Last updated · April 2026
SOC 2 Type II

Our trust posture, in detail.

We are mid-audit. Below is the scope, the controls mapped, the audit firm engaged, and the timeline to certification. Anything else, ask us directly.

Status · In Progress · Expected Q3 2026

Scope of audit

The audit covers all production systems that process or store client data, including the marketing attribution platform, the staffing operations console, and every internal tool we ship to clients.

Specifically in scope: production application servers, the data warehouse, identity and access management, change-management workflows, vendor-management procedures, and the on-call incident response process. Out of scope: corporate marketing properties (this site), recruiting databases, and the financial back office, which are handled under separate controls.

The audit period covers a continuous 12-month operating window. Type II means controls are tested for design and for operating effectiveness over time, not just at a point in time.

Controls mapped

Three Trust Services Criteria apply: Security, Availability, and Confidentiality. Privacy and Processing Integrity are deferred to a future audit cycle once two more enterprise client requirements come into scope.

  • SecurityLogical access controls, encryption at rest and in transit, least-privilege role design, MFA enforced on every production surface.
  • AvailabilityMulti-zone deployment, documented RTO and RPO, quarterly disaster-recovery tabletop, monitored uptime targets.
  • ConfidentialityData classification policy, NDA-first vendor onboarding, segregation of client tenancies, audit logging on all confidential data access.

Audit firm and methodology

We engaged a regionally recognized AICPA-licensed firm with a portfolio focused on growth-stage operators. The name is shared on request, under NDA.

Methodology follows AICPA SSAE 18. Evidence collection runs continuously through the audit period, not in a single end-of-period sweep. Sample testing covers control populations of every size, with stratified sampling for higher-frequency controls.

Quarterly readiness checkpoints are held with the auditor. Findings, if any, are remediated inside the same audit period whenever feasible.

Readiness letter

A formal readiness letter, on auditor letterhead, is available to enterprise prospects under NDA. The letter confirms scope, the period of testing, the criteria covered, and the expected report-issuance window.

The readiness letter is the document your security review team needs while the final report is in motion.

Request via the link at the bottom of this page. Turnaround is 48 hours from NDA execution.

Timeline to certification

Final report issuance is expected in the third quarter of 2026.

  • Q4 2025Scoping, gap analysis, control design hardening, vendor selection.
  • Q1 2026Audit period begins. Continuous evidence collection.
  • Q2 2026Mid-period readiness review. Auditor checkpoint.
  • Q3 2026Audit period closes. Final report issuance expected.

What changes for clients on certification

Most controls are already in production. The audit confirms what is already operating; it does not introduce changes to client workflows.

What does change: enterprise security reviews shorten substantially. Most procurement teams will accept the SOC 2 Type II report in lieu of a custom security questionnaire, removing two to four weeks from the procurement cycle for new engagements.

Existing clients receive the final report at no additional cost. New engagements signed before issuance are amended to reference the report once available.

Questions and contact

Questions on scope, methodology, or report distribution should go to the trust team directly.

Email trust@famaash.com or use the contact form. Responses are returned within one business day.

Want the readiness letter?

Available NDA-first.

Request the readiness letter