Trust Center

SOC 2 readiness, with the receipts.

The full control map is in docs/SOC2-READINESS.md (shared under NDA on request). This is the customer-facing summary: every Trust Services Criterion, its current implementation, and where the gaps are.

Last updated 2026-05-10

§01 · Audit timeline

Type 1 by 2026-Q4. Type 2 fieldwork begins 2027-Q2.

SOC 2 Type 1 attestation — target 2026-Q4.

In progress

Auditor scoping call targeted for 2026-06-15. A Type 1 audit attests that every control is designed correctly at a point in time. Type 2 (12 months of operational evidence) follows once Type 1 has been live for ≥6 months.

Continuous monitoring tooling — Vanta or Drata adoption in 2026-Q3.

In progress

Continuous evidence collection means the auditor walks in to a year of clean records instead of a one-week scramble. Cost is line-itemed in the 2026 ops budget.

Annual penetration test commitment.

Planned

Standard SOC 2 expectation. First test commissioned in advance of the Type 2 window opening.

§02 · Trust Services Criteria — scope

What we're being audited on.

Common Criteria + Security + Availability + Confidentiality.

Live

The four criteria categories that map to a SaaS handling pre-RFP intelligence and marketplace transactions.

Processing Integrity (deferred).

Planned

Re-evaluated when customers begin using Bridger as the system of record for their proposal output. Not yet.

Privacy (deferred).

Planned

GDPR / CCPA posture is covered separately under /legal/privacy. Privacy as a SOC 2 criterion adds redundant overhead for v1.

§03 · Common Criteria

Where we are today.

CC1 — Control Environment.

Live

Org structure documented; advisory board with CISO-track advisor confirming 2026-Q3. Quarterly access review cadence formalized.

CC2 — Communication & Information.

Live

Sentry + Vercel + Postgres telemetry into operator inbox; customer-facing channels (info@, security@, legal@) live.

CC4 — Monitoring Activities.

Live

Continuous observability via Sentry, Vercel function logs, and the AuditLog table. Vanta/Drata adoption adds the continuous-evidence layer.

CC6 — Logical & Physical Access Controls.

Live

NextAuth + bcrypt (cost factor 12), separate JWT subsystems for admin / provider / lobbyist, multi-tenant orgId scoping, TLS 1.3 in transit + AES-256 at rest. Vercel + Neon physical security is covered under their own SOC 2 Type 2 attestations.


CC8 — Change Management.

Live

Every change flows through GitHub PR → CI must pass (build, lint, typecheck, CodeQL, Gitleaks) → squash-merge to main → Vercel auto-deploy. Branch protection enforces no direct pushes to main. Rollback is one Vercel-dashboard click.

CC7 — System Operations.

In progress

Detection (CC7.1), vulnerability monitoring (CC7.2), and recovery (CC7.5) live today. Formal incident response plan (CC7.3 + CC7.4) shipped in docs/INCIDENT-RESPONSE.md; quarterly drill cadence begins 2026-Q3.

§04 · Availability

RTO 1h. RPO 5min. 99.9% monthly target.

Backup & recovery — Neon PITR continuous WAL.

Live

7-day point-in-time recovery on the current plan; 30-day on Scale. We can restore the entire database to any moment in the retention window into a fresh project in under 1 hour.

Public 99.9% uptime SLA.

Live

Measured from the /api/health endpoint, excluding scheduled maintenance windows announced ≥48h in advance. No exclusions for cloud-vendor outages.

Quarterly DR drill cadence.

In progress

Restore-from-PITR drill into a fresh Vercel project, end-to-end. Time-to-recovery captured in docs/incident-drills/. First drill before SOC 2 audit.

Status page on its own subdomain.

Planned

status.bridger.levenhall.com via Better Stack or UptimeRobot. Independent of the platform, so customers can check status even during an outage. Targeted 2026-Q3.

§05 · Confidentiality

Customer data classification + encryption + scoping.

Three-tier data classification at the org level.

Live

fci (default, FAR 52.204-21), cui (NIST 800-171, blocks third-party LLM endpoints), itar_restricted (same LLM block + admin-side audit flagging). The tier is set at onboarding and gates every LLM-backed endpoint.

TLS 1.3 in transit, AES-256 at rest.

Live

Postgres encrypted at rest by Neon; Vercel Blob encrypted at rest by Vercel. TLS 1.0 / 1.1 / 1.2 disabled at the edge.

Multi-tenant isolation enforced server-side.

Live

Every contractor query filters by session.user.orgId. There is no path through the contractor surface that reads or mutates another org’s data. Provider and lobbyist routes are similarly scoped to the row identified by their JWT.

Customer-driven deletion in 30 days.

Live

Soft-delete is immediate (account locked, listings hidden). Hard-delete via cron after a 30-day grace window so the customer can cancel by replying to the confirmation email. Backup data follows the same retention window.


Anthropic Zero Data Retention agreement for the CUI tier.

In progress

Until the ZDR agreement is on file, customers on the cui / itar_restricted tier have all third-party LLM calls blocked server-side. The block is enforced on every gated endpoint regardless of caller.
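How the tier gate described under §05 (fci / cui / itar_restricted) and the session-derived orgId scoping described under multi-tenant isolation fit together, as an added illustration that is not Bridger's own code; the session shape, function names and the in-memory listings table are assumptions.

```typescript
// Added illustration, not Bridger's own code: a fail-closed tier gate for
// LLM-backed endpoints plus session-derived org scoping. All names are assumed.

type DataTier = "fci" | "cui" | "itar_restricted";

interface Session {
  user: { id: string; orgId: string; tier: DataTier };
}

interface GateResult {
  allowed: boolean;
  reason: string;
  auditFlag: boolean; // true => write an admin-side AuditLog row
}

// Only the fci tier may reach a third-party LLM. cui and itar_restricted are
// blocked regardless of who calls; itar_restricted is additionally flagged.
function gateLlmCall(session: Session | null): GateResult {
  if (!session) {
    return { allowed: false, reason: "unauthenticated", auditFlag: false };
  }
  switch (session.user.tier) {
    case "fci":
      return { allowed: true, reason: "fci tier", auditFlag: false };
    case "cui":
      return { allowed: false, reason: "cui tier blocks third-party LLM", auditFlag: false };
    case "itar_restricted":
      return { allowed: false, reason: "itar_restricted tier blocks third-party LLM", auditFlag: true };
    default: {
      // Compile-time exhaustiveness; at runtime an unknown tier fails closed.
      const unknown: never = session.user.tier;
      return { allowed: false, reason: `unknown tier ${String(unknown)}`, auditFlag: true };
    }
  }
}

interface Listing { id: string; orgId: string; title: string }

// Tenant scoping: the orgId comes from the session only. A client-supplied
// orgId (query string, body) is never consulted, so it cannot widen the query.
function listingsForSession(session: Session, table: Listing[]): Listing[] {
  return table.filter((row) => row.orgId === session.user.orgId);
}

// Constructed sample data so the block runs stand-alone.
const SAMPLE_LISTINGS: Listing[] = [
  { id: "l1", orgId: "org-a", title: "Org A listing" },
  { id: "l2", orgId: "org-b", title: "Org B listing" },
];
```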

§06 · What customers can do today

Don't wait for the attestation report.

Pre-answered security questionnaire.

Live

docs/SECURITY-QUESTIONNAIRE.md covers the standard CAIQ / SIG-Lite categories with explicit answers. Email security@levenhall.com to request a copy on company letterhead — we return signed responses within 1 business day.

Sub-processors list, public.

Live

Every third party that touches your data, with their compliance posture. Customers are notified by email 30 days before any new sub-processor is added.


Custom DPA for Enterprise.

Live

Standard DPA available on request from legal@levenhall.com. Custom DPAs negotiable for Enterprise customers with their own paper.

Public incident log + postmortem cadence.

Live

Every SEV1 / SEV2 incident posted with a blameless postmortem within 7 days. Zero incidents to date.
