Manera Knowledge Base · Security & compliance
Our SOC 2 Type II roadmap (in progress)
This article is for the procurement officer, CISO, or compliance lead asking the question that comes up in 90% of our enterprise sales conversations: "You don't have SOC 2. What's your roadmap?" This is the honest answer. No marketing-speak, no "SOC 2-aligned controls" euphemism, no fake-TBD timeline.
TL;DR
- SOC 2 Type II Target: Q4 2026
- Current state: Pre-audit. Controls implemented and operating. No external audit yet.
- Auditor: TBD — engaging a Big-Four-tier firm in Q3 2026 for the observation period
- Observation period: Q3 2026 - Q4 2026 (90+ day minimum for Type II)
- Pre-audit evidence packs: Available now to enterprise procurement on request — see "Procurement diligence today" below
- Sovereign Tier customers: SOC 2 Type II completion is bundled into your Sovereign Tier engagement; we accelerate per-customer where contractually committed
Why we are public about a "not-yet" status
Most early-stage SaaS companies fudge SOC 2. They say things like "SOC 2-aligned controls" or "SOC 2 in progress" without specifying what is and isn't done. We chose the harder path: be specific, even when the specificity is awkward.
Three reasons:
- The Trust Doctrine. Manera's pricing argument depends on the buyer trusting us. We cannot demand trust on our pricing claims while obfuscating on our security claims.
- Procurement reality. Every CISO who pulls a SOC 2 report off a vendor knows whether the report is real. Pretending we have one would be detected in 30 seconds and lose us the deal.
- The Middle Way. Pretending SOC 2 status would be the indulgence trap. Skipping SOC 2 entirely would be the asceticism trap. The Middle Way is to commit to a real timeline and execute.
What is implemented today
These controls are operating in production. We have evidence (logs, configs, screenshots) for each. The pre-audit evidence pack mentioned below is essentially this list, with timestamps and artifact paths.
Trust Services Criterion — Common Criteria (Security)
- CC6.1 — Logical access controls. Single-tenant isolation enforced at storage layer (Cloudflare R2 per-tenant prefixes), application layer (workspace-scoped queries), and identity layer (Stripe customer ID as workspace primary key).
- CC6.2 — Authentication. Stripe Checkout magic-link auth (no passwords stored). Optional SSO/OAuth via the customer's existing identity provider (Okta, Azure AD, Google Workspace).
- CC6.3 — User access provisioning. Workspace owner adds members via email; magic-link auth. No shadow accounts, no shared credentials.
- CC6.4 — Encryption. TLS 1.3 minimum (HSTS preload-listed), AES-256 at rest in Cloudflare R2, secrets in environment variables (no hard-coded keys).
- CC6.5 — Encryption key management. Cloudflare-managed for R2 storage; founder-managed for Stripe webhook secrets.
- CC6.6 — Boundary protection. Cloudflare WAF + rate limits + bot protection + geo-blocking option.
- CC6.7 — Restriction of physical access. Inherited from Cloudflare + Stripe sub-processors (both SOC 2 Type II compliant).
- CC6.8 — Malicious software protection. No customer file uploads execute in our compute layer. CSP and SRI on the marketing site.
Common Criteria (Availability)
- A1.1 — Capacity planning. PM2-managed processes with horizontal scaling. Cloudflare CDN absorbs traffic spikes.
- A1.2 — Backup. Daily encrypted backups to cross-region R2 replicated storage; 90-day retention; quarterly restore drills.
- A1.3 — Incident detection. PM2 + Cloudflare + custom uptime monitor; PagerDuty-style escalation to founder mobile.
Common Criteria (Confidentiality)
- C1.1 — Data classification. Customer data, sub-processor metadata, internal logs — separately tagged, separately retained.
- C1.2 — Disposal of confidential data. 90-day data-export window post-cancellation; permanent deletion thereafter, including from backups.
Common Criteria (Processing Integrity)
- PI1.1 — Input validation. All user inputs validated at boundary (Flask request validation + petal-level schema checks).
- PI1.2 — System processing. SHA-256 hash on every cross-app synthesis output; lineage replayable.
- PI1.3 — Output integrity. Audit-binder PDF export with hash verification.
Common Criteria (Privacy)
- P1.1 — Notice. Privacy policy at /privacy (Loi 25 + GDPR-aligned).
- P1.2 — Choice and consent. Stripe Checkout shrink-wrap + per-petal opt-in for write-scoped permissions.
- P1.3 — Collection limitation. See "What we do not collect" in Loi 25 + GDPR + DPA.
- P1.4 — Use and retention. 90-day post-cancellation retention; permanent deletion thereafter.
Gaps we are closing
These are the items not yet at full SOC 2 Type II evidence-quality. Each has an owner, target date, and verification approach.
| Item | Status | Target | Verification |
|---|---|---|---|
| Formal Information Security Policy | Drafted, in review | Q2 2026 | Founder + external counsel sign-off |
| Vendor risk management program | Spreadsheet-tracked | Q2 2026 | Migrate to SecureFrame / Vanta tooling |
| Background-check policy for new hires | N/A (solo founder) | When first hire (post Q4 2026) | Standard background check vendor |
| Access review cadence | Quarterly informal | Q3 2026 (formalized) | Logged review with timestamp |
| Penetration test (external) | Internal red-team only | Q3 2026 | Engage external firm (Cure53 / Trail of Bits) |
| Vulnerability management cadence | Manual | Q2 2026 | Snyk / Dependabot automation |
| Change management process | Git-only today | Q3 2026 | Formal change-approval workflow |
| Disaster recovery test | Quarterly informal | Q3 2026 | Documented quarterly drill |
| Business continuity plan | Drafted, not formalized | Q3 2026 | Written BCP doc + tabletop exercise |
| Risk assessment | Drafted, not formalized | Q2 2026 | Written risk register + quarterly update |
The realistic timeline
We have learned (the hard way, by talking to 30+ CISOs) that "SOC 2 Type II in 6 months" is almost always a marketing fiction. Type II requires a minimum 90-day observation period, and the auditor needs evidence of operating controls during that window — not just implemented controls.
Q1-Q2 2026 (now-July). Close the gap items above. Engage a SOC 2 readiness firm (likely Vanta or SecureFrame) to manage evidence collection.
Q3 2026 (July-September). Formal observation period begins. We commit to NOT changing critical controls during the window. Auditor (TBD) engaged.
Q4 2026 (October-December). Audit fieldwork. Report drafted. Final report typically issued 4-6 weeks after fieldwork ends.
Q1 2027 (January-March). SOC 2 Type II report distributed to enterprise customers + posted (gated) on /trust.
This is not the fastest possible timeline. It is the realistic timeline. The fastest possible is "Type I in 90 days then Type II 6 months later" — which is acceptable for some buyers but is widely understood by procurement to be a half-step.
Procurement diligence today
If your procurement requires SOC 2 evidence to onboard a new vendor, we can help bridge the gap:
- Pre-audit evidence pack. Available on request via [email protected]. Contains: control matrix, sub-processor list, data flow diagrams, encryption-at-rest configs, backup configs, incident response runbook, privacy impact assessment, vendor risk register, business continuity plan.
- Custom security questionnaire. We respond to CAIQ, SIG-Lite, SIG-Core, and most custom procurement questionnaires. Turnaround: 5-10 business days.
- Sovereign Tier with audit-pack bundling. If your procurement needs SOC 2 to onboard, the Sovereign Tier ($1,500-$7,500/mo) bundles the audit-pack delivery and accelerates the timeline if the engagement is committed.
- Mutual NDA + 1:1 trust review with founder. [email protected] to schedule. We have done this with 12+ enterprise procurement teams; 11 of 12 onboarded after the call.
The honest tradeoff
Some buyers will simply not transact with a vendor pre-SOC 2. We respect that. Manera is not the right vendor for that buyer until 2027.
For everyone else, the trade-off is:
- What you give up: the third-party-attested SOC 2 Type II badge, until Q4 2026.
- What you get: a vendor who will tell you the truth about their security posture, with evidence, with a timeline, with no marketing-speak. And a 45x to 167x cost reduction versus the incumbent stack.
The buyer who values the badge above all else will buy Bloomberg + CrowdStrike + Westlaw + adjacent tools at $544K-$2M/yr today. The buyer who values the trust signal — and is willing to evaluate it on substance, not on a logo — will buy Manera Mesh Tier at $11,988/yr today and wait six months for the badge.
How we will announce SOC 2 completion
When the SOC 2 Type II report is issued (target Q4 2026), we will:
- Update /trust and this article (the last_updated: field) with the new state
- Email every existing customer with the report-access procedure
- Post a public security blog announcing it
- Update sub-processor and DPA links
We will not retroactively claim SOC 2 status before the audit completes. We will not call our pre-audit controls "SOC 2-equivalent" or "SOC 2-aligned" or any other euphemism.