Compliance Roadmap
Path to SOC 2 certification and enterprise security readiness.
Steadybase is on a deliberate path toward a SOC 2 Type II report (commonly called "SOC 2 certification"; formally it is an attestation issued by an independent CPA firm after examining our controls) and enterprise-grade security. This page outlines our current position and the work ahead.
Current Position
We are in the early stages of our compliance journey. Our approach is transparency-first: we document exactly where we stand rather than making aspirational claims.
What We Have
- Authentication and authorization controls
- Encryption in transit (TLS 1.2+)
- Rate limiting and abuse prevention
- Audit logging (host-local; not yet shipped to a central, tamper-resistant store)
- Per-user data isolation
- Temporal Cloud's SOC 2 controls for workflow execution (inherited from a subprocessor; see the note at the end of this page)
What We Don't Have (Yet)
- SOC 2 Type I or Type II certification
- HIPAA compliance
- PCI DSS compliance
- ISO 27001 certification
- Penetration testing reports
- Independent security audits
SOC 2 Gap Analysis
Security (Common Criteria CC6–CC8)
The Security category spans all of the Common Criteria; the rows below fall under CC6 (logical and physical access), CC7 (system operations and incident response) and CC8 (change management).
| Control (TSC reference) | Status | Gap |
|---|---|---|
| Logical access controls (CC6.1–CC6.3) | Partial | Need SSO, MFA, RBAC expansion |
| Network security (CC6.6) | Partial | Need firewall rules, port restrictions |
| Encryption at rest (CC6.1, CC6.7) | Partial | Need application-level encryption of sensitive fields and documented key management |
| Change management (CC8.1) | Not started | Need CI/CD, code review policies |
| Monitoring & alerting (CC7.1–CC7.2) | Not started | Need CloudWatch, alerting rules |
| Incident response (CC7.3–CC7.5) | Not started | Need IR plan and playbook |
Availability (A1)
| Control | Status | Gap |
|---|---|---|
| Uptime monitoring | Not started | Need health checks, uptime SLA |
| Disaster recovery | Not started | Need backup/restore procedures |
| Capacity planning | Not started | Need auto-scaling (ECS) |
| Redundancy | Not started | Need multi-AZ deployment |
Confidentiality (C1)
| Control | Status | Gap |
|---|---|---|
| Data classification | Not started | Need data classification policy |
| Access reviews | Not started | Need periodic access reviews |
| Data retention | Partial | Need formal retention policies |
| Secure disposal | Not started | Need data deletion procedures |
Roadmap to SOC 2
Phase 1: Security Hardening (Current)
- Network hardening: close exposed ports, configure firewall rules, restrict SSH access.
- Auth improvements: move tokens out of localStorage (where any script running on the page, including an injected one, can read them) into HttpOnly, Secure, SameSite cookies. Because the browser then attaches the token automatically, add CSRF protection, and implement short-lived tokens with refresh rotation.
- Centralized logging: enable CloudWatch, ship audit logs off-host, set up alerting.
- Backup strategy: daily encrypted backups to S3, with restore procedures that are actually exercised, not only documented.
Phase 2: Container Migration
- Migrate from EC2 to ECS Fargate (container isolation, no SSH)
- Move secrets to AWS Secrets Manager (no .env files)
- Implement CI/CD pipeline (GitHub Actions with security scanning)
- Enable CloudWatch logging and monitoring
Phase 3: Enterprise Controls
- Implement SSO (SAML 2.0, OIDC)
- Add MFA (TOTP, WebAuthn)
- Migrate to PostgreSQL (RDS) for structured data
- Create incident response plan
- Begin SOC 2 Type I preparation
- Engage auditor for readiness assessment
Phase 4: Certification
- Complete SOC 2 Type I audit
- Begin SOC 2 Type II observation period (6-12 months)
- Complete SOC 2 Type II certification
- Publish trust page with real-time compliance status
Timeline
| Phase | Target | Status |
|---|---|---|
| Phase 1: Security Hardening | Q1 2026 | In Progress |
| Phase 2: Container Migration | Q2 2026 | Planned |
| Phase 3: Enterprise Controls | Q3-Q4 2026 | Planned |
| Phase 4: SOC 2 Certification | 2027 | Planned |
:::note
Steadybase leverages Temporal Cloud's existing SOC 2 Type II certification for all workflow execution, data durability, and state management. This narrows what our own audit must cover, but it does not remove it: an auditor treats Temporal Cloud as a subservice organization, so Steadybase must still evidence its own controls (access, change management, monitoring, incident response) and the complementary user entity controls that Temporal's report expects of its customers.
:::