Last updated Jun 14, 2026

SOC 2 audit engagement

Matter pursues SOC 2 Type I within the P11 window and Type II 12 months after Type I. Evidence is collected continuously from P0 onward; the audit itself ratifies what's already in place.

Trust Services Categories in scope

CC (Common Criteria) — required.
A1 (Availability) — required.
C1 (Confidentiality) — required.
PI1 (Processing Integrity) — required.
P1 (Privacy) — added Type II year onward.

Security category is implicit in CC.

Auditor selection criteria

AICPA-licensed CPA firm.
≥ 5 years SaaS / fintech SOC 2 experience.
Familiar with Trust Services Criteria 2017 with 2022 updates.
References: ≥ 3 customers in the size + industry range.
Pricing transparency: fixed-fee for Type I, fixed-fee + monitoring retainer for Type II.

Evidence pack

The canonical control catalog lives at apps/api/lib/soc2-controls.ts. Each control cites:

A codepath.
A test.
A process document.

Auditors traverse the map at evidence-collection time.

Per-quarter evidence rollover

Quarter	Evidence collected
Q1	Access reviews (quarterly cadence); KMS rotation drill; chaos cadence snapshot.
Q2	Pentest report (annual); SDLC sign-offs; deprecation policy enforcement.
Q3	Bug-bounty findings + remediation; postmortem publications; SLA credit issuances.
Q4	Game-day rehearsal; annual policy review; access-review attestation.

Type I scope

Snapshot in time — auditor verifies controls are designed suitably and implemented as of a single date.

Window: 2-3 weeks of evidence collection.

Type II scope

Operational effectiveness over a 6+ month period — auditor verifies controls actually operate as designed.

Window: 6 months minimum (typically 9-12 months); evidence sampling throughout.

Readiness checklist (pre-audit)

All controls in soc2-controls.ts have non-empty codepath + test + process-doc citations.
All process docs are current (apps/docs/content/docs/process/, apps/docs/content/docs/security/).
All access reviews ≤ 90 days old.
Postmortem publications current (no SEV1/SEV2 unresolved

35 days).
Pentest report current (≤ 12 months old).
Chaos cadence summary green (apps/api/lib/chaos-cadence.ts).
Bug-bounty triage SLO green (apps/api/lib/bug-bounty.ts).

Outputs

Type I report — distributable to enterprise prospects under NDA. Published on the trust page.
Type II report — same.
Bridge letter — between Type II report renewals; signed by CISO + CPA firm.
Customer trust page — mattermode.com/trust lists all certifications + links to download (NDA-gated).

SOC 2 audit engagement

SOC 2 Type I + Type II audit scope + readiness checklist.

Last updated Jun 14, 2026

SOC 2 audit engagement

Matter pursues SOC 2 Type I within the P11 window and Type II 12 months after Type I. Evidence is collected continuously from P0 onward; the audit itself ratifies what's already in place.

Trust Services Categories in scope

CC (Common Criteria) — required.
A1 (Availability) — required.
C1 (Confidentiality) — required.
PI1 (Processing Integrity) — required.
P1 (Privacy) — added Type II year onward.

Security category is implicit in CC.

Auditor selection criteria

AICPA-licensed CPA firm.
≥ 5 years SaaS / fintech SOC 2 experience.
Familiar with Trust Services Criteria 2017 with 2022 updates.
References: ≥ 3 customers in the size + industry range.
Pricing transparency: fixed-fee for Type I, fixed-fee + monitoring retainer for Type II.

Evidence pack

The canonical control catalog lives at apps/api/lib/soc2-controls.ts. Each control cites:

A codepath.
A test.
A process document.

Auditors traverse the map at evidence-collection time.

Per-quarter evidence rollover

Quarter	Evidence collected
Q1	Access reviews (quarterly cadence); KMS rotation drill; chaos cadence snapshot.
Q2	Pentest report (annual); SDLC sign-offs; deprecation policy enforcement.
Q3	Bug-bounty findings + remediation; postmortem publications; SLA credit issuances.
Q4	Game-day rehearsal; annual policy review; access-review attestation.

All controls in soc2-controls.ts have non-empty codepath + test + process-doc citations.
All process docs are current (apps/docs/content/docs/process/, apps/docs/content/docs/security/).
All access reviews ≤ 90 days old.
Postmortem publications current (no SEV1/SEV2 unresolved

35 days).
Pentest report current (≤ 12 months old).
Chaos cadence summary green (apps/api/lib/chaos-cadence.ts).
Bug-bounty triage SLO green (apps/api/lib/bug-bounty.ts).

Outputs

Type I report — distributable to enterprise prospects under NDA. Published on the trust page.
Type II report — same.
Bridge letter — between Type II report renewals; signed by CISO + CPA firm.
Customer trust page — mattermode.com/trust lists all certifications + links to download (NDA-gated).

SOC 2 audit engagement

SOC 2 audit engagement

Trust Services Categories in scope

Auditor selection criteria

Evidence pack

Per-quarter evidence rollover

Type I scope

Type II scope

Readiness checklist (pre-audit)

Outputs

On this page

SOC 2 audit engagement

SOC 2 audit engagement

Trust Services Categories in scope

Auditor selection criteria

Evidence pack

Per-quarter evidence rollover

Type I scope

Type II scope

Readiness checklist (pre-audit)

Outputs

On this page