SOC 2 Type II Plan
TL;DR: Rōvn is on a documented SOC 2 Type II trajectory with Drata as continuous-evidence platform and a platform engineering partner (BAA executed; named under NDA to investors on request) providing the implementation chassis. SOC 2 Type II is in progress. Drata-managed evidence collection is running, the observation window is opening Q3 2026, and the SOC 2 Type II report is targeted for Q3 2027 (after the 12-month observation period closes). Trust Services Criteria scope: Security, Availability, Confidentiality, Processing Integrity, Privacy. Current state: control implementation underway on a documented trajectory; we do not claim SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation, SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation, or SOC 2 Type II until the report is issued. The partner's healthcare-SaaS implementation depth (10-year operating history, 50+ shipped products, 0 HIPAA violations) gives Rōvn an 18-24 month head start on posture vs greenfield competitors. AI operates the workflow. Source systems prove the facts. Humans make every regulated decision.
1. Why SOC 2
SOC 2 is the de-facto trust posture procurement teams ask for at every healthcare buyer above the small-CAH tier. Without it, deals stall at GC review, especially at mid-size hospital systems, IDNs, and payer accounts.
Rōvn pursues SOC 2 not because regulation requires it (it does not; HIPAA does, separately). Rather, SOC 2 is the procurement-language credential that lets the GC sign and lets the CIO security review pass. Combined with HIPAA-alignedHIPAA posture06.2 HIPAA Posture Memo · canonical procurement-safe phrasing (not 'compliant' / not 'certified') posture + BAA execution, SOC 2 closes the procurement door open to the rail.
We do not represent as SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation until the audit completes and the report is issued. Current state: SOC 2 Type II is in progress, control implementation underway on a documented Drata-managed trajectory.
2. Trajectory: SOC 2 Type II in progress
Rōvn is pursuing SOC 2 Type II directly with Drata. The roadmap below is the operating sequence; we do not represent an interim SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation attestation as part of the standard claim.
Phase 1: Control Implementation (now → Q3 2026)
- Drata onboarded as continuous control monitoring + evidence collection platform.
- Platform engineering partner (BAA executed; named under NDA to investors on request) provides control implementation muscle on the engineering chassis.
- Trust Services Criteria mapped to specific Rōvn controls.
- Evidence collection automation wired (AWS Config rules, CloudTrail, CloudWatch, GuardDuty, Sentry, GitHub branch protection, on-call rotation logs, access reviews, training completion).
- Interim "audit in progress" letter from Drata-paired auditor available to design-partner facilities on request.
Phase 2: SOC 2 Type II observation window (Q3 2026 → Q3 2027)
- Observation period: 12 months, controls operating effectively from Q3 2026 through Q3 2027.
- Scope: Security, Availability, Confidentiality, Processing Integrity, Privacy.
- Auditor: Independent CPA firm (final selection pending; Drata-aligned audit firms shortlisted).
- What Type II proves: Controls operated effectively over the 12-month period.
Phase 3: SOC 2 Type II report (Q3 2027)
- Deliverable: SOC 2 Type II attestation report.
- Distribution: Distributed to design-partner facilities and procurement teams as part of the standard evidence pack.
After the Type II report issues, annual recertification continues at the same auditor with rolling 12-month observation periods.
3. Trust Services Criteria: Scope
SOC 2 Type II scope (Q3 2026 observation window → Q3 2027 report)
| TSC | Coverage |
|---|---|
| Security (Common Criteria) | Required for every SOC 2 report. Covers access controls, change management, risk management, system operations, incident response. |
| Availability | Uptime, capacity, disaster recovery, business continuity. |
| Confidentiality | Data classified as confidential is protected. Includes credential metadata, source receipts, audit artifacts. |
| Processing Integrity | System processing is complete, valid, accurate, timely, authorized. Covers audit-chain integrity, source query orchestration correctness, AI executor output integrity. |
| Privacy | Personal information collected, used, retained, disclosed, disposed per privacy notice. Covers consent management, worker data ownership, time-boxed disclosure controls. |
Processing Integrity and Privacy in the Type II scope strengthen the AI doctrine claim and the worker-owned Passport claim, respectively.
