Trust · SOC 2 Type II · DEC-V11-80 · Q4-2026 milestone

SOC 2 Type II · ROSS · 12-month roadmap canonical

Preparation phase · Q4-2026 observation start milestone · 5 trust criteria · Vanta evidence automation · audit firm engagement · pre-Series A Enterprise customer requirement preview.

Status · preparation phase · NO certification is claimed at this stage
Section 1

5 Trust Criteria canonical

SOC 2 covers the 5 Trust Services Criteria defined by the AICPA. ROSS prioritizes Security · Confidentiality · Privacy in Phase 1 preparation · Availability + Processing Integrity in Phases 2-3.

CC1 · Security
Priority · P1
Access controls · authentication · authorization · network security · vulnerability management · incident response. Mandatory baseline for any SOC 2 report type.
CC2 · Availability
Priority · P2
Uptime SLA · disaster recovery · backups · monitoring · capacity planning. ROSS targets 99.9% uptime for the production tier.
CC3 · Processing Integrity
Priority · P3
Completeness · accuracy · validity · timeliness · processing authorization. Relevant to the voice agent and the SHA-256 chained audit trail.
CC4 · Confidentiality
Priority · P1
Data classification · encryption at rest + in transit · NDA + access controls · secure disposal. Critical for multi-tenant deployments and Enterprise customers.
CC5 · Privacy
Priority · P1
GDPR cross-reference · DPIA · data subject rights · consent management · retention policies. ROSS satisfies both SOC 2 Privacy and GDPR by design.
Section 2

Vanta integration · evidence automation

ROSS integrates the Vanta MCP canonical into the CI/CD pipeline · automated evidence collection instead of manual screenshots. Reduces audit cost 30-40% vs manual collection · de facto standard for Series A SaaS in EU+US. Vanta covers 90+ native integrations (AWS · GCP · GitHub · Vercel · Supabase · 1Password · CrowdStrike · Datadog).

Continuous compliance monitoring · control drift alerts · automated evidence re-collection pre-audit. Probo bridge considered as an alternative in DEC-V11-58 phase 4 · Vanta signed as primary canonical Q2-2026.

Section 3

Audit firm engagement strategy

Candidate auditor shortlist · BSI Group (EU-first preference, DEC ISO 27001 sister roadmap) · Cobalt (SOC 2 + pentest combined) · Vanta-recommended auditor network (KPMG · BDO · Schellman EU offices). Big-4 NOT required · ROSS prioritizes EU presence + SaaS expertise + AI/voice domain experience.

Type I engagement target Q3-2026 · point-in-time controls design review. Type II observation period 6-12 months · Type II report target Q2-2027 · aligned with the Series A fundraising window.

Section 4

12-month roadmap · 3 phases

Phase 1 · Foundations
Q2-2026
  • Vanta MCP integration · automated evidence collection
  • Policy library canonical · 14 SOC 2 policies signed
  • Asset inventory · risk register · vendor management
Phase 2 · Type I readiness
Q3-2026
  • Audit firm engagement · BSI/Cobalt/Vanta-recommended Big-4 alternative
  • Type I report · point-in-time controls design
  • Penetration test annual + remediation cycle
Phase 3 · Type II observation
Q4-2026
  • Observation period start · 6-12 months operating effectiveness
  • Quarterly internal audit cycles · continuous evidence
  • Type II report target Q2-2027

Enterprise customer · SOC 2 questionnaire preview

Pre-Series A Enterprise customer security questionnaire walkthrough · gap analysis · roadmap acceleration discussion · 30 min.

Book ROSS Hour · SOC 2 prep walkthrough
AI Act art 50 disclosure · content generated with AI assistance (Claude · Anthropic) · human review signed by Will CTO + Patxi Compliance · DEC-V11-80.