Compliance
SOC 2
Effective date: June 25, 2026
Wirehead is not SOC 2 certified at v1.0.0. SOC 2 Type I attestation is a post-launch engagement on our roadmap. This page describes our current security posture and what we are doing to be audit-ready.
Current posture
The platform is architected to support a SOC 2 Type I audit without rework. Specifically:
- Security. All data in transit is TLS 1.2 or higher (Vercel + Cloudflare default). All data at rest is encrypted (Neon, Cloudflare R2, Vercel KV).
- Availability. Synthetic monitors from Checkly run against the homepage, the contracts board, and an
/api/healthendpoint that probes the database. Sentry catches and alerts on unhandled exceptions across the client, server, and edge runtimes. - Processing integrity. Every form submission is server-validated with Zod schemas. Database migrations are versioned and replayed from a single SQL file per change (drizzle/NNNN_*.sql). All builds pass typecheck, lint, format, automated tests, Lighthouse (perf ≥ 90, a11y ≥ 95), and axe-core (zero violations) before merge.
- Confidentiality. Production secrets live in Vercel encrypted env vars, scoped per environment, never in code. OAuth scopes are restricted to
openid email profile. Auth.js uses database sessions (not JWTs), enabling immediate revocation server-side. - Privacy. Cookieless analytics, no IP capture, third-party processors publicly disclosed under /privacy and /trust.
Audit trail
Every change to the Platform is committed to GitHub with a CODEOWNERS-required review. Branch protection on the main branch requires CI workflows green and at least one approving review before any merge. The full commit history, PR review history, and CI run history is auditable.
Roadmap
SOC 2 Type I attestation is targeted post-launch, scoped under a separate engagement. The Type II attestation that builds on Type I's point-in-time controls with a 6–12 month operating-effectiveness window will follow. Until those are complete, Wirehead does not claim SOC 2 certification.
Independent diligence
A full architecture + security review is available to qualified reviewers under NDA. The diligence package documenting our architecture, quality gates, security posture, and regulatory compliance is curated under /trust.
Questions
Write to trust@wirehead.com for security disclosures or audit-readiness questions.
