SOC 2 readiness
SOC 2 Type I readiness package for auditor and procurement review. No SOC 2 report has been obtained yet.
This is a SOC 2 readiness package, not an independent CPA report. Do not describe TrustedRouter as SOC 2 audited, certified, or Type I complete until an auditor issues the report.
Use this packet to start Type I readiness, collect evidence, and answer procurement questions while the formal audit is pending.
System boundaries for the first SOC 2.
The first target is Type I readiness for the hosted service and attested API gateway. Type II requires evidence over time after the control set is approved.
| Field | Value |
|---|---|
| Operating entity | Lore Hex Corp, Delaware C Corporation. |
| Status | readiness_package_available_no_report_obtained |
| Type I report | not_obtained |
| Type II report | not_obtained |
| Target categories | Security, Availability, Confidentiality, Privacy, Processing Integrity for billing, authorization, settlement, credits, and refunds |
| In scope | Hosted control plane; Billing and payment-method management; API key and workspace management; Public trust/status/legal surfaces; Attested API gateway and settlement callbacks |
| Out of scope | Customer self-hosted deployments; Downstream model-provider internal systems except as subprocessors; Customer BYOK provider accounts beyond encrypted storage and release into the attested gateway; Non-production experiments |
Documents prepared for review.
| Document | Status | Repo path |
|---|---|---|
| SOC 2 readiness overview | prepared_for_type_1_readiness | docs/compliance/soc2/README.md |
| System description | prepared_for_management_review | docs/compliance/soc2/system-description.md |
| Control matrix | prepared_for_auditor_mapping | docs/compliance/soc2/control-matrix.md |
| Evidence checklist | prepared_for_evidence_collection | docs/compliance/soc2/evidence-checklist.md |
| Information security policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/information-security.md |
| Access control policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/access-control.md |
| Change management and SDLC policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/change-management-sdlc.md |
| Incident response policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/incident-response.md |
| Risk management policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/risk-management.md |
| Vendor management policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/vendor-management.md |
| Asset management policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/asset-management.md |
| Data classification and retention policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/data-classification-retention.md |
| Backup, disaster recovery, and business continuity policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/backup-dr-bcp.md |
| Vulnerability management policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/vulnerability-management.md |
| Logging and monitoring policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/logging-monitoring.md |
| Encryption and key management policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/encryption-key-management.md |
| Personnel security and training policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/personnel-security-training.md |
| AI data handling policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/ai-data-handling.md |
| Audit operations policy | prepared_for_approval_and_operation | docs/compliance/soc2/policies/audit-operations.md |
| Risk register template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/risk-register.md |
| Vendor review template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/vendor-review.md |
| Access review template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/access-review.md |
| Incident record template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/incident-record.md |
| Change record template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/change-record.md |
| Asset inventory template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/asset-inventory.md |
| Evidence index template | prepared_for_recurring_evidence | docs/compliance/soc2/templates/evidence-index.md |
What remains for Type I and Type II.
Management approval of policies and system description
Evidence collection indexed to the control matrix
Auditor engagement and readiness review
Management assertion signed for the audit date
Operating period evidence after Type I scope is approved
Recurring access reviews, vendor reviews, incident reviews, vulnerability evidence, and change evidence
Treat this as readiness documentation only. Do not report SOC 2 obtained, certified, or audited until a CPA firm issues a SOC 2 report.
Reference: AICPA Trust Services Criteria.