Every framework with its current status, evidence path, and (where applicable) committed target date. The honest version — not a marketing roadmap dressed up as completed work.
DPA available under /dpa; data export covers 30+ tables (lib/gdpr/*); deletion flows wired to app/api/gdpr/* with tombstone records; immutable audit trail (audit_log + hash chain, migration 20260623).
Last verified:
ISO/IEC 27001:2022
Roadmap — Q4 2026
Information Security Management System
Annex A controls inventory in progress; documentation gap analysis completed 2026-Q1. External certification not yet contracted.
Target:
Last verified:
SOC 2 Type II
In Process — Type I targeted Q3 2026
Security, Availability, Confidentiality TSCs
Controls implemented and observable in code (RBAC: lib/auth/rbac.ts, audit chain: lib/audit/log.ts, encryption: lib/integrations/oauth/crypto.ts). Observation window for Type I report begins 2026-08-01; auditor engagement signed.
Target:
Last verified:
BSI C5:2020
Roadmap — Q2 2027
Cloud Computing Compliance Criteria Catalogue
Mapped to ISO 27001 controls; type-2 attestation depends on completed 27001 audit (preceding line). Not yet contracted with a BSI-listed auditor.
Target:
Last verified:
TISAX (German automotive)
Not in scope
Information Security Assessment for automotive sector
No automotive supply-chain customers currently. Will revisit if vertical demand emerges.
Last verified:
HIPAA (US healthcare)
Not in scope
Protected Health Information processing
Orconic is not a Business Associate today. Service is not marketed for PHI workloads.
Last verified:
Penetration Testing
2026-Q3 (planned) · Vendor: TBD — RFP in progress · Status: planned Scope: External web application + API + authenticated workspace flows First external pentest scheduled for Q3 2026. Internal security review (lib/security/*) covers the major OWASP Top-10 categories pre-engagement.
Need a signed copy of any report, DPA, or vendor questionnaire? security@codaiq.com.