Skip to main content

SOC 2 Type II Roadmap

ThornGuard is not currently SOC 2 certified. This page describes the planned roadmap toward attestation.

What Is SOC 2 Type II?

SOC 2 (System and Organization Controls 2) is a widely recognized audit framework developed by the AICPA. It evaluates an organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy.
  • Type I — point-in-time assessment: “Are the right controls designed and in place?”
  • Type II — period-of-time assessment: “Did these controls operate effectively over 3–12 months?”
Type II is the gold standard for enterprise procurement because it proves sustained operational discipline, not just a snapshot.

Why SOC 2 Matters for ThornGuard

ThornGuard sits in the critical path of AI agent traffic — inspecting tool calls, redacting sensitive data, and enforcing security policies. Enterprise customers need assurance that:
  • Audit logs are tamper-resistant and retained appropriately
  • Access controls (license keys, team tokens, OAuth) are properly enforced
  • PII redaction operates consistently and correctly
  • The proxy infrastructure itself is secured against compromise
SOC 2 Type II attestation provides this assurance through independent third-party verification.

Planned Scope

Initial Scope: Security (CC) Only

The first SOC 2 cycle will focus exclusively on the Security common criteria (CC6.x, CC7.x, CC8.x). This covers:
Criteria GroupFocus Area
CC6Logical and physical access controls
CC7System operations and monitoring
CC8Change management
Additional trust services criteria (Availability, Confidentiality, Processing Integrity, Privacy) can be added in subsequent audit cycles as the program matures.

Timeline

The estimated timeline from kickoff to report issuance is 7–8 months:
PhaseDurationActivities
Gap AnalysisMonths 1–2Identify control gaps, author policies, select compliance platform
RemediationMonths 2–3Implement missing controls, configure automated evidence collection
Observation PeriodMonths 3–6Minimum 3-month window where controls must operate effectively
Auditor FieldworkMonths 6–7Independent auditor reviews evidence, interviews team
Report IssuanceMonth 7–8Final SOC 2 Type II report delivered

Cloudflare Carve-Out

ThornGuard runs entirely on Cloudflare’s infrastructure:
  • Cloudflare Workers — compute
  • D1 — structured data (audit logs, settings, OAuth tokens)
  • KV — caching (license validation, baselines)
  • Durable Objects — stateful processing (rate limiting, anomaly detection)
  • Queues — async webhook delivery
Cloudflare maintains its own SOC 2 Type II report. Using the AICPA carve-out method, ThornGuard’s audit can reference Cloudflare’s report for infrastructure-level controls, significantly reducing the scope to:
  • Application-layer access controls (license auth, team tokens, OAuth)
  • Data handling practices (PII redaction, audit retention, GDPR purge)
  • Change management (feature flags, migration-based schema changes)
  • Monitoring and incident response (anomaly detection, webhook alerting)
This carve-out approach is standard practice for cloud-native SaaS products and reduces both audit cost and timeline.

Current Controls Mapping

ThornGuard already implements controls that map to SOC 2 Security criteria:
SOC 2 CriterionDescriptionThornGuard Control
CC6.1Logical access securityLicense key authentication, team tokens with RBAC, OAuth 2.1 with PKCE
CC6.2Encryption of dataHTTPS-only transport enforcement, AES-256-GCM encryption of stored tokens
CC6.3Role-based accessOwner/admin/viewer roles, approval workflows for sensitive operations
CC6.6Boundary protectionSSRF blocking, IP whitelisting, origin validation, domain blocklists
CC6.7Data classificationPII/secret redaction (10+ pattern types), custom redaction rules, taint-based data flow labels
CC7.1MonitoringStructured D1 audit logs with correlation IDs, webhook alerting integrations
CC7.2Incident detectionBehavioral anomaly detection (EWMA, drift, sequence analysis), tool poisoning alerts
CC7.3Incident responseReal-time webhook notifications, audit log export (CSV), GDPR purge capability
CC8.1Change managementFeature flags for phased rollout, migration-based D1 schema changes
Gaps identified for remediation include: formal incident response procedures, documented change approval workflows, vulnerability management program, and business continuity planning.

Compliance Platform

Two leading platforms are under evaluation:
FactorVantaSprinto
Annual cost~$20–30K~$15–25K
Cloudflare integrationMature — Workers, D1, KV supportedGrowing — API-based collection
Automated evidenceContinuous monitoring + screenshotsPolicy-driven collection
Auditor networkLarge partner networkSmaller but growing
Time to readiness~3 months~2–3 months
Both platforms provide policy templates, automated evidence collection, and auditor coordination. The final selection will depend on Cloudflare integration depth at the time of kickoff.

Estimated Costs

ItemCost
Compliance platform (year 1)$15–30K
Independent auditor fees$10–20K
Total year 1$25–50K
Ongoing annual$15–25K
These estimates assume a focused Security-only scope with the Cloudflare carve-out. Adding additional trust services criteria would increase auditor fees by approximately $5–10K per criterion.

Next Steps

  1. Select compliance platform and begin gap analysis
  2. Author formal security policies (access control, incident response, change management)
  3. Configure automated evidence collection for existing ThornGuard controls
  4. Begin the observation period
  5. Engage independent auditor for fieldwork
If SOC 2 attestation is a requirement for your organization’s procurement process, contact us to discuss timeline and priorities.