Custom Capital Security
Security & Compliance

SOC 2 Type 1
From Day One

Security controls built into the architecture, not bolted on after the fact. Audited before production deployment.

Section A

Why SOC 2 From Day One

Strategic value, data sensitivity, and why Custom Capital carries its own certification.

Most off-the-shelf SaaS platforms carry their own SOC 2 report, but that report covers the vendor's service, not how Custom Capital configures and uses it. A vendor cannot produce a SOC 2 report covering how Custom Capital processes investor data, manages access, or responds to incidents; every vendor report assumes the customer handles those itself (the "complementary user entity controls" section of the report). A custom-built platform with its own SOC 2 controls means Custom Capital owns its compliance story rather than inheriting a vendor's.

Sensitive Data in Scope

Personal Financial Statements

Net worth, assets, liabilities, income — the most sensitive financial profile an investor can share.

Tax Returns & K-1s

Federal tax returns, Schedule K-1 documents, and supporting schedules containing Social Security numbers and financial details.

Bank & Brokerage Statements

Account balances, transaction history, and institution details across multiple financial accounts.

Identity Documents

Government-issued IDs, driver's licenses, and other identity verification documents.

Vendor Certification vs. Own Certification

Other Platforms

Relying on Vendor's SOC 2

  • Covers the vendor's own service: its infrastructure, network, and physical security
  • Does not cover how Custom Capital handles investor data within that service
  • Does not cover Custom Capital's access control configuration
  • Does not cover Custom Capital's incident response procedures
  • Cannot be presented as Custom Capital's own compliance evidence
Custom Capital

Own SOC 2 Type 1 Report

  • Covers how the application processes investor data
  • Verifies access control at the application level
  • Confirms audit logging and monitoring controls
  • Documents incident response and change management
  • Shareable with investors, lenders, and partners as proof

Section B

Type 1 vs. Type 2

Two types of SOC 2 report (SOC 2 is an auditor's attestation, not a certification in the ISO sense) and why we start with Type 1.

Type 1

Design & Implementation (Target)

Confirms that security controls are properly designed and in place at a specific point in time. An auditor examines the system, reviews the control design, and issues a report.

Achievable within the project timeline

Type 2

Operating Effectiveness (Phase 2)

Confirms that those same controls have been operating effectively over a sustained period (typically 3–12 months). Requires evidence of consistent operation collected throughout the observation window.

Begins after the Type 1 report; planned here with a 3–6 month observation window of operational evidence

The Path

Type 1 first, then Type 2. Type 1 is the gate to production deployment. Type 2 follows as the platform operates and evidence accumulates over time.

Section C

Security Architecture

Five layers of security controls built into the platform from day one.

Section D

Compliance Timeline

SOC 2 controls are built in parallel with product development — not as a separate workstream after the fact.

Month 1–2

Controls Design

Security foundations in place — encryption, access control, and audit logging designed and implemented alongside core product architecture.

Month 2–4

Controls Implementation

Authentication, session management, and API security hardened. Compliance automation platform connected for continuous evidence collection.

Month 4–5

Pre-Audit Preparation

Internal readiness assessment complete. Policy documentation finalized. Third-party penetration test conducted and findings remediated.

Month 5–6

Type 1 Audit

SOC 2 auditor engaged. Control design and implementation examined. Type 1 report issued. Production deployment follows issuance of the report.

Production deployment is gated on successful Type 1 certification.

Custom Capital can present a certified, audited platform from the first day investors interact with it.

Section E

Security Deliverables

Tangible outputs from the security and compliance workstream.

1. Security Policies & Procedures

Comprehensive documentation covering access control, data handling, incident response, change management, and vendor management policies.

2. Compliance Automation Platform

Vanta or Drata integration for continuous monitoring, automated evidence collection, and real-time compliance posture visibility.

3. Penetration Test Report

Third-party penetration test covering the web portal, mobile app, and API surface. Findings remediated before audit.

4. SOC 2 Type 1 Report

Formal auditor report confirming that security controls are properly designed and implemented. Shareable with investors, lenders, and partners.

5. Audit-Ready Architecture

Every technical control (encryption, RBAC, audit logging, MFA) built into the platform from day one — not bolted on after the fact.

Explicitly Not in Scope

  • SOC 2 Type 2 report (requires a 3–6 month observation window of operational evidence after the Type 1 report)
  • HIPAA compliance (the platform handles no protected health information)
  • PCI DSS compliance (the platform does not store, process, or transmit cardholder data)
  • ISO 27001 certification (can be pursued later as a complementary framework)