Executive Summary
| Item | Status at Q2 close |
|---|---|
| Quarter-end readiness status | Remediation in progress — 0 controls met the full quarterly lifecycle threshold, 5 require evidence refresh, and 4 require targeted remediation. |
| Evidence freshness (35-day window) | 14 fresh, 31 stale, 0 missing (45 mapped artifacts) |
| Test-control trace | 10 suites executed; 8 passed, 2 failed (CC7 operations suite and cross-bundle integrity) |
| Full PHPUnit gate | 2,434 tests, 21,234 assertions, 29 skipped — 1 failure (missing integration test file referenced in control trace) |
| Open control exceptions | 1 (EXC-2026-001, CC7 — DR RTO/RPO policy detail improvements) |
| Attestation status | Readiness in progress — no SOC 2 Type I or Type II auditor opinion claimed |
Q2 2026 marked substantial progress in PayCal's SOC 2 readiness program. PayCal strengthened authentication, passkey security, protected work-data boundaries, account recovery, CI/CD governance, Redis integrity, and operational alerting. Automated test coverage expanded from 1,528 to 2,434 tests, while 8 of 10 test-control suites and 39 of 40 SOC 2 invariant tests passed.
The quarter-end review also identified several clearly defined readiness items. They are concentrated in evidence-refresh cadence, test-to-control trace integrity, production access-event evidence, and disaster-recovery policy detail; they reflect gaps in compliance packaging rather than an absence of security engineering progress. Each gap has an assigned priority, owner area, and target period for remediation.
PayCal remains in the readiness phase and does not claim a SOC 2 Type I or Type II auditor opinion. Publishing these results reflects a commitment to measurable controls, transparent reporting, and continuous improvement.
Methodology
This snapshot follows PayCal's deterministic SOC 2 evidence pipeline:
- Control map validation (`scripts/soc2-validate-control-map.sh`)
- Evidence freshness check against a 35-day threshold (`scripts/soc2-evidence-freshness-check.sh`)
- Per-control lifecycle evaluation (`scripts/soc2-generate-control-status-snapshot.sh`)
- Test-to-control trace export (`scripts/soc2-export-test-control-trace.sh`)
- SOC 2 invariant test group (`composer run test:soc2`)
- Full PHPUnit regression gate
Evidence artifacts live in the private evidence store; this page publishes sanitized outcomes only. Formal auditor packets remain NDA-gated.
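As an added illustration of the freshness check and per-control lifecycle evaluation listed above, and of the trace-integrity failure mode the metrics below report, here is a stand-alone Python version rather than PayCal's own shell scripts. The control-map layout, the status rules (stale beyond 35 days is WARN; a missing artifact, an artifact older than an assumed 90-day ceiling, or a trace reference to a test file that does not exist is FAIL), and every file name and date in the sample are constructed assumptions, not PayCal data:

```python
"""Evidence-freshness and test-trace integrity check over a control map.

Added example, not PayCal's pipeline scripts. The control-map layout, the
WARN/FAIL rules and the sample data below are assumptions chosen to show
the kind of checks the methodology describes.
"""
from datetime import date

FRESH_DAYS = 35    # freshness window used on this page
MAX_AGE_DAYS = 90  # assumed hard ceiling (not stated on the page): older evidence fails the control


def artifact_state(last_updated, today):
    """Classify one evidence artifact as fresh, stale or missing.

    last_updated is an ISO date string or None when no artifact was captured.
    An artifact exactly FRESH_DAYS old still counts as fresh.
    """
    if last_updated is None:
        return "missing"
    age = (today - date.fromisoformat(last_updated)).days
    return "stale" if age > FRESH_DAYS else "fresh"


def evaluate_control(entry, existing_files, today):
    """Return (status, findings) for one control.

    FAIL: an artifact is missing, older than MAX_AGE_DAYS, or the trace
          references a test file that is not present.
    WARN: all evidence present, but at least one artifact is stale.
    PASS: everything fresh and every referenced test file present.
    """
    status, findings = "PASS", []
    for path, last_updated in entry.get("artifacts", {}).items():
        state = artifact_state(last_updated, today)
        if state == "missing":
            status = "FAIL"
            findings.append(f"missing artifact {path}")
        elif state == "stale":
            age = (today - date.fromisoformat(last_updated)).days
            if age > MAX_AGE_DAYS:
                status = "FAIL"
                findings.append(f"{path} is {age} days old (beyond maximum age)")
            else:
                findings.append(f"{path} is {age} days old (stale)")
                if status != "FAIL":
                    status = "WARN"
    # Trace integrity: every test the control claims must actually exist,
    # otherwise the control's evidence cannot be reproduced.
    for test_file in entry.get("tests", []):
        if test_file not in existing_files:
            status = "FAIL"
            findings.append(f"trace references missing test file {test_file}")
    return status, findings


def evaluate_control_map(control_map, existing_files, today):
    """Evaluate every control and roll up the counts a snapshot reports."""
    results, freshness = {}, {"fresh": 0, "stale": 0, "missing": 0}
    for name, entry in control_map.items():
        for last_updated in entry.get("artifacts", {}).values():
            freshness[artifact_state(last_updated, today)] += 1
        results[name] = evaluate_control(entry, existing_files, today)
    statuses = [status for status, _ in results.values()]
    summary = {
        "controls": {s: statuses.count(s) for s in ("PASS", "WARN", "FAIL")},
        "artifacts": freshness,
        "gate": "FAIL" if "FAIL" in statuses else ("WARN" if "WARN" in statuses else "PASS"),
    }
    return results, summary


TODAY = date(2026, 6, 24)  # Q2 close date from the page

# Constructed sample control map; control names follow the CC series, but
# the paths and dates are illustrative only.
SAMPLE_CONTROL_MAP = {
    "CC1": {"artifacts": {"governance/workboard.md": "2026-04-30",
                          "governance/system-description.md": "2026-06-20"},
            "tests": ["tests/Soc2/CC1ControlEnvironmentTest.php"]},
    "CC2": {"artifacts": {"governance/comms-policy.md": None},
            "tests": ["tests/Soc2/CC2CommunicationTest.php"]},
    "CC4": {"artifacts": {"ops/monitoring-runbook.md": "2026-03-01"},
            "tests": ["tests/Soc2/CC4MonitoringTest.php"]},
    "CC7": {"artifacts": {"ops/dr-policy.md": "2026-06-10"},
            "tests": ["tests/Soc2/CC7OperationsTest.php",
                      "tests/Integration/ExampleOperationsIntegrationTest.php"]},
    "CC8": {"artifacts": {"governance/change-policy.md": "2026-06-01"},
            "tests": ["tests/Soc2/CC8ChangeManagementTest.php"]},
}

# Stand-in for a filesystem lookup so the example runs offline; the CC7
# integration test is deliberately absent to reproduce a trace failure.
SAMPLE_EXISTING_FILES = {
    "tests/Soc2/CC1ControlEnvironmentTest.php",
    "tests/Soc2/CC2CommunicationTest.php",
    "tests/Soc2/CC4MonitoringTest.php",
    "tests/Soc2/CC7OperationsTest.php",
    "tests/Soc2/CC8ChangeManagementTest.php",
}


def snapshot():
    """Run the sample evaluation; returns (per-control results, summary)."""
    return evaluate_control_map(SAMPLE_CONTROL_MAP, SAMPLE_EXISTING_FILES, TODAY)


if __name__ == "__main__":
    results, summary = snapshot()
    for name, (status, findings) in results.items():
        print(f"{name}: {status}" + (" | " + "; ".join(findings) if findings else ""))
    print("summary:", summary)
```

The per-artifact and per-test findings are what an evidence tracker should carry forward into the gap table: a WARN tells governance which document to refresh, while a FAIL caused by a missing trace file points engineering at the exact reference to restore or replace.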
Control Status (CC1–CC9)
| Control | Status | Primary finding |
|---|---|---|
| CC1 — Control Environment | WARN | Governance artifacts stale beyond 35-day window (workboard, evidence tracker, system description) |
| CC2 — Communication | WARN | Policy and tracker artifacts stale; automated CC2 communications invariants still pass |
| CC3 — Risk Assessment | WARN | Risk register structural tests pass; supporting policy artifacts need refresh |
| CC4 — Monitoring | FAIL | Stale evidence beyond maximum age threshold; monitoring invariants pass but artifact cadence lapsed |
| CC5 — Control Activities | FAIL | Test-control trace reports suite failure; security invariant tests themselves pass |
| CC6 — Logical Access | FAIL | Runtime access evidence is synthetic-only; no production event capture in review window |
| CC7 — System Operations | FAIL | Missing integration test file in control trace; open DR policy exception EXC-2026-001 |
| CC8 — Change Management | WARN | Change-management invariants pass; supporting governance documents stale |
| CC9 — Vendor Risk | WARN | Vendor risk invariants pass; vendor policy artifacts need quarterly refresh |
Q2 Improvements
- Auth, passkey, and Redis hardening — May 12 internal audit closed 11 findings (transparency article).
- Protected business work-data boundary — Canonical server-side access gate enforced for reads, exports, caches, and audits (transparency article).
- Redis connection index reconciliation — Drift repaired; audit ended at drift=0 (transparency article).
- Account recovery redesign — Readable recovery codes, verification codes, and passkey replacement boundaries (transparency article).
- CI/CD tooling transparency — Local-authoritative gate model documented (transparency article).
- Immutable ledger alerting — Webhook delivery on verification failure (CC4/CC7 operational detect-and-alert path).
- Test surface growth — Full suite expanded from ~1,528 tests at Q1 close to 2,434 tests at Q2 close.
Evidence & Validation Metrics
- Control map validation: PASS
- Evidence freshness: FAIL — 31 of 45 artifacts stale
- Test-control suites passing: 8 of 10 (CC1, CC2, CC3, CC4, CC5, CC6, CC8, CC9)
- Test-control suites failing: CC7 system operations (missing `OrganizationAuditControlTestServiceIntegrationTest.php`), CCX bundle integrity (trace references missing file)
- SOC 2 invariant group: 39 of 40 tests pass; 1 bundle-integrity failure
- Runtime baseline warnings: 0
- Open exceptions: 1 (CC7 DR tabletop follow-up)
Open Gaps & Follow-Up
| Priority | Gap | Owner area | Target |
|---|---|---|---|
| P0 | Restore or replace missing CC7 integration test referenced in control trace | Engineering | Q3 2026 |
| P0 | Refresh stale governance artifacts (workboard, evidence tracker, system description, policies) | Security Governance | July 2026 |
| P1 | Capture production auth-access runtime evidence (CC6 synthetic-only gap) | Operations | Q3 2026 |
| P1 | Close EXC-2026-001 — DR RTO/RPO policy detail improvements from tabletop | Security Governance | Q3 2026 |
| P1 | Resolve Codex Security scan findings (CSRF on moderation, passkey lifecycle, audit endpoint hardening) | Engineering | Q3 2026 |
| P2 | External immutable evidence storage (GCS WORM bucket) — design absorbed, implementation pending | Operations | Q3–Q4 2026 |
Comparison to Q1 2026
| Metric | Q1 close (Apr 15) | Q2 close (Jun 24) |
|---|---|---|
| Overall lifecycle status | Readiness in progress (freshness PASS) | FAIL (freshness and trace gaps) |
| PHPUnit count | 1,528 tests | 2,434 tests |
| Test-control suites | 5 passed | 8 of 10 passed |
| Evidence freshness | All within 35-day window | 31 of 45 artifacts stale |
| Open exceptions | Not published | 1 open (CC7) |
Q2 delivered more engineering assurance and broader test coverage, but governance artifact refresh cadence did not keep pace — a common readiness-program pattern as technical controls outrun compliance operations packaging.
Quarterly Report Series & References
- SOC 2 Program Overview: evergreen program page.
- Q1 2026 Quarterly Snapshot: first quarterly snapshot (frozen April 15, 2026).
- Security Trust Hub: public control summary and security contact path.
- Request SOC 2 Report (NDA): gated access for vendor due diligence.