Compliance Roadmap — 18 Months

Last reviewed: 2026-05-11. Update cadence: Quarterly, plus on any milestone hit or missed. Owner: David McHale (commercial commitments and technical commitments combined; see key-person-succession.md §1).

Audience: Procurement reviewers, enterprise security architects, and contract administrators who want to understand what is in flight and on what timeline.

Purpose: State HailBytes’ compliance roadmap with real dates and named vendors. Where a vendor is not yet selected, the selection is in progress and tracked internally. This document signals operational maturity precisely because it admits what isn’t done yet and commits to dates.


1. Roadmap at a glance

Initiative | Selected vendor or approach | Kickoff | Target completion
---------- | --------------------------- | ------- | -----------------
SOC 2 Type 1 (Security TSC) | Auditor: quotes pending from ecFirst and Sensiba; control documentation: self-prepared in-house | 2026-Q4 | Attestation issued 2027-02-14
SOC 2 Type 2 (Security TSC) | Same auditor | 2027-Q1 (observation window starts on Type 1 issuance) | 2027-Q4 (report issued)
First third-party penetration test | Astra Pentest (getastra.com); selected vendor, engagement not yet booked | 2026-Q4 (booking target) | 2027-Q1 (report)
ISO 27001 evaluation | n/a (not pursuing 2026–2027) | n/a | Re-evaluated 2027-Q2
LGPD encarregado designated (David McHale) | n/a | Designated 2026-Q2 | Public-page publication 2026-Q3
GDPR DPO designated (David McHale) | n/a | Designated 2026-Q2 | Public-page publication 2026-Q3
DPA published at hailbytes.com/legal/dpa | Live | 2026-Q2 | Live as of 2026-05-11
General Liability bound ($1M) | Vouch (application submitted 2026-05-11) | 2026-05-11 (applied) | Target effective 2026-05-15
Tech E&O bound ($1M) | Vouch (same application) | 2026-05-11 (applied) | Target effective 2026-05-15
Cyber Liability bound ($1M) | Vouch (same application) | 2026-05-11 (applied) | Target effective 2026-05-15
SAT container-image signing (Cosign parity with ASM) | n/a | 2026-Q3 | 2026-Q3
BCP/DR first tabletop exercise | Exercise authored (see bcp-dr-tabletop-exercise.md); run with full participant set | 2026-Q3 | 2026-Q3
Subprocessor list (publish DPA URL referenced in §3) | n/a | 2026-Q2 | 2026-Q3
Public Trust Center page at hailbytes.com/trust/ | Built (see hugo-site/content/pages/trust.html) | Built 2026-Q2 | Live on next deploy

2. SOC 2 Type 1

Scope: Security trust services criterion only, for HailBytes ASM and HailBytes SAT.

Why Security TSC only initially: HailBytes does not operate the data plane (see byoc-architecture.md), so Availability, Processing Integrity, Confidentiality, and Privacy TSCs largely map to controls that live in the customer’s tenant, where the customer’s auditor would assess them. Adding additional TSCs to HailBytes’ own scope adds cost without adding evidence relevance for enterprise customers. Reviewed annually with auditor input.

Approach to readiness documentation: self-prepared. HailBytes is preparing all control documentation in-house. The readiness owner has previously run SOC 2 Type 1 and Type 2 cycles in a CISO capacity at prior organizations and is the named encarregado/DPO and Security lead at HailBytes. HailBytes is not currently using a compliance-automation platform (Vanta, Drata, Secureframe); those platforms are useful when in-house compliance capacity is the bottleneck.

Trade-off acknowledged: without a compliance-automation platform, HailBytes does not get the “trust portal” widget those platforms ship. The functional equivalent is the public Trust Center page built at hailbytes.com/trust/ (see hugo-site/content/pages/trust.html) plus this trust package as the document corpus. Procurement reviewers asking specifically for a Vanta or Drata trust portal can be redirected to the public Trust Center.

Auditor short list — quotes pending. Two firms are currently quoting on the Type 1 engagement; selection will follow when both quotes return:

  • ecFirst (US; HIPAA/SOC 2/PCI specialist with a long compliance-audit track record; relevant to David McHale’s prior healthcare-CISO context).
  • Sensiba (US mid-tier with startup-friendly tiers; long-standing AICPA-affiliated CPA firm).

Selection criterion: defensible AICPA-licensed CPA firm credentials, reasonable working time-zone overlap, total fee, and the auditor’s working pattern with self-prepared documentation. Both firms in the short list are US-based; the previously-considered non-US AICPA-affiliated alternative is parked unless both short-list quotes come back materially over budget.

Timeline: kickoff with the selected auditor is targeted for end-of-year 2026 (2026-Q4). Attestation issuance is targeted for 2027-02-14. Roughly three months from kickoff to issued report is achievable on the self-prepared documentation track given the readiness owner’s prior SOC 2 cycle experience.

3. SOC 2 Type 2

Begins observation immediately after Type 1 issuance (2027-Q1). The Type 2 observation window covers a minimum of 6 months; HailBytes targets a 9-month observation. Target Type 2 report issuance: 2027-Q4.

Same auditor as Type 1 (continuity reduces fee and onboarding overhead).

4. ISO 27001

Status: not pursuing in the 2026–2027 window.

Rationale: For an English-speaking US/EU customer base, SOC 2 is the more frequently requested attestation. HailBytes’ resourcing is better spent achieving SOC 2 Type 2 before opening a second framework. ISO 27001 will be re-evaluated in 2027-Q2 with attention to whether enterprise EU customers are gated on it.

5. Penetration testing

Selected vendor: Astra Pentest (getastra.com).

Rationale: CREST-certified; hybrid automated plus manual VAPT; publicly verifiable certificate; reports map to SOC 2, ISO 27001, GDPR and PCI-DSS. ASM and SAT are engaged as two separate targets. The publicly verifiable certificate is useful for the public Trust Center at hailbytes.com/trust/.

Timeline: engagement to be booked in 2026-Q4; first report targeted for 2027-Q1. Annual cadence thereafter, with each year’s report referenced from the Trust Center and attached to this trust package.

Future-engagement considerations: for a 2027 or 2028 cycle once the SOC 2 attestations are in hand, HailBytes may add a boutique-firm engagement on a 2-year cadence alongside the annual Astra cycle for additional rigor. Decision deferred until 2027-Q4 budget cycle.

6. Insurance

See insurance-coverage.md for the working detail. Summary commitments here:

  • Tech E&O ($1M minimal baseline) bound by 2026-Q3.
  • Cyber Liability ($1M minimal baseline) bound by 2026-Q3.
  • Per-customer endorsement available where procurement floors require higher limits.
  • Primary broker: Vouch (application submitted 2026-05-11); Coalition and Embroker on standby.

7. LGPD and GDPR readiness

See lgpd-compliance.md for the working detail. Summary commitments here:

  • LGPD encarregado: David McHale (designated; dpo@hailbytes.com alias to be activated alongside public-page publication 2026-Q3).
  • GDPR DPO: David McHale (same appointee, designated 2026-Q2, public-page publication 2026-Q3).
  • DPA published at hailbytes.com/legal/dpa by 2026-Q3, with LGPD and GDPR schedules.

8. Per-release supply-chain hardening

See security-evidence-package.md. Commitments for the roadmap window:

  • SAT image signing parity with ASM (Cosign keyless via GitHub OIDC): 2026-Q3.
  • Expand the customer-side cosign verify documentation, positioning the verification gate as the primary supply-chain detection control. The Sigstore Rekor transparency log remains available as a public forensic resource for post-incident queries, but HailBytes does not commit to building proactive Rekor reconciliation. Ongoing.
  • Formal SLSA Level 2 declaration: 2026-Q4.
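As an added example, not HailBytes' own tooling or documentation: a fail-closed customer-side verification gate of the kind the commitments above describe, for an image signed keyless from GitHub Actions. The image reference, the org/repo and the signing-workflow identity pattern are constructed placeholders; the real issuer and identity regexp come from the vendor's published verification instructions. It goes one step further than the bullets by also refusing tag-only image references.

```shell
#!/usr/bin/env sh
# Added example, not HailBytes' own tooling: a fail-closed customer-side gate
# for a Cosign keyless-signed image (GitHub Actions OIDC issuer).
# The image name and the signing-workflow identity regexp are constructed
# placeholders; the real values come from the vendor's verification docs.

OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Placeholder identity of the release workflow that is expected to sign.
SIGNER_IDENTITY_RE='^https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'

# Gate 1: accept only digest-pinned references. A tag can be re-pointed after
# verification, so "verify the tag, deploy the tag" is not a gate.
require_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Gate 2: verify the signature against the expected issuer and signer identity.
# Returns 0 only when cosign is present and verification succeeds; any other
# condition (tag-only ref, missing cosign, bad signature) fails closed.
verify_image() {
  ref="$1"
  if ! require_digest_ref "$ref"; then
    echo "refusing tag-only reference: $ref" >&2
    return 2
  fi
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign not installed; failing closed" >&2
    return 3
  fi
  cosign verify \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$SIGNER_IDENTITY_RE" \
    "$ref" >/dev/null
}

# Usage in a deploy script (placeholder image; uncomment to run):
# verify_image "ghcr.io/example-org/sat@sha256:<digest>" \
#   && docker pull "ghcr.io/example-org/sat@sha256:<digest>"
```

Because the gate pins by digest, the same digest that passed verification is the one pulled and run.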

9. Hiring milestones that reduce key-person concentration

See key-person-succession.md §1. Current concentration: David McHale holds three of four primary roles, with John Shedd (commercial successor) and Boden McHale (technical successor) as the designated backups. Hiring commitments:

  • Dedicated Security lead (separated from CTO function) by 2027-Q2.
  • Additional engineering capacity (separated from contractor relationship) by 2027-Q1.
  • Dedicated customer-support primary by 2026-Q4.

10. What changes between this document and the next quarterly update

Each quarterly update reviews:

  • Did the dated commitments in §2 through §9 land on schedule? If not, name the new date and the reason.
  • Are there new commitments to add (new vendor selections, new attestation paths)?
  • Are there commitments to remove (re-scoped initiatives, deferred ISO 27001 evaluation, etc.)?

Cross-references: caiq-lite.md for the control-by-control mapping where “Partial” answers point to this document; byoc-architecture.md for the scoping argument behind §2 and §4; insurance-coverage.md for §6 detail; key-person succession plan for §9 detail (available on request to security@hailbytes.com); bcp-dr-tabletop-exercise.md for the §1 tabletop entry.