Back to trust home

SOC 2 Compliance Roadmap

Pulsent Labs Inc. — Superlog · Last updated 2026-05-20

In progress Probo · Q2 2026
Step 01

Compliance platform

Probo engaged Q2 2026 — evidence collection automated end-to-end.

Step 02

SOC 2 Type I

Target Q2 2026. Point-in-time attestation, Security scope.

Step 03

SOC 2 Type II

Target Q4 2026. 6-month observation window starts at Type I.

Current posture

Superlog is not yet SOC 2 certified. Our compliance program is in active build-out, in partnership with Probo as our compliance automation platform (engaged Q2 2026). This document describes our current control environment and the timeline for formal certification.

While we work toward formal attestation, we operate under the controls described in the Security Whitepaper, which is written to map directly to the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality).

Commitment

We are committing to SOC 2 Type II as our anchor compliance milestone. Pursuing Type II directly (with Type I as a milestone along the way) is consistent with how enterprise prospects expect the journey to run.

Plan

Milestone Target date Notes
Engage compliance automation platform (Probo) Q2 2026 Evidence collection automated through Probo
Engage SOC 2 auditor Q2 2026 CPA firm to be selected via Probo's auditor network
Define audit scope and trust criteria Q2 2026 Security for Type I; expansion to Availability considered for Type II
Implement control evidence collection Q2 2026 Automated via Probo
SOC 2 Type I report Q2 2026 Point-in-time attestation
Begin Type II observation window Q2 2026 6-month window starts immediately after Type I attestation
SOC 2 Type II report Q4 2026 Operating-effectiveness attestation

What we will share before certification

We recognize that "in progress" alone doesn't unblock a security-conscious buyer. To compensate, we offer the following while certification is pending:

  1. Security Whitepaper — the comprehensive description of our control environment.
  2. Written security policies — covering access control, incident response, data retention, vulnerability management, secure SDLC, vendor management, business continuity, encryption, and acceptable use.
  3. Subprocessor list — complete and kept current.
  4. Data Processing Agreement (DPA) — available on request; signed at contract.
  5. Pre-filled security questionnaire (SIG Lite / CAIQ) — available on request.
  6. Contractual security commitments — we are willing to negotiate specific clauses in the MSA / DPA covering incident notification SLAs, audit rights, data return / deletion on termination, and subprocessor change notice, in lieu of a formal report.
  7. Direct access to the founding team — for technical security questions, prospects can speak directly with our engineering and security leads.

Penetration testing

An independent third-party penetration test will be commissioned in Q2 2026, aligned with the Type I attestation and the start of the Type II observation window. The attestation letter / executive summary will be made available to customers under NDA.

Questions

Direct compliance questions to legal@superlog.sh.