1. How We Think About Compliance
Procurement teams ask for compliance reports as a proxy for "is this vendor safe to plug in?" We answer that question directly. Where a framework genuinely improves security or genuinely changes a buyer's risk model, we map to it and produce evidence. Where a framework is purely a procurement checkbox, we make the actual controls visible enough that an informed reviewer can answer the underlying question without the badge.
The honest snapshot below shows what we map to today, what we provide on request, and what is explicitly out of scope for now.
2. Framework Posture
| Framework | Posture | Evidence available |
|---|---|---|
| SOC 2 Type II | Not pursuing a formal audit at this time | SlashLogixx provides the underlying control evidence directly: pen test report, trust-center policy set, completed CAIQ-Lite and SIG-Lite questionnaires, DPA, and cyber-insurance certificate. See Section 4. |
| ISO 27001 | Not pursuing a formal certification at this time | Trust-center policies map directly to the Annex A control families relevant to a hosted SaaS. Evidence available on request. |
| HIPAA | Eligible on signed BAA | Customers handling PHI through Spark Cloud or Spark Connect may execute a BAA. Standard template available on request. |
| PCI DSS | Not in scope (no card data stored) | Card data is processed by our payment processor; SlashLogixx systems do not store primary account numbers. PCI scope is constrained to the processor's environment. |
| GDPR / UK GDPR | Operating posture | Privacy policy (including its lawful-bases statement) and DPA template. |
| CCPA / CPRA | Operating posture | Rights-request workflow described in the Privacy policy. Contact privacy@slashlogixx.com. |
| Annual Pen Test | Live | Most recent report available under NDA on request. |
| Cyber Insurance | Live | $1M–$3M policy. Certificate of insurance available on request. |
3. Why No SOC 2 Today
A SOC 2 Type II audit is a structured representation that we are running a designed control set over a defined audit window. It is useful at a certain stage of company maturity and a certain price point. At SlashLogixx's current stage, the audit fee plus annual surveillance is not the most efficient way to give a procurement team confidence in our security posture.
Rather than route money to an auditor, we route it to the controls themselves: a working pen test, a publicly readable policy set, a complete and honest subprocessor list, a cyber-insurance policy, a DPA, and pre-filled industry-standard questionnaires. This package gives most enterprise procurement teams more verifiable information than a SOC 2 cover page, faster, and at a lower implied cost to the buyer.
4. The SOC 2 Equivalent Packet
The following bundle is available to any prospect or customer with a signed mutual NDA in place. We will turn it around within five (5) business days of request:
- Most recent annual penetration test report.
- Completed Consensus Assessment Initiative Questionnaire (CAIQ-Lite).
- Completed Standardized Information Gathering questionnaire (SIG-Lite).
- Trust-center policy set (this site, also delivered as a versioned PDF).
- Subprocessor list with breach-notification commitments.
- Data Processing Addendum / Business Associate Agreement template.
- Certificate of cyber insurance.
- Architecture overview and data-flow diagram.
5. Customer-Side Compliance (Spark Studio & OnPrem)
6. Evidence Requests
To request any document referenced above, or to ask whether a specific control or framework is in scope for your evaluation: security@slashlogixx.com.