SOC 2 TYPE II PREPARATION
Independently verified by OneStepWise
TechFlow AI
TechFlow AI is an AI-powered revenue intelligence platform for enterprise sales teams. This page shows our real-time security and compliance posture, verified daily against SOC 2 controls.
Overall SOC 2 score: 82%
Controls passing: 14/17
Policies published: 4
Evidence refresh: Daily
Compliance Score
82% SOC 2 overall
Last assessed: May 24, 2026
Passing controls: 14 / 17
Policies approved: 4 / 4
Evidence artifacts: 23 collected
Score by control domain
Access Control: 91%
MFA enforced · SSO via Okta · Quarterly access reviews
Encryption: 88%
AES-256 at rest · TLS 1.3 in transit · AWS KMS key management
Monitoring & Logging: 80%
CloudTrail enabled · GuardDuty active · SIEM ingestion
Policy Documentation: 85%
4 approved policies · Annual review schedule active
Change Management: 66%
PR review enforced · Penetration test scheduled Q3 2026
Control Status
Multi-factor authentication (MFA)
✓ Pass
MFA enforced via Okta on all production systems. Hardware key required for privileged access.
Encryption at rest
✓ Pass
All S3 buckets encrypted with AWS KMS. RDS instances use AES-256. Key rotation every 90 days.
Encryption in transit
✓ Pass
TLS 1.3 enforced on all endpoints. HTTPS-only policy. HSTS preloaded with 2-year max-age.
Branch protection & code review
✓ Pass
All production branches protected. 2 approvals required. Force-push disabled. Verified via GitHub API.
Audit logging (CloudTrail)
✓ Pass
AWS CloudTrail enabled across all regions. Logs shipped to immutable S3 with 12-month retention.
Vulnerability scanning
✓ Pass
Dependabot alerts active. SAST scanning on all PRs. No critical CVEs unresolved > 30 days.
Incident response plan
✓ Pass
Documented IRP with <4hr detection SLA. Tabletop exercise completed March 2026.
Access reviews (quarterly)
✓ Pass
Last review: April 2026. 3 accounts deprovisioned. Next review: July 2026.
Secrets management
✓ Pass
AWS Secrets Manager in use. No hardcoded credentials detected in last 90-day scan.
Endpoint encryption
✓ Pass
FileVault/BitLocker enforced on 100% of company devices via MDM (Kandji).
Security awareness training
✓ Pass
Annual training completed by 100% of workforce. Phishing simulation: 4% click rate (industry avg 14%).
Data classification policy
✓ Pass
4-tier classification scheme. PII labeled and access-gated. DLP scanning active on email and storage.
Vendor risk management
✓ Pass
12 critical vendors assessed. SOC 2 reports on file for all Tier 1 vendors.
Business continuity plan
✓ Pass
BCP documented. RTO <4h, RPO <1h. Multi-region AWS failover tested January 2026.
Penetration testing
⚠ In Progress
Last pentest: September 2025. Next scheduled: August 2026 with Bishop Fox. Scope defined.
Change advisory board (CAB)
⚠ Partial
Informal change review in place. Formal CAB process being documented, target July 2026.
Continuous monitoring alerts
⚠ Partial
GuardDuty findings routed to PagerDuty. Security Hub consolidation in progress.
Live Evidence Artifacts
GitHub, Branch protection enabled (main)
Required reviews: 2 · Force-push disabled · Admin enforcement: on · Status checks required
Pass
Verified May 24
GitHub, Dependabot alerts
0 critical · 2 high (in remediation <30 days) · 8 medium · Auto-PRs enabled
Pass
Verified May 24
AWS, CloudTrail multi-region logging
All regions enabled · Log file integrity validation on · S3 bucket: techflow-cloudtrail-logs · 12-mo retention
Pass
Verified May 24
AWS, GuardDuty threat detection
Enabled in us-east-1, us-west-2, eu-west-1 · 0 HIGH findings open · S3 Protection: on · EKS: on
Pass
Verified May 24
AWS, S3 bucket encryption
14/14 buckets encrypted with SSE-KMS · Public access blocked on all buckets · Versioning enabled
Pass
Verified May 24
Okta, MFA enforcement
MFA required for all users · 47/47 active users enrolled · Phishing-resistant FIDO2 for privileged roles
Pass
Verified May 24
Google Workspace, Audit logs
Login events · Drive access · Admin activity · Exported to SIEM · 180-day retention policy
Partial
Verified May 23
Published Policies
Information Security Policy
Approved · Last reviewed Jan 2026 · SOC 2 CC1-CC9
DOC-7a3f9c2d1e4b · HMAC-verified
Access Control Policy
Approved · Last reviewed Feb 2026 · SOC 2 CC6
DOC-b8d4e7a2f9c1 · HMAC-verified
Incident Response Plan
Approved · Last reviewed Mar 2026 · SOC 2 CC7
DOC-c1f5a3d9e2b7 · HMAC-verified
Data Classification Policy
Approved · Last reviewed Jan 2026 · SOC 2 CC5
DOC-e4b8f2a6c3d1 · HMAC-verified

Independently verified by OneStepWise

This trust page is updated daily from live integrations with GitHub, AWS, Okta, and Google Workspace. Every policy document carries a cryptographic HMAC seal. Auditors can verify any document's authenticity using its Doc ID.

Evidence hash-chained, append-only
Policies carry HMAC-SHA256 seals
Machine-verifiable at /verify