Compliance Roadmap
Projan is on a structured path toward SOC 2 Type II and ISO 27001 certification. This page provides full transparency on our current compliance posture, what we've already implemented, and what's coming next.
SOC 2 Type II: In Progress
ISO 27001: In Progress
What's Already in Place
Projan's technical security controls are mature. The primary gaps are in governance documentation and formal processes - not in the underlying implementation.
- Encryption — AES-256-GCM at rest, TLS 1.2+ in transit
- Authentication & RBAC — Managed identity provider, secure API key storage, role-based access
- Infrastructure Isolation — Ephemeral compute, private network subnets, no remote shell access
- Data Residency — All data in London, UK (the AWS and MongoDB Atlas London regions; note that the UK is outside the EU, which matters if your procurement requires EU-only hosting)
- GDPR Compliance — Privacy policy, data retention, right to erasure
- PCI DSS — Fully delegated to Stripe, no card data on our servers
- Automated Backups — Daily backups, 7-day point-in-time recovery
- CI/CD Security — PR reviews, automated tests, dependency scanning
SOC 2 Control Coverage
Progress across the SOC 2 Trust Services Criteria. Controls marked Documented are covered in our public security documentation. In Progress means the technical implementation exists but the formal policy documentation is being finalised. Planned controls have not yet been implemented or documented.
| Category | Documented | In Progress | Planned |
|---|---|---|---|
| CC1: Control Environment | 0 | 0 | 5 |
| CC2: Communication & Information | 0 | 1 | 2 |
| CC3: Risk Assessment | 0 | 0 | 4 |
| CC4: Monitoring Activities | 0 | 1 | 1 |
| CC5: Control Activities | 1 | 1 | 1 |
| CC6: Logical & Physical Access | 5 | 2 | 0 |
| CC7: System Operations | 0 | 5 | 0 |
| CC8: Change Management | 0 | 0 | 1 |
| CC9: Risk Mitigation | 0 | 2 | 0 |
| Privacy Criteria (P1-P8) | 6 | 1 | 1 |
| Total (40 controls) | 12 | 13 | 15 |
ISO 27001 Control Coverage
Progress against ISO 27001 Annex A controls. The categories below follow the ISO 27001:2013 Annex A numbering (A.5 to A.18); the 2022 revision regroups the same controls into four themes (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological), and the mapping will be updated when our Statement of Applicability is finalised against the 2022 edition.
| Category | Documented | In Progress | Planned |
|---|---|---|---|
| A.5: Security Policies | 0 | 1 | 0 |
| A.6: Organisation of Security | 0 | 0 | 2 |
| A.7: HR Security | 0 | 0 | 3 |
| A.8: Asset Management | 0 | 3 | 0 |
| A.9: Access Control | 4 | 0 | 0 |
| A.10: Cryptography | 1 | 0 | 0 |
| A.11: Physical Security | 0 | 1 | 1 |
| A.12: Operations Security | 1 | 4 | 1 |
| A.13: Communications Security | 2 | 0 | 0 |
| A.14: System Development | 0 | 0 | 3 |
| A.15: Supplier Relationships | 0 | 1 | 1 |
| A.16: Incident Management | 0 | 1 | 0 |
| A.17: Business Continuity | 0 | 1 | 1 |
| A.18: Compliance | 1 | 0 | 1 |
| Total (34 controls) | 9 | 12 | 13 |
Certification Timeline
Our four-phase roadmap toward audit readiness, followed by formal certification engagements.
Foundation
Core governance framework: ISMS policy, risk assessment, incident response plan, change management, and governance structure.
Operations
Operational control documentation: monitoring, vulnerability management, access controls, secure SDLC, and business continuity planning.
Supply Chain & Assets
Vendor risk management, asset inventory, information classification, HR security framework, and endpoint security policies.
Testing & Audit Prep
External penetration testing, disaster recovery exercises, internal self-assessment, and remaining policy refinements.
Audit & Certification
Vendor Compliance Status
Our critical infrastructure providers maintain their own certifications.
| Vendor | Role | SOC 2 | ISO 27001 | Data Location |
|---|---|---|---|---|
| AWS | Infrastructure, authentication | Yes | Yes | EU (London) |
| MongoDB Atlas | Database | Yes | Yes | EU (London) |
| Stripe | Payments | Yes | Yes | US/EU |
| OpenRouter | AI Inference | No | No | US (transient only) |
| Resend | | No | No | US |
Note on OpenRouter: Conversation content is processed transiently and not stored by the provider. We maintain a contractual DPA and review alternatives quarterly.
Enterprise Acceleration
We understand that enterprise procurement timelines and compliance requirements don't always align with our roadmap. If your organisation needs specific certifications or documentation on an accelerated timeline, we want to work with you.
What we can provide today:
- Detailed security questionnaire responses (SIG Lite, CAIQ, custom)
- Architecture and data flow diagrams
- Encryption and access control documentation
- Sub-processor and data processing agreements (DPA)
- Penetration test reports (available from Q3 2026)
- Priority certification: Enterprise commitments can accelerate our audit timeline - if SOC 2 Type II is a blocker for your procurement, let us know and we'll prioritise accordingly.
- Custom DPAs: We can execute data processing agreements tailored to your jurisdiction and requirements.
- Security reviews: We welcome third-party security assessments and can provide access to our security team for technical deep-dives.
- Compliance bridging: We can provide interim letters of attestation covering our current controls while formal certification is underway.
To discuss your compliance requirements, contact us at security@projan.ai.
This roadmap is reviewed quarterly. Last reviewed: May 2026.