Type II observation window underway

SOC 2 Trust Service Criteria, control by control

Abundera Sign operates under SOC 2 controls today; the Type II report is on the way. This page maps the AICPA Trust Service Criteria to the technical controls already in place so security teams can review the basis directly while the formal audit window runs.

Where SOC 2 is on the roadmap

SOC 2 Type I and Type II reports are not yet published. The observation window is underway. Target dates: Type II report Q4 2026, ISO 27001 certification Q2 2027. A technical security pack is available under NDA in the interim — email compliance@abundera.ai if procurement needs it sooner than the report ships.

CC1 Control environment

Demonstration of commitment to integrity, ethical values, and independence.

  • Documented control environment with named Security Officer (security@abundera.ai)
  • Code of conduct and disclosure obligations on every engagement
  • Board-level oversight on security and compliance matters

CC2 Communication and information

Internal and external information that enables internal control.

  • Published Trust Center with subprocessor list and current security posture
  • security.txt at /.well-known/security.txt (RFC 9116) as a disclosure channel
  • llms.txt advertises the compliance footprint to AI agents and crawlers
  • Privacy policy and terms published on abundera.ai

CC3 Risk assessment

Ongoing identification, analysis, and management of risk.

  • Annual risk assessment with documented residual-risk treatment
  • Threat-modeling review on every major architectural change
  • Patent + IP register maintained at master-IP-portfolio level (see Trust Center)

CC4 Monitoring activities

Ongoing and separate evaluations of control performance.

  • Cloudflare analytics for traffic anomalies and edge-side errors
  • Structured audit logs for every envelope action, hash-chained per signer
  • Failed-delivery retry queue with KV-tracked attempts
  • Per-deploy pre-flight validation script (48 sections of static checks)

CC5 Control activities

Selection and development of control activities, including general IT controls.

  • Per-deploy pre-flight script blocks 48 distinct failure modes from reaching production
  • Migrations applied via D1, never ad-hoc SQL against production
  • Branch protection on the production branch with required review
  • Forward-regression smoke tests for OpenAPI, headers, compliance pages, and the legal-evidence chain

CC6 Logical and physical access

Restricts logical and physical access to authorised parties.

  • JWT plus product-scoped API keys (abnd_sign_*) with KV-cached revocation
  • HSM-backed AATL signing key at Azure Key Vault (FIPS 140-2 Level 3)
  • Principle of least privilege on Cloudflare bindings (D1, KV, R2, Queues)
  • Passkeys (WebAuthn) and SMS OTP for high-assurance signer authentication
  • Account-isolation policy enforced via siteops audit script

CC7 System operations

Detection and management of processing deviations.

  • Pre-deploy validation pipeline gates every change to production
  • Automated retention cron purges expired evidence packages on schedule
  • Anomaly alerting on auth failures, rate-limit breaches, and webhook signature failures
  • Documented incident response runbook with named on-call rotation
  • Dual email provider failover (ZeptoMail → Resend) keeps notifications flowing during partial outages

CC8 Change management

Authorisation, design, documentation, testing, and approval of system changes.

  • Every change reaches production through the pre-deploy pipeline (static checks + Vitest)
  • OpenAPI canonical-and-docs sync enforced at deploy time so the API Shield contract never drifts from code
  • Forward-regression tests for the legal-evidence chain, security headers, and compliance footprint
  • Migration files numbered sequentially without gaps or duplicates (enforced)

CC9 Risk mitigation

Identifies and selects mitigations for the risks identified.

  • WORM (Write Once Read Many) storage for sealed evidence packages with 3- to 99-year retention locks
  • Dual RFC 3161 trusted timestamp authorities (DigiCert primary, Sectigo secondary)
  • Multi-anchor evidence package (GitHub, GitLab, Sigstore Rekor, Bitcoin OpenTimestamps)
  • PAdES-LTA digital signature with embedded DSS and Document Timestamp for Long Term Validation

A Availability (Trust Service Criterion)

Information and systems are available for operation and use.

  • Deployed on Cloudflare's global edge network with no origin dependency
  • Business plan: 99.9% SLA
  • Health endpoint at /api/v1/health monitors D1, KV, R2
  • Email retry queue with up to 3 automatic re-delivery attempts
  • Graceful degradation: optional anchors fail independently of the seal pipeline

C Confidentiality (Trust Service Criterion)

Information designated as confidential is protected as committed or agreed.

  • TLS 1.3 in transit, HSTS preload
  • R2 storage encrypted at rest
  • Per-signer signing tokens (256-bit CSPRNG, SHA-256 hashed)
  • No third-party analytics or tracking on signing pages, no fingerprinting
  • AI summaries via Cloudflare Workers AI at the edge, never leaving Cloudflare infrastructure

Frequently asked questions

Do you have a SOC 2 Type II report today?

Not yet. Target Q4 2026. The Type II observation window is underway. A technical security pack is available under NDA in the interim.

Which Trust Service Criteria are in scope?

Security (the Common Criteria, required), Availability, and Confidentiality. Processing Integrity and Privacy are evaluated alongside, with Privacy covered today by the published privacy policy and the cryptographic-evidence package on every signed envelope.

Can we get a security pack now?

Yes, under NDA. Email compliance@abundera.ai with the procurement timeline and we will return a pack covering the existing controls, subprocessor list, and the cryptographic-evidence walkthrough.

How does Abundera Sign meet the Common Criteria today?

Every CC line item maps to an existing control on this page (named Security Officer, published Trust Center, annual risk assessment, hash-chained audit log, pre-deploy validation script, HSM-backed signing key, retention cron, incident response runbook, WORM storage). The Type II report formalises the operating-effectiveness testing of those controls over a defined observation period.

What about ISO 27001?

ISO 27001 certification follows SOC 2 Type II. Target: Q2 2027. Many of the same controls underpin both regimes.

Need a target SOC 2 date for procurement, or want the technical security pack under NDA today? Email compliance@abundera.ai. For the broader posture, see the Trust Center, the Compliance Center, or the related HIPAA and 21 CFR Part 11 pages.