In Progress

SOC 2 Compliance Roadmap

Our path to SOC 2 Type I certification — with transparency at every stage.

Where We Are Today

LostChurn is actively working toward SOC 2 Type I certification. Here's what we've already put in place.

AES-256 encryption at rest, TLS 1.3 in transit
Role-based access control with Clerk OIDC authentication
Comprehensive audit logging across all operations
Automated security scanning in CI/CD (Semgrep, gitleaks, npm audit)
12 SOC 2 policies drafted and adopted (access control, incident response, change management, etc.)
Data Processing Agreement available for all customers
GDPR-compliant data handling with right to erasure and data portability
Multi-tenant data isolation at the database level
Application monitoring via Sentry with error alerting
Automated daily backups with cross-region replication
Edge-deployed webhook processing on Cloudflare Workers (global, low-latency)
EU data residency planned for future release

Certification Timeline

Our target milestones toward SOC 2 Type I certification.

Foundation

Complete

Q4 2025 – Q1 2026

Draft and adopt all 12 SOC 2 policies
Implement automated security scanning in CI/CD
Deploy audit logging and access controls
Establish incident response procedures
Complete SOC 2 readiness self-assessment

Hardening

In Progress

Q2 2026

Deploy production monitoring and alerting (Grafana Cloud)
Complete vendor security reviews
Conduct independent penetration test
Formalize evidence collection and retention
Begin continuous compliance monitoring

Type I Audit

Planned

Q3 2026

Engage SOC 2 auditor (point-in-time assessment)
Demonstrate controls are designed and operating effectively
Remediate any findings from the auditor
Receive SOC 2 Type I report

Type I Audit

Planned

Q4 2026 – Q1 2027

Begin 3–6 month observation period
Continuous evidence collection across all Trust Services Criteria
Ongoing monitoring, incident tracking, and change management
Final audit and SOC 2 Type I report

Trust Center

While we complete our certification journey, here's what you can review today.

Security Overview

Encryption, infrastructure, and data handling practices.

Data Processing Agreement

GDPR-compliant DPA available on request.

How we collect, use, and protect your data.

Security Documentation

Detailed security architecture in our help center.

Frequently Asked Questions

Can I get a copy of your SOC 2 report?

Our SOC 2 Type I report will be available to customers and prospects under NDA once the audit is complete (target Q3 2026). Contact sales@lostchurn.com to be notified when it's ready.

What Trust Services Criteria are you targeting?

We are targeting Security (CC) and Availability (A1) as our primary criteria, with Confidentiality (C1) as an additional criterion.

Do you have a security questionnaire I can review?

Yes. We can complete your security questionnaire or provide our standard security documentation package. Contact security@lostchurn.com.

Does LostChurn store credit card numbers?

No. LostChurn never stores raw card numbers, CVVs, or sensitive cardholder data. We only store tokenized references from your payment processor. PCI DSS compliance is handled entirely by Stripe, Braintree, and your PSP.

Where is my data stored?

Data is stored in SpacetimeDB instances. US merchants use our primary instance; EU merchants can opt into our EU-hosted instance (AWS Frankfurt) for GDPR data residency.

Have security questions?

Our team is happy to walk through our security posture, share documentation, or complete your vendor questionnaire.

Contact Security Team

Certification Timeline

Our target milestones toward SOC 2 Type I certification.

Foundation

Complete

Q4 2025 – Q1 2026

Draft and adopt all 12 SOC 2 policies
Implement automated security scanning in CI/CD
Deploy audit logging and access controls
Establish incident response procedures
Complete SOC 2 readiness self-assessment

Hardening

In Progress

Q2 2026

Deploy production monitoring and alerting (Grafana Cloud)
Complete vendor security reviews
Conduct independent penetration test
Formalize evidence collection and retention
Begin continuous compliance monitoring

Type I Audit

Planned

Q3 2026

Engage SOC 2 auditor (point-in-time assessment)
Demonstrate controls are designed and operating effectively
Remediate any findings from the auditor
Receive SOC 2 Type I report

Type I Audit

Planned

Q4 2026 – Q1 2027

Begin 3–6 month observation period
Continuous evidence collection across all Trust Services Criteria
Ongoing monitoring, incident tracking, and change management
Final audit and SOC 2 Type I report

Frequently Asked Questions

Can I get a copy of your SOC 2 report?

Our SOC 2 Type I report will be available to customers and prospects under NDA once the audit is complete (target Q3 2026). Contact sales@lostchurn.com to be notified when it's ready.

What Trust Services Criteria are you targeting?

We are targeting Security (CC) and Availability (A1) as our primary criteria, with Confidentiality (C1) as an additional criterion.

Do you have a security questionnaire I can review?

Yes. We can complete your security questionnaire or provide our standard security documentation package. Contact security@lostchurn.com.

Does LostChurn store credit card numbers?

Where is my data stored?

Data is stored in SpacetimeDB instances. US merchants use our primary instance; EU merchants can opt into our EU-hosted instance (AWS Frankfurt) for GDPR data residency.