 1.3 in transit, AES-256 at rest, API keys hashed
  • No password storage — authentication delegated to Privy (SOC 2 Type II)
  • Local-first privacy — 3-level PII scrubbing before telemetry leaves your process
  • Incident response — written procedure with T+0 → T+7d timeframes
  • Supply chain — Dependabot monitoring, npm provenance attestations, defined remediation SLAs
  • Audited foundations — all three infrastructure vendors hold current SOC 2 Type II reports

The path to a Type II report

  1. Readiness (this document) ✓
  2. Gap closure (tracked in revisions)
  3. Compliance platform onboarding (continuous evidence)
  4. Optional Type I examination
  5. 3–12 month observation window
  6. Type II report — available to customers under NDA
We have deliberately not committed to a public date. The trigger is enterprise demand: when a material engagement requires the report, the examination gets scheduled and this page gets updated.
