# SOC 2 Readiness Statement

Status: readiness packet, not a SOC 2 Type I or Type II report.

Annotate does not currently have an independent SOC 2 report. For buyer review, the table below maps the service's current technical controls to the common Security, Availability, Confidentiality, and Privacy review areas:

| Area | Current Evidence |
| --- | --- |
| Access control | JWT-authenticated dashboard APIs, owner/admin/member project roles, owner-only destructive actions. |
| Auditability | `GET /audit-logs` and dashboard Audit page cover project, report, integration, export, screenshot, retention, and AI-triage activity. |
| Data retention | Per-project retention days plus owner-triggered purge endpoint. |
| Secret handling | Production requires `SECRET_ENCRYPTION_KEY`; GitHub/Slack secrets are encrypted at rest. |
| Backup and recovery | Litestream replica URL support, startup restore, and restore-drill runbook. |
| Change management | GitHub CI runs type-check, tests, and build before deploy. |

SOC 2 next steps:

1. Select CPA/auditor and final trust-services scope.
2. Freeze control owners and evidence cadence.
3. Run readiness assessment.
4. Complete Type I design review.
5. Operate controls through the Type II observation window.

References: AICPA SOC 2 Trust Services Criteria overview, https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
