perathos

// audit readiness

A realistic path from startup controls to future SOC readiness.

Perathos does not claim formal audit certification today. This roadmap shows the defensive controls, evidence, and operating cadence required before a formal SOC engagement makes sense.

pt-br

A realistic path from startup controls to future SOC readiness.

Perathos does not claim formal audit certification today. This roadmap shows the defensive controls, evidence, and operating cadence required before a formal SOC makes sense.

Critical

  • Prove tenant isolation with middleware, tests, and audit logs.
  • Enforce API key hashing, expiration, revocation, scopes, and last-used tracking.
  • Make secrets write-only after creation with rotation and deletion events.
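One way to implement the API-key control in this list, as an added example that is not Perathos code; the class names, the "<key_id>.<secret>" token format and the reason codes are assumptions, and the tenant check shows how a key stays bound to a single workspace:

```python
# Added example (not Perathos code): a minimal API-key store enforcing the controls
# above: hash-only storage, expiry, revocation by id, scopes, last-used tracking.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class ApiKeyRecord:
    workspace_id: str               # tenant the key is bound to
    key_hash: str                   # sha256(secret); the plaintext is never stored
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False
    last_used_at: "datetime | None" = None

class ApiKeyStore:
    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}   # keyed by public key id

    def issue(self, workspace_id: str, scopes, expires_at: datetime) -> str:
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._records[key_id] = ApiKeyRecord(workspace_id, _digest(secret), frozenset(scopes), expires_at)
        return f"{key_id}.{secret}"   # shown to the caller once; token format is an assumption

    def revoke(self, key_id: str) -> None:
        self._records[key_id].revoked = True      # by public id: no plaintext needed

    def authorize(self, token: str, workspace_id: str, scope: str, now=None) -> str:
        """Return "ok" or a reason code for the audit log; last_used_at changes only on success."""
        now = now or datetime.now(timezone.utc)
        key_id, _, secret = token.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not hmac.compare_digest(rec.key_hash, _digest(secret)):
            return "invalid_key"
        if rec.revoked:
            return "revoked"
        if now >= rec.expires_at:
            return "expired"
        if rec.workspace_id != workspace_id:
            return "tenant_mismatch"              # key is bound to one workspace
        if scope not in rec.scopes:
            return "insufficient_scope"
        rec.last_used_at = now
        return "ok"
```

Each reason code is meant to be written to the audit log alongside the key id, which gives the evidence trail the roadmap asks for without ever logging the secret.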

High

  • Operationalize data retention and deletion requests.
  • Stabilize audit event schema for admin, API key, secret, job, and run events.
  • Add API abuse controls with workspace and API-key rate limits.

Medium

  • Collect founder-led operating evidence monthly.
  • Add AI governance evidence to pull requests and runtime logs.
  • Run quarterly incident and restore exercises.

implementation pack

Internal implementation documents

These are repository documents for engineering and founder operations. They are not certifications and should be shared externally only when appropriate.

Scorecard

docs/audit-readiness/scorecard.md

48-hour fixes

docs/audit-readiness/48-hour-fixes.md

Identity/access implementation

docs/audit-readiness/identity-access-implementation.md

Application security implementation

docs/audit-readiness/application-security-implementation.md

AWS baseline

docs/audit-readiness/aws-baseline.md

Procurement answers

docs/audit-readiness/procurement-answer-pack.md

procurement language

Current SOC answer

Perathos does not currently hold a SOC 1 or SOC 2 report. We are operating a lean security program and building the evidence base needed for future formal audit readiness. For pilots, we provide compensating evidence such as architecture summary, product control walkthrough, access model, incident response summary, subprocessors list, and security questionnaire answers.