SOC 2 Readiness Statement

Last updated: April 11, 2026

1. Commitment to SOC 2

Gift of Gab Tech Inc. is actively pursuing SOC 2 Type II certification for the EMMA platform. SOC 2 (Service Organization Control 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates an organization's information systems for security, availability, processing integrity, confidentiality, and privacy.

While we have not yet completed a formal SOC 2 Type II audit, we have designed and implemented controls aligned to the AICPA Trust Service Criteria across all five categories. The following sections detail the controls currently in place.

2. Trust Service Criteria: Current Controls

2.1 Security

Information and systems are protected against unauthorized access, unauthorized disclosure, and damage:

  • AES-256 encryption for all data at rest; TLS 1.3 for all data in transit.
  • Role-based access control (RBAC) with granular permissions across all platform functions.
  • MFA-ready authentication; JWT-based session management with configurable expiration.
  • Web application firewall (Azure Front Door) and DDoS protection.
  • Automated vulnerability scanning of dependencies and container images.
  • Annual third-party penetration testing.
  • Documented incident response plan with severity-based escalation.

2.2 Availability

Information and systems are available for operation and use as committed:

  • Hosted on Microsoft Azure with redundant components and automated failover.
  • Health check endpoints monitored continuously with automated alerting.
  • Encrypted database backups with point-in-time recovery capability.
  • Containerized workloads with auto-scaling to handle demand spikes.
  • Disaster recovery procedures documented and tested periodically.

2.3 Processing Integrity

System processing is complete, valid, accurate, timely, and authorized:

  • Input validation and sanitization on all API endpoints.
  • Automated test suites (unit, integration, contract) run in CI/CD pipeline before deployment.
  • Database schema migration guards to prevent drift between application models and database state.
  • Audit logging of all data mutations with user attribution.

2.4 Confidentiality

Information designated as confidential is protected as committed:

  • Multi-tenant data isolation at the application layer; queries scoped by organization ID.
  • Encryption keys managed through Azure Key Vault with automatic rotation.
  • Principle of least privilege for all internal access to production systems.
  • Confidential customer data is never used for model training or shared across tenants.
  • Non-disclosure agreements required for all personnel with system access.

2.5 Privacy

Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and criteria:

  • Published Privacy Policy and Data Processing Agreement defining data handling practices.
  • Data subject access, correction, and deletion request procedures.
  • 30-day data retention post-cancellation with permanent deletion thereafter.
  • PIPEDA-compliant data handling practices.
  • Sub-processor management with advance notification of changes.

3. Certification Roadmap

The following timeline outlines our path to SOC 2 Type II certification:

Q1 2026 — Controls Implementation

Designed and implemented controls aligned to all five Trust Service Criteria. Established policies, procedures, and monitoring.

Complete

Q2 2026 — Readiness Assessment

Internal readiness assessment and gap analysis. Documentation of all control activities and evidence collection processes.

In Progress

Q3 2026 — SOC 2 Type I Audit

Engage an independent CPA firm to perform a SOC 2 Type I audit, evaluating the design of controls at a point in time.

Planned

Q1 2027 — SOC 2 Type II Audit

Complete a SOC 2 Type II audit evaluating the operating effectiveness of controls over a minimum six-month observation period.

Planned

4. Request a Detailed Report

Enterprise customers and prospective buyers can request a detailed SOC 2 readiness report, including a comprehensive mapping of our controls to Trust Service Criteria, evidence of control operation, and gap remediation status.