Why we say "SOC 2 in progress" instead of "SOC 2 certified"

Honesty in compliance claims is rarer than it should be. Here's our actual posture.

By OOretz team

The marketing problem

Walk through any AI-app-builder website. Look at the security claims:

  • "SOC 2 compliant" (with no Type II report)
  • "GDPR compliant" (with no DPA available on request)
  • "Enterprise-grade security" (with no specifics)

These are red flags. Buyers know this. Procurement teams know this.

What we say instead

On /factory/security we list 38 specific security controls grouped into 8 areas. Each one is marked:

  • Shipped — production-deployed, code on GitHub
  • In progress — code exists, evidence collection underway, audit pending
  • Planned — known gap, not started

Currently we have ~15 shipped, ~20 in-progress, ~3 planned. That's a more accurate picture than "SOC 2 compliant" and an empty page underneath.

Why this matters for procurement

A security questionnaire response that says "SOC 2 compliant" with no Type II report makes procurement teams suspicious. A response that says "Working with Drata, Type II audit in Q3 2026, here's our evidence-collection code" makes procurement teams confident.

We've found that being honest about gaps closes more deals than overstating posture. Counterintuitive, but real.

What we have

  • Tenant-scoped audit log with agent identity (actor_is_agent, agent_run_id)
  • Row-level security on every customer table
  • TLS 1.2+ end-to-end
  • Pre-commit secret scanning (Gitleaks)
  • Daily backup verification (planned, code exists)
  • 6-scenario chaos engineering harness (production-safe guards)
  • DR runbook with a 15 min RTO target

Read the security page for the full list. Read the code for verification.

What we don't have yet

  • SOC 2 Type II report (we're working toward it)
  • ISO 27001 certification (control mappings shipped, audit not started)
  • FedRAMP authorization (gap analysis only)
  • Verified penetration test (bug bounty live, formal pentest planned)

If you need any of those right now, we're not your vendor yet. Talk to us in 6 months.