SOC 2 Compliance at PayCal

PayCal's SOC 2 readiness program maps Security Common Criteria (CC1–CC9) to enforced system behavior and continuously generated evidence. Quarterly snapshots publish immutable period findings; this page is the evergreen program overview.

Program Overview

PayCal operates a SOC 2-oriented security program focused on verifiable enforcement and traceable evidence, subject to independent auditor validation. We do not claim SOC 2 certification on these pages.

  • Controls in scope: CC1–CC9 (Security)
  • Evidence model: Deterministic scripts, monthly bundles, test-to-control trace
  • Freshness policy: 35-day audit window for mapped artifacts
  • Current posture: Readiness in progress — see latest quarterly snapshot for period status

Latest Quarterly Snapshot

Q2 2026 Quarterly Snapshot — published , covering April–June 2026.

  • Quarter-end readiness status (Q2): Remediation in progress — 0 controls met the full quarterly lifecycle threshold, 5 require evidence refresh, and 4 require targeted remediation
  • Evidence freshness: 14 fresh, 31 stale (45 artifacts)
  • Test surface: 2,434 PHPUnit tests; 8 of 10 test-control suites passing
  • Key Q2 wins: Auth hardening, protected work-data boundary, CI/CD governance transparency, ledger alerting


Quarterly Snapshot Archive

Each quarterly report is an immutable period document. Metrics and control status statements are frozen at quarter close so readers and auditors can compare periods without losing historical context.

Quarter    Published    Coverage                 Report
Q2 2026                 Apr 1 – Jun 24, 2026     Current quarter
Q1 2026                 Jan 1 – Mar 31, 2026     Archived snapshot

Next review due: (Q3 2026)

How Controls Are Enforced

PayCal treats enforcement as a system property. Controls are programmatically enforced, not just documented.

  • Authentication: Passkey-capable authentication with phishing-resistant flows.
  • Runtime integrity: Continuous drift detection with operational state handling.
  • Output hardening: Guardian sanitization for sensitive DOM/output paths.
  • Quality gate: Automated PHPUnit and static-analysis gates before evidence acceptance.
  • Audit trail: Immutable ledger verification with failure alerting.

Status & Formal Report Access

Status: SOC 2 readiness in progress, with continuous control hardening and deterministic evidence updates.

PayCal does not claim SOC 2 certification or auditor opinion on this page. Formal report access remains NDA-gated.
