
Inside our 2026 SOC 2 Type II audit

What changed, what we found, and the controls we added because of it.

Tomás Vega, Head of Security | Apr 18, 2026 | 8 min read

Every year, an outside firm spends a few weeks pretending to attack us. They don't actually break things — they read our logs, ask us to produce evidence for controls we claim to have, and write a report at the end. That report is our SOC 2 Type II.

The 2026 audit closed last month. We passed cleanly, but the interesting part isn't the result. It's the three things we changed mid-audit because the auditor noticed before we did.

What the auditor found

  • Stale break-glass accounts. We had four root credentials sitting in cold storage that hadn't been rotated since 2024. Policy said annually. Reality said no.
  • Inconsistent log retention. Our application logs were retained for 13 months. Our network logs for 24. Our auditor pointed out that an investigation sourced from a network event would dead-end at the 13-month wall.
  • Vendor review backlog. We have 47 sub-processors. We were reviewing them on the calendar dates we wrote down — but we'd missed three because the calendar invites had been sent to a person who left the company.

The pattern across all three findings was the same: a control that was perfectly defined on paper, but had a single point of failure in execution.

What we changed

We rebuilt all three on top of automation that doesn't depend on a human remembering to do something.

Break-glass credentials now expire automatically every 90 days. The expiration generates a ticket in our ops queue. If nobody picks it up in seven days, the system pages whoever's on call. Log retention is now uniform — 24 months, application and network. Vendor reviews are tracked in the same system that owns the contracts, so leaving the company can't sever the link.
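As an added illustration (not the post's or the company's own tooling), the following Python sketch expresses the three rebuilt controls as checks a scheduler could run daily: credential age against the 90-day expiry, escalation of an unassigned expiry ticket after seven days, and log sources whose retention has drifted from the uniform 24 months. It also flags a vendor review whose owner is no longer an active employee, which generalizes the "calendar invite sent to a leaver" failure into a check rather than a process change; that check, and all credential names, dates and vendors below, are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Parameters taken from the post's description of the rebuilt controls.
ROTATION_DAYS = 90        # break-glass credentials expire every 90 days
ESCALATE_AFTER_DAYS = 7   # an unpicked expiry ticket pages on-call after seven days
RETENTION_MONTHS = 24     # uniform retention for application and network logs


@dataclass
class BreakGlassCred:
    name: str
    last_rotated: date
    ticket_opened: Optional[date] = None  # set when the expiry ticket was created
    ticket_assigned: bool = False         # True once someone has picked the ticket up


@dataclass
class LogSource:
    name: str
    retention_months: int


@dataclass
class VendorReview:
    vendor: str
    owner: str           # person responsible for the review
    next_review: date


def evaluate_credential(cred: BreakGlassCred, today: date) -> str:
    """Decide what the control does for one credential today.

    Returns one of: 'ok', 'open_ticket', 'page_oncall', 'ticket_pending'.
    """
    age_days = (today - cred.last_rotated).days
    if age_days < ROTATION_DAYS:
        return "ok"
    if cred.ticket_opened is None:
        return "open_ticket"            # expired and nobody has been asked yet
    if cred.ticket_assigned:
        return "ticket_pending"         # a human owns it; let them finish
    if (today - cred.ticket_opened).days >= ESCALATE_AFTER_DAYS:
        return "page_oncall"            # ticket ignored for a week: escalate
    return "ticket_pending"


def retention_drift(sources: list) -> list:
    """Names of log sources whose retention differs from the uniform policy."""
    return [s.name for s in sources if s.retention_months != RETENTION_MONTHS]


def orphaned_or_overdue_reviews(reviews: list, active_staff: set, today: date) -> dict:
    """Vendor reviews that cannot be trusted to happen on their own.

    'orphaned': owner is not an active employee (the failure mode in the post).
    'overdue': the scheduled review date has already passed.
    """
    result = {"orphaned": [], "overdue": []}
    for r in reviews:
        if r.owner not in active_staff:
            result["orphaned"].append(r.vendor)
        if r.next_review < today:
            result["overdue"].append(r.vendor)
    return result


# Constructed sample inventory; none of these are real systems or people.
TODAY = date(2026, 4, 18)
SAMPLE_CREDS = [
    BreakGlassCred("root-prod-a", last_rotated=date(2026, 3, 1)),   # 48 days old
    BreakGlassCred("root-prod-b", last_rotated=date(2024, 11, 2)),  # stale, no ticket yet
    BreakGlassCred("root-dr-c", last_rotated=date(2025, 12, 1),
                   ticket_opened=date(2026, 4, 8)),                  # unassigned 10 days
    BreakGlassCred("root-dr-d", last_rotated=date(2025, 12, 1),
                   ticket_opened=date(2026, 4, 15)),                 # unassigned 3 days
]
SAMPLE_SOURCES = [LogSource("application", 13), LogSource("network", 24)]
SAMPLE_REVIEWS = [
    VendorReview("vendor-x", owner="alice", next_review=date(2026, 6, 1)),
    VendorReview("vendor-y", owner="bob", next_review=date(2026, 2, 1)),   # bob has left
]
ACTIVE_STAFF = {"alice", "carol"}


def run_controls(today: date = TODAY) -> dict:
    """One scheduler pass over the sample inventory; returns every action to take."""
    return {
        "credentials": {c.name: evaluate_credential(c, today) for c in SAMPLE_CREDS},
        "retention_drift": retention_drift(SAMPLE_SOURCES),
        "vendor_reviews": orphaned_or_overdue_reviews(SAMPLE_REVIEWS, ACTIVE_STAFF, today),
    }


if __name__ == "__main__":
    for section, findings in run_controls().items():
        print(section, findings)
```

The design point is that every check ends in an action the system takes itself (open a ticket, page someone, report drift); a finding that only lands in a spreadsheet reintroduces the single human point of failure the audit surfaced.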

What we'd do differently

If you're going through your first SOC 2: don't write controls that say "annually." Write controls that say "every N days," and build the system so it tells you when that didn't happen. The auditors don't care that you intended to. They care whether you did.

The full report is available under NDA — request it through your account team or sales.

Written by Tomás Vega, Head of Security

Former blue-team lead at a Fortune 100. Owns SOC 2, ISO 27001, and the disciplined art of saying no.
