Feature: SOC 2 Type 2 Compliance
Overview
SOC 2 Type 2 is the discipline of operating real security controls and producing auditor-tested evidence over a sustained window (typically 6 to 12 months). Type 2 differs from Type 1 in that it tests operation rather than design alone, which is what makes it the meaningful credential for enterprise procurement. Nova's SOC 2 program is currently in progress, with controls operating and evidence accumulