SOC 2 Readiness.
How TurnkeyDoor structures security and operational controls to be audit-ready from pre-launch onward. This is a posture statement, not a SOC 2 certification claim.
TurnkeyDoor (TKD) is not SOC 2 Type II certified. We are pre-launch (October 2026 target), and a hypothetical Type II audit window would not open until Q3 2027, with roughly 14 months of operating evidence behind it.
We make a different commitment: structuring our controls today so that path stays open. Policies dated from launch day, not retrofitted. Time-series evidence captured from the first quarter. Inventory and retention schedules in force before data is collected at scale.
What we map our controls against.
The AICPA's Trust Services Criteria are organized into five categories. TurnkeyDoor maps internal controls against all five today, not only the mandatory Security category.
Security (Common Criteria)
Logical and physical access, system operations, change management, risk mitigation. The mandatory baseline for any SOC 2 report.
Availability
Capacity planning, environmental protections, backup & recovery, recovery testing.
Processing Integrity
Input validation, processing accuracy, output completeness. Relevant where the platform processes financially or legally consequential transactions.
Confidentiality
Identification, classification, retention, and disposal of confidential data.
Privacy
Notice, choice & consent, collection, use & retention, access, disclosure, quality, monitoring & enforcement.
Reference framework: AICPA TSP Section 100, 2017 Trust Services Criteria with Revised Points of Focus (2022); SSAE 18 (AT-C 105 / AT-C 205); AICPA DC 200 (2018).
What we document today, not later.
These ten controls either produce time-series evidence or gate downstream controls. Producing them after launch is technically possible but evidentially weaker, because the evidence trail starts later. We treat them as launch-day prerequisites.
Information Security Policy + Code of Conduct + Roles & Responsibilities
Foundational. Auditors expect these to be in force on day one of the evidence period. Drafting them after launch means every later control inherits a late policy-in-force date.
Quarterly User Access Review
Time-series control. Auditors want at least four quarterly reviews on file. Starting in May 2026 yields five reviews captured by a hypothetical Q3 2027 audit window.
Vendor Management Policy + Vendor Inventory + SOC 2 Report Collection
Vendor SOC 2 reports must cover periods that overlap TKD's evidence window. Some vendors release reports only under an MNDA, so collection takes weeks.
Incident Response Plan + tabletop exercise
Auditors want at least one exercise of the IRP during the window. Drafting the plan and scheduling a tabletop both carry non-trivial lead time.
Backup Restore Test
Time-series. A hypothetical 14-month evidence window requires at least two test runs; starting in May 2026 yields three by audit.
SDLC / Change Management Policy
Every production deploy during the window is in the population auditors sample from. The policy must predate the first sampled change.
Asset Inventory + Data Classification
Gates almost every CC6, C1, and P-series control. Without classified assets you cannot demonstrate that confidential data receives stronger controls than the rest.
Risk Register + Annual Risk Assessment
Time-series. Auditors expect a documented re-assessment cadence; without interim reviews the register looks like it was authored once and forgotten.
Data Retention & Disposal Schedule
The schedule must exist BEFORE data is collected at scale. New Jersey statutes (lease records), the FCRA (tenant screening), and Stripe (payment records) all impose retention minimums.
Privacy Notice + ToS + Sub-processor List + executed DPAs
Public-facing artifacts must predate the first user signup. Some DPAs (Cloudinary, RentPrep, Boom) require negotiation turnaround.
- Public: the TSC framework; the ten controls TKD treats as launch-day commitments; the refresh cadence.
- Internal: the full 99-control inventory (CC1.1 through P8.1) with TKD posture, gap, effort, and owner for each; vendor sub-service attestation collection; auditor shortlist; tooling comparison. Available under MNDA via partnerships@turnkeydoor.com.
- Not asserted: that TKD is SOC 2 Type II certified, in active examination, or under audit. We are pre-launch.
The ten controls above correspond to proposed constitutional amendments (C-NEW-S42-1 through C-NEW-S42-10) tracked in our open repo. They are not auto-locked; locking is a deliberate founder decision tied to demand signals from enterprise buyers after launch.