Status: Type 1, in audit window

SOC 2 status, in public.

Most early-stage vendors say "SOC 2 in progress" and leave it there. We post the timeline, the auditor, the audit window, and the date the letter will be available. If a date slips, the page is updated within 48 hours.

Timeline

2026-03-15

Readiness assessment

Vanta deployed across infra, CI, and laptops. 142 controls in place at scan time.

2026-04-22

Auditor engaged

Engagement letter signed with Prescient Assurance (PCAOB-registered). Type 1 + Type 2 scope.

2026-05-01

Evidence collection complete

Policies, control narratives, system descriptions, and 142 evidence items submitted to the audit room.

2026-06-01 to 2026-08-31

Type 1 audit window

Point-in-time control design assessment. No customer access required; we are the subject.

2026-09-15

Type 1 letter posted

SOC 2 Type 1 letter published on this page. Available under NDA through the sister flow at /baa.

2026-09-15 to 2027-03-15

Type 2 observation window

6-month operating-effectiveness period. Controls run, evidence accumulates, no scope changes allowed.

2027-04-30

Type 2 letter posted

Full SOC 2 Type 2 letter with operating-effectiveness opinion.

Trust services criteria in scope

Type 1 and Type 2 cover the same five TSCs. We are not scoping out availability or confidentiality.

Security

Logical and physical access controls. Network segmentation. Encryption at rest and in transit. Vulnerability management.

Availability

System uptime monitoring. Incident response. Capacity planning. Documented recovery objectives.

Confidentiality

Customer data handling. Access reviews. Data classification. Disposal procedures.

Processing integrity

Receipt chain over compile pipeline. K-score gate enforcement. CI verification of every artifact.

Privacy

PII handling matches our privacy notice. Subject access requests handled within 30 days.

While you wait

If you need to ship before our Type 1 letter, the same controls that go into the audit are in production today. Three artifacts a procurement team can use now:

1. Vendor security questionnaire (CAIQ-Lite) - filled, signed
2. Penetration test report (Q1 2026, Halborn) - available under NDA
3. SOC 2 readiness scan from Vanta - shareable on request

ask: hello@kolm.ai with subject "vendor security pack"

Pre-letter customers (the design-partner cohort) signed under the readiness pack. None of them blocked on the formal letter; the architecture answers most procurement questions before the letter does.