GlobMaps Climate Intelligence
Compliance Roadmap

SOC 2 Type II

GlobMaps is actively pursuing SOC 2 Type II certification. This page details our readiness journey, current controls, and expected timeline for our customers and partners.

Audit In Progress — Target Q4 2026
Observation period commenced May 2026. Report expected November 2026.

Trust Service Criteria (TSC)

AICPA SOC 2 criteria covered in our audit scope

CC - Security (In Scope)
Protection against unauthorized access, disclosure, and damage to systems.

A - Availability (In Scope)
System availability for operation and use as committed.

C - Confidentiality (In Scope)
Information designated as confidential is protected.

PI - Processing Integrity (Phase 2)
System processing is complete, valid, accurate, and timely.

P - Privacy (In Scope)
Personal information is collected, used, retained, and disclosed appropriately.

Readiness Timeline

Q1 2026
Readiness Assessment

Gap analysis against SOC 2 TSC. Identified and remediated control deficiencies.

Q2 2026
Control Implementation

Security headers, Redis rate limiting, DSAR flow, consent logging, retention policies deployed.

May 2026
Observation Period Begins

Auditor (independent CPA firm) begins 6-month observation of controls in operation.

Q3 2026
Evidence Collection

Continuous evidence gathering: access logs, incident records, vendor reviews, penetration test.

Q4 2026
Auditor Fieldwork

Auditor reviews evidence, interviews personnel, tests control effectiveness.

Nov 2026
SOC 2 Type II Report

Report issued. Available to customers and partners under NDA upon request.

Controls Currently in Place

Key controls implemented and operating as of May 2026

TLS 1.2+ encryption in transit
AES-256 encryption at rest
API key hashing (bcrypt)
Redis-backed rate limiting
Security response headers (CSP, HSTS)
DSAR flow (export, delete, correct)
Consent logging with IP & country
Usage log retention policy (90 days)
Stripe webhook signature verification
Least-privilege access controls
Dependency vulnerability scanning
Google OAuth + credential auth
Cookie consent management
Incident notification within 48 hours
Data Processing Agreements (DPA)

Request the SOC 2 Report

Once issued (November 2026), the SOC 2 Type II report will be available to customers and prospects under NDA. Enterprise tier customers receive automatic access.
