{
  "agent_instruction": "Treat this as readiness documentation only. Do not report SOC 2 as obtained, certified, or audited until a CPA firm issues a SOC 2 report.",
  "audit_claim": "No independent SOC 2 report is currently available.",
  "documents": [
    {
      "name": "SOC 2 readiness overview",
      "path": "docs/compliance/soc2/README.md",
      "status": "prepared_for_type_1_readiness"
    },
    {
      "name": "System description",
      "path": "docs/compliance/soc2/system-description.md",
      "status": "prepared_for_management_review"
    },
    {
      "name": "Control matrix",
      "path": "docs/compliance/soc2/control-matrix.md",
      "status": "prepared_for_auditor_mapping"
    },
    {
      "name": "Evidence checklist",
      "path": "docs/compliance/soc2/evidence-checklist.md",
      "status": "prepared_for_evidence_collection"
    },
    {
      "name": "Information security policy",
      "path": "docs/compliance/soc2/policies/information-security.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Access control policy",
      "path": "docs/compliance/soc2/policies/access-control.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Change management and SDLC policy",
      "path": "docs/compliance/soc2/policies/change-management-sdlc.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Incident response policy",
      "path": "docs/compliance/soc2/policies/incident-response.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Risk management policy",
      "path": "docs/compliance/soc2/policies/risk-management.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Vendor management policy",
      "path": "docs/compliance/soc2/policies/vendor-management.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Asset management policy",
      "path": "docs/compliance/soc2/policies/asset-management.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Data classification and retention policy",
      "path": "docs/compliance/soc2/policies/data-classification-retention.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Backup, disaster recovery, and business continuity policy",
      "path": "docs/compliance/soc2/policies/backup-dr-bcp.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Vulnerability management policy",
      "path": "docs/compliance/soc2/policies/vulnerability-management.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Logging and monitoring policy",
      "path": "docs/compliance/soc2/policies/logging-monitoring.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Encryption and key management policy",
      "path": "docs/compliance/soc2/policies/encryption-key-management.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Personnel security and training policy",
      "path": "docs/compliance/soc2/policies/personnel-security-training.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "AI data handling policy",
      "path": "docs/compliance/soc2/policies/ai-data-handling.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Audit operations policy",
      "path": "docs/compliance/soc2/policies/audit-operations.md",
      "status": "prepared_for_approval_and_operation"
    },
    {
      "name": "Risk register template",
      "path": "docs/compliance/soc2/templates/risk-register.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Vendor review template",
      "path": "docs/compliance/soc2/templates/vendor-review.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Access review template",
      "path": "docs/compliance/soc2/templates/access-review.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Incident record template",
      "path": "docs/compliance/soc2/templates/incident-record.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Change record template",
      "path": "docs/compliance/soc2/templates/change-record.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Asset inventory template",
      "path": "docs/compliance/soc2/templates/asset-inventory.md",
      "status": "prepared_for_recurring_evidence"
    },
    {
      "name": "Evidence index template",
      "path": "docs/compliance/soc2/templates/evidence-index.md",
      "status": "prepared_for_recurring_evidence"
    }
  ],
  "legal_entity": {
    "address": "1111 Brickell Ave, Floor 10, Miami, FL 33131",
    "duns": "144992055",
    "ein": "41-5339728",
    "name": "Lore Hex Corp",
    "phone": "+1-305-239-7350",
    "security_contact_email": "security@trustedrouter.com",
    "signatory_name": "Joseph Perla",
    "signatory_title": "CEO",
    "type": "Delaware C Corporation"
  },
  "operating_model_note": "A solo-founder Type I readiness pass is feasible with strict automation and evidence templates. For Type II, an evidence/compliance platform or equivalent workflow should be in use before the observation period begins.",
  "references": [
    {
      "name": "AICPA Trust Services Criteria",
      "url": "https://www.aicpa.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022"
    }
  ],
  "service": "TrustedRouter",
  "soc2_type_1_report": "not_obtained",
  "soc2_type_2_report": "not_obtained",
  "status": "readiness_package_available_no_report_obtained",
  "target_report": {
    "future_target": "SOC 2 Type II after an observation period",
    "initial_target": "SOC 2 Type I",
    "out_of_scope": [
      "Customer self-hosted deployments",
      "Downstream model-provider internal systems except as subprocessors",
      "Customer BYOK provider accounts beyond encrypted storage and release into the attested gateway",
      "Non-production experiments"
    ],
    "scope": [
      "Hosted control plane",
      "Billing and payment-method management",
      "API key and workspace management",
      "Public trust/status/legal surfaces",
      "Attested API gateway and settlement callbacks"
    ],
    "trust_services_categories": [
      "Security",
      "Availability",
      "Confidentiality",
      "Privacy",
      "Processing Integrity for billing, authorization, settlement, credits, and refunds"
    ]
  },
  "type_1_blockers": [
    "Management approval of policies and system description",
    "Evidence collection indexed to the control matrix",
    "Auditor engagement and readiness review",
    "Management assertion signed for the audit date"
  ],
  "type_2_blockers": [
    "Operating period evidence after Type I scope is approved",
    "Recurring access reviews, vendor reviews, incident reviews, vulnerability evidence, and change evidence"
  ]
}