4. Control Framework
Common Criteria (Security)
| CC | Control area | Rōvn implementation |
|---|---|---|
| CC1 | Control environment | Founder-designated Security Officer; written security policy; quarterly board review at advisory cadence |
| CC2 | Communication & information | Security policy distributed to workforce; vendor management program documented |
| CC3 | Risk assessment | Annual risk assessment + ad-hoc; Drata-managed risk register |
| CC4 | Monitoring activities | CloudWatch + Sentry + GuardDuty + Security Hub; SOC alert escalation runbook |
| CC5 | Control activities | Documented in code review + branch protection + deployment approval workflows |
| CC6 | Logical & physical access | Cognito + WorkOS SSO; RBAC; least-privilege IAM; AWS physical safeguards via BAA |
| CC7 | System operations | Change management via PR review + Drata; automated testing + deployment approval |
| CC8 | Change management | All production changes via reviewed PR + audited deploy logs |
| CC9 | Risk mitigation | BCP/DR plan; backup + restore tested quarterly; tabletop incident drills |
Availability
- Multi-AZ infrastructure
- S3 cross-region replication for audit artifacts
- Documented RPO / RTO targets
- Quarterly DR drill
Confidentiality
- Data classification policy
- Encryption at rest (AES-256 KMS) + in transit (TLS 1.3)
- Access logging and review
- S3 Object Lock immutability on audit artifacts
Processing Integrity
- Audit-chain hash integrity (any tampering breaks the chain forward)
- Source query orchestration audit trail
- AI executor
ai_runsledger (input hash, output hash, token cost, latency) - Cached-replay receipt validity-window enforcement
Privacy
- Worker-owned Passport with explicit consent grants
- Time-boxed disclosure controls (worker grants Facility A access; revocable)
- Per-API consent for Verified API reads
- Audit log captures every read; replay-able on demand
5. Platform engineering partner role (under NDA)
The platform engineering partner's role (under NDA) in the SOC 2 trajectory (BAA executed; named under NDA to investors on request):
- Engineering chassis. Pre-built HIPAA-alignedHIPAA posture06.2 HIPAA Posture Memo · canonical procurement-safe phrasing (not 'compliant' / not 'certified') + SOC 2-aligned engineering patterns. Healthcare-SaaS implementation depth, 10-year operating history, 50+ shipped products, 0 HIPAA violations.
- Control implementation muscle. Partner engineers implement specific controls (e.g. CC7 system operations, CC8 change management) directly into Rōvn's engineering workflow.
- Audit preparation support. Joint audit-readiness reviews ahead of each audit window.
Time-to-posture comparison:
| Vendor | Time to SOC 2 Type II readiness (controls implemented + observation-window start) |
|---|---|
| Greenfield startup, no implementation chassis | 18-24 months |
| With Drata + experienced engineering leadership | 9-12 months |
| With the partnership chassis (10-year operating history, 50+ shipped products, 0 HIPAA violations) | 4-6 months |
This partnership is a defensible moat element in part because of this acceleration.
6. Honest Build State
What is true today
- Drata onboarded. Continuous control monitoring + evidence collection running.
- Control framework mapped. Trust Services Criteria mapped to specific Rōvn controls.
- Evidence automation wired. AWS Config rules, CloudTrail, CloudWatch, GuardDuty, Sentry, GitHub branch protection, on-call rotation logs all feeding Drata.
- Engineering chassis SOC 2-aligned. The partner's pattern library is the foundation.
- BAA registry executed. AWS, Anthropic, Persona, Checkr, WorkOS, Drata, and platform engineering partner (named under NDA).
What we do NOT yet claim
- ❌ SOC 2 certified. Audit has not yet occurred.
- ❌ SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation attested. Rōvn is pursuing SOC 2 Type II directly; an interim Type I attestation is not part of the standard claim.
- ❌ 147 / 152 controls implemented. This is not what we claim. The discredited live-site overclaim has been removed. Honest representation: control implementation is in progress on a documented trajectory; specific control counts will be published in the Type II report.
- ❌ Pentest report available. Pentest scheduled Q4 2026.
The discipline of saying "in progress" rather than overclaiming "certified" is what wins procurement long-term. Hospital GCs trust honesty more than they trust marketing.
7. The Investor Reading
For investors evaluating this plan:
- Realistic timeline. 4-6 month Drata + partner-chassis path to controls-implemented + observation-window start is below industry median because of the chassis acceleration. The 12-month Type II observation window is industry-standard.
- Right scope. All five Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) in the Type II scope. This matches what customers actually ask for.
- Procurement gating. SOC 2 Type II evidence package (with Drata-paired "audit in progress" letter) unlocks Mid-tier accounts (OperatorProduct surface04.3 Facility Workflow Memo · the facility-side AI workforce Operator $20,000/mo · $240K ACV, mid-IDN early Platform). The final SOC 2 Type II report unlocks large IDN Platform tier. Trajectory aligns to GTM expansion.
- Compounding. Once SOC 2 is in place, every subsequent audit cycle is incremental cost, not greenfield. The compliance posture becomes a permanent durable asset.
8. Why This Wins
Three reasons.
-
Partner-chassis cuts time-to-posture by 60-70%. Greenfield competitors absorb 18-24 months that Rōvn does not.
-
Honest representation survives diligence. "SOC 2 in progress with documented trajectory" is defensible. "SOC 2 Type II in progressSOC 2 status06.3 SOC 2 Type II Plan · auditor selected, controls in implementation" without the audit report fails diligence at any serious investor or large enterprise procurement review.
-
Type II Privacy + Processing Integrity scope strengthens the AI doctrine + worker-owned Passport claims. SOC 2 Type II is not just a checkbox, it is independent attestation that the network rail's spine (auditable processing + worker-owned data with consent enforcement) works as described.
"Rōvn turns credentialing from a repeated cost into a reusable network asset."
SOC 2 Type II is what lets that compression scale to enterprise procurement. The trajectory is real, sequenced, and honestly represented.