SOC 2 Readiness Framework
HookPilot's path to SOC 2 Type II — Trust Service Criteria, controls and timeline.
1. Goal
HookPilot Caption Studio LLC is preparing for a SOC 2 Type II report against the AICPA Trust Services Criteria of Security, Availability and Confidentiality, with Privacy added in the second year. Processing Integrity is also in scope for the AI Workforce Operating System, given the platform's role in producing agent-generated output.
2. Trust Service Criteria
Security (Common Criteria)
CC1 (control environment) through CC9 (risk mitigation); controls are mapped across all nine Common Criteria categories.
Availability
Tied to the published SLA, capacity planning, and DR exercises.
Confidentiality
Tenant isolation, encryption, access reviews, vendor obligations.
Processing Integrity
AI governance layer, hallucination self-check, veto audit, framework adherence.
Privacy (Year 2)
GDPR / CCPA / CPRA mapping, DSAR fulfilment, sub-processor notifications.
3. Scope of System
The SOC 2 system description includes: hookpilot.co marketing site, the HookPilot AI Workforce Operating System, the AI Music Video render pipeline, Caption Studio generation, the Agent Marketplace, the Agency tier, public APIs, billing, customer support and the HookPilot Internal Security (-HPS) function. Excluded: internal corporate finance systems with no Customer Content.
4. Control Families
- Information security policy + acceptable use (this Legal Center).
- Risk assessment + treatment.
- Asset management + SBOM.
- Access control (RBAC, JIT, quarterly reviews; see Internal Security Access Policy).
- Cryptography (TLS 1.2+, AES-256, key rotation).
- Physical security (delegated to sub-processors under their own attestations).
- Operations security (logging, monitoring, vulnerability management, patching).
- Communications security (network segmentation, edge controls).
- Acquisitions, development & maintenance (SDLC, code review, dependency scanning).
- Vendor management (see Vendor Risk).
- Incident management (see Incident Response).
- Business continuity (RPO/RTO targets, DR drills).
- Compliance (GDPR, CCPA, HIPAA-readiness, applicable AI rules).
5. Evidence Engine
HookPilot operates a continuous-evidence engine that captures control evidence from CI/CD, the access-management system, the vulnerability scanner, the SIEM, the access-review tool, training records, and the IR runbook. Evidence is timestamped, hashed, and replayed for the auditor — no last-minute scrambles.
6. Auditor Track
HookPilot engages a qualified CPA firm for SOC 2 attestation. The auditor is independent of the platform-engineering teams; auditor questions and findings are routed through the AI Governance department for cross-checks against agent-controlled processes.
7. Timeline
- Phase 1 — Readiness. Internal gap analysis; policies and control narratives published (this Legal Center is part of Phase 1).
- Phase 2 — Type I. Point-in-time auditor attestation that controls are designed appropriately.
- Phase 3 — Type II. Auditor attestation that controls operated effectively over a defined observation window.
- Phase 4 — Year 2. Privacy TSC added; continuous-evidence engine fully automated.
8. Customer Access
Active SOC 2 attestation status, the latest auditor report (when issued), and the bridge letter between reports are available to enterprise customers and prospects under NDA — request at security@hookpilot.co.
9. Honesty Clause
HookPilot will not market itself as "SOC 2 certified" before the auditor has issued a report. Until then we describe this program as a readiness framework, share progress under NDA, and welcome auditor-led conversations with prospective Enterprise customers.
10. Contact
Security trust questions: security@hookpilot.co
Enterprise contracting: legal@hookpilot.co