1. Overview
PayCal operated a SOC 2-oriented security program focused on verifiable enforcement and traceable evidence, subject to independent auditor validation.
- Controls in scope: CC1-CC9
- Artifacts in current bundle: 37
- Control-to-artifact mappings: 26
- Evidence freshness window: 35 days
- Quarterly posture at close: Readiness in progress; all mapped controls had active evidence links
2. Control Coverage (CC1-CC9)
All SOC 2 Common Criteria controls in scope (CC1 through CC9) were mapped to retained evidence in the monthly bundle.
This mapping supported direct traceability from control objective to concrete artifacts used for review.
3. How Controls Were Enforced
PayCal treated enforcement as a system property. Controls were programmatically enforced, not just documented.
- Authentication: Passkey-capable authentication flow to strengthen phishing resistance.
- Runtime integrity: Runtime integrity monitoring with operational state handling.
- Output hardening: Guardian sanitization controls for sensitive DOM/output paths.
- Quality gate: Automated full-suite PHPUnit gate before bundle evidence was accepted.
4. Change Management & Testing
Change governance was aligned to CC8 with tracked changes, approvals, and test evidence.
- Change records: 12
- Approval records: 10
- Test results: 1,528 tests, 8,351 assertions (pass)
- Test-control trace: 5 suites, 5 passed, 8 linked test files
5. Audit Trail & Evidence Integrity
Administrative and security-relevant runtime events were exported with immutable-ledger validation for integrity checks.
Ledger integrity status at Q1 close: PASS.
6. Continuous Monitoring & Freshness
Evidence exports ran continuously and were validated against a deterministic freshness policy.
Freshness result at Q1 close: all mapped artifacts were within the 35-day audit window.
7. Status at Q1 Close
Status: SOC 2 readiness in progress, with continuous control hardening and deterministic evidence updates.
PayCal did not claim SOC 2 certification or auditor opinion on this page. Formal report access remained NDA-gated.
Quarterly Report Series
- SOC 2 Program Overview: Evergreen program page with links to all quarterly snapshots.
- Q2 2026 Quarterly Snapshot: Second quarterly snapshot (April–June 2026).
- PayCal SOC 2 Summary: Status, metrics, and NDA access for formal report review.