Security
Certification roadmap
Matter's security certification roadmap. SOC 2 Type I and II, ISO 27001 + 27017 + 27018, HIPAA readiness, GDPR Art. 28 DPA, CCPA, PCI-DSS scope, CSA STAR. Target windows, owners, evidence sources.
This page is the authoritative roadmap for Matter's security certifications. Each certification has a target window, an owner, an evidence-source list, and a status. The roadmap is reviewed quarterly by the CISO and the engineering lead.
The customer-facing security questionnaire library at the bottom of this page indexes pre-canned responses to SIG, CAIQ, VSA, and bespoke questionnaires. Enterprise sales references back to specific sections of this page.
Roadmap table
| Certification | Target window | Owner | Status | Evidence anchor |
|---|---|---|---|---|
| SOC 2 Type I | Within P11 | CTO | Evidence pack assembled during P0–P10 phases | Audit chain + RBAC + access reviews + KMS controls |
| SOC 2 Type II | 12 months after Type I | CTO | Continuous evidence collection from P11 onwards | Same controls + observation period |
| ISO 27001 | 18 months after SOC 2 Type II | CISO | Shared control mapping with SOC 2 | Same control universe, ISMS gap analysis |
| ISO 27017 (cloud) | With ISO 27001 | CISO | Cloud-specific extensions to 27001 | KMS regional sub-regions + multi-region + provider ACLs |
| ISO 27018 (cloud PII) | With ISO 27001 | CISO | PII-specific extensions | Field-level encryption + erasure + classification matrix |
| HIPAA-readiness (no live ePHI yet) | 24 months from GA | CISO | BAA template + technical safeguards in place | Encryption at rest + audit chain + retention + access controls |
| CCPA / CPRA | At GA | Counsel | Workflows in place at P0.D4 | Erasure + access + opt-out endpoints |
| GDPR Article 28 DPA | At GA | Counsel | One-click DPA from dashboard | Standard Contractual Clauses + sub-processor list |
| PCI-DSS scope analysis | At GA | CISO | Stripe handles cardholder data; Matter is out-of-scope | Documented at apps/docs/content/docs/security/pci-scope.mdx (lands P11) |
| CSA STAR Level 1 | 18 months from GA | CISO | Self-assessment; public registry | CCM v4 mapping to SOC 2 controls |
SOC 2 Type I — what we are aiming for
Matter's control posture against the SOC 2 Trust Services Criteria (TSC), mapped by Common Criteria series:
CC1 — Control Environment
Ownership matrix at ownership.mdx. Per-bounded-context owners; on-call rotation; quarterly access review. The team has documented integrity and ethics policies.
CC2 — Communication and Information
Customer comms: this docs site, the status page, monthly customer digest, deprecation emails, incident comms per incident-comms.mdx. Internal comms: the #incident-<> channel pattern, the post-mortem publication policy.
CC3 — Risk Assessment
Threat model at threat-model.mdx — a living document updated with every security-relevant PR. Annual external pentest. Quarterly internal purple-team. Quarterly capacity-plan review (also a risk-assessment surface).
CC4 — Monitoring Activities
- SLO board at apps/api/SLOs.md enforced by CI.
- External synthetic probes from US/EU/APAC (P0.A10).
- Continuous chaos (nightly).
- Quarterly game days.
- Data-integrity check cron (P0.G19) scans for invariant violations.
- Linkability check cron (P0.G20) scans for foreign-key invariants.
- Audit-chain rebuild-from-Rekor drill (P0.G18) verifies recoverability.
CC5 — Control Activities
The architecture tests at apps/api/__contracts__/architecture/ (P0.B2) plus the per-phase four-audits gate (Design / Security / Architecture / Testing) are the primary control activities. Spec linting (Spectral), backwards-compat (oasdiff), SAST/DAST/SCA in CI.
CC6 — Logical and Physical Access Controls
- Bearer auth with argon2id + KMS pepper.
- Scope DSL with constant-time evaluation.
- Per-token IP allowlist, optional mTLS, optional device binding.
- M2M OAuth client-credentials.
- SCIM + SAML for enterprise SSO.
- Step-up authentication for high-stakes operations.
- Token rotation with attribution disambiguation.
- Audit-on-auth-failure (T5 control).
- Anomaly detection with auto-quarantine.
CC7 — System Operations
- KMS-backed key hierarchy.
- Per-tenant DEK envelope encryption.
- Field-level encryption mandatory for Highly Restricted data.
- Append-only audit chain; Sigstore Rekor + WORM bucket anchoring; m-of-n genesis ceremony.
- Cryptographic agility.
- SLSA L3 supply chain (P11.7).
CC8 — Change Management
- API Council weekly forum + ~80-item review checklist + production-readiness review.
- Spec-first PR discipline.
- Feature-flag cutover ladder (Shadow → 1% → 10% → 50% → 100%).
- 90-day deprecation notice + 24-month sunset window.
CC9 — Risk Mitigation
Bug bounty + 24h triage SLO + tiered rewards. Annual external pentest with findings tracked at apps/docs/content/docs/security/pentest-findings/. Quarterly purple-team exercises.
ISO 27001 — incremental cost
ISO 27001 reuses most of the SOC 2 control universe. Incremental work:
- Formal ISMS (Information Security Management System) documentation.
- Risk register with quantified impact / likelihood per threat.
- Statement of Applicability against ISO 27001 Annex A.
- Internal audit programme.
- Management review cadence.
The gap analysis lives at apps/docs/content/docs/security/iso-27001-gap.mdx (lands P11 alongside SOC 2 Type II evidence collection).
ISO 27017 + 27018 — cloud extensions
ISO 27017 (cloud) covers shared-responsibility model, virtualisation isolation, multi-tenancy. Matter's per-tenant DEK isolation + Prisma mode-segregation extension + per-region KMS sub-regions cover the core requirements.
ISO 27018 (cloud PII) covers PII processing in the cloud. Matter's data-classification matrix + field-level encryption + erasure flow + retention policy cover the requirements.
HIPAA-readiness
Matter does not currently process electronic Protected Health Information (ePHI). HIPAA-readiness means we have:
- Encryption at rest for every Restricted and Highly Restricted field (P0.C2).
- Encryption in transit (TLS 1.3 mandatory at edge; certificate pinning available in SDKs).
- Access controls (scope DSL + audit-on-read).
- Audit trails (append-only chain + Rekor + per-(org, mode) genesis).
- Backup + disaster recovery (Postgres point-in-time-recovery via Neon; cold-tier offsite; audit-chain rebuild from Rekor).
- Workforce training (quarterly).
- BAA template ready to execute when a customer with ePHI signs.
If a customer wishes to process ePHI on Matter, they sign a Business Associate Agreement (BAA), and we engage them through the dedicated-tier ladder (Stage 4) for physical separation of duties.
GDPR — what we already deliver
- Article 5 (lawfulness, fairness, transparency). Data classification matrix + retention policy + this docs page.
- Article 13/14 (information to data subjects). Customer-facing privacy notice; per-document explainers.
- Article 17 (right to erasure). POST /v1/stakeholders/{id}/erase (P0.D4). Erasure is irreversible (DEK destruction). Audit-chain entry sealed.
- Article 20 (right to data portability). Customer-initiated data export at POST /v1/account/data_export (P11.28). Industry-standard formats supported (P0.I4 data import for round-trip).
- Article 28 (data processing). Standard DPA at apps/docs/content/docs/customer-contracts/dpa.mdx (lands P11). One-click sign from dashboard.
- Article 32 (security of processing). Threat model + encryption + audit chain + access controls.
- Article 33/34 (breach notification). Severity matrix + incident comms; SEV1 customer notification within 30 minutes; SEV2 within 60 minutes.
- Sub-processor list. Published at apps/docs/content/docs/security/sub-processors.mdx (lands P11).
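The erasure model behind the Article 17 entry above and the per-tenant DEK envelope encryption listed under CC7, as an added illustration that is not Matter's code: it assumes one DEK per stakeholder wrapped by the tenant's (org, mode) key, uses a stdlib HMAC-based construction in place of a real AEAD and the KMS, and shows that both a ciphertext read under the wrong field and a read after DEK destruction fail closed.

```python
import hashlib
import hmac
import os

# Stand-in for an AEAD such as AES-GCM, built from the stdlib only so the example
# runs anywhere: HMAC-SHA256 keystream in counter mode, then an HMAC tag over AAD+nonce+ct.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class TenantVault:
    """Envelope encryption for one (org, mode): the tenant key (modelling the KMS
    KEK) wraps a DEK per stakeholder; Highly Restricted fields are sealed under it."""
    def __init__(self, org: str, mode: str):
        self.scope = f"{org}:{mode}".encode()
        self.tenant_key = os.urandom(32)          # would live in KMS, never on disk
        self.wrapped_deks: dict[str, bytes] = {}  # stakeholder id -> wrapped DEK
        self.audit: list[str] = []                # append-only chain entries (simplified)
    def _dek(self, stakeholder: str) -> bytes:
        wrapped = self.wrapped_deks.get(stakeholder)
        if wrapped is None:
            raise PermissionError(f"{stakeholder}: DEK destroyed or never issued")
        return unseal(self.tenant_key, wrapped, aad=self.scope + stakeholder.encode())
    def encrypt_field(self, stakeholder: str, field: str, value: str) -> bytes:
        if stakeholder not in self.wrapped_deks:  # issue and wrap a fresh DEK on first use
            self.wrapped_deks[stakeholder] = seal(self.tenant_key, os.urandom(32),
                                                  aad=self.scope + stakeholder.encode())
        # the field name as AAD binds each ciphertext to its column
        return seal(self._dek(stakeholder), value.encode(), aad=field.encode())
    def decrypt_field(self, stakeholder: str, field: str, blob: bytes) -> str:
        return unseal(self._dek(stakeholder), blob, aad=field.encode()).decode()
    def erase(self, stakeholder: str) -> None:
        # Article 17: destroying the wrapped DEK is the erasure; stored ciphertexts and
        # backups become unreadable without rewriting them, and the step is sealed in the chain.
        self.wrapped_deks.pop(stakeholder, None)
        self.audit.append(f"erase stakeholder={stakeholder} dek=destroyed")
```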
CCPA / CPRA
Same workflows as GDPR (erasure, access, portability) cover CCPA / CPRA. The customer-facing opt-out for "Do Not Sell or Share My Personal Information" is available at the customer's portal (P9.17 StakeholderPortalSession) — Matter does not sell or share PII, but the opt-out toggle is preserved for transparency.
PCI-DSS scope
Matter does not process cardholder data directly. Stripe handles all payments via @repo/payments. Matter's PCI scope is therefore SAQ-A (the lightest tier — outsourced e-commerce). Documented at apps/docs/content/docs/security/pci-scope.mdx (lands P11).
If a customer wishes to surface ACH bank details for stakeholder distributions (post-dissolution, per P10), Matter holds those Highly Restricted fields and encrypts them per P0.C2. The bank ACL (packages/api-providers/bank/acl.ts) handles transit to the bank; the bank is the PCI-burdened processor.
CSA STAR Level 1
Self-assessment against the Cloud Security Alliance Cloud Controls Matrix (CCM v4). Maps directly to SOC 2 controls. Posted to the public CSA registry once Type II is complete.
Questionnaire library
The customer security-questionnaire library lives at apps/docs/content/docs/security/questionnaire-responses/ (scaffold at P0.K8; populated over P11). Pre-canned responses to:
- SIG (Shared Assessments) — full and lite.
- CAIQ (Cloud Security Alliance) — Consensus Assessment Initiative Questionnaire.
- VSA (Vendor Security Assessment) — generic enterprise template.
- Bespoke questionnaires — common patterns extracted as we receive them.
Each response references the threat / control / evidence in this docs site. The library is a productivity multiplier for enterprise sales.
How the roadmap is governed
- Quarterly review by CTO + CISO + engineering lead.
- Annual external audit for SOC 2 Type II (continuous evidence collection).
- Gap analysis ahead of each new certification target.
- Customer-facing updates via this docs page; major status changes (e.g., SOC 2 Type II achieved) announced on the status page.
See also
- Threat model — what each certification's controls defend against.
- Data classification — input to ISO 27018 + GDPR.
- Retention policy — input to SOC 2 CC7 + GDPR Article 5.
- Customer SLA — the availability commitment.
- Ownership matrix — input to SOC 2 CC1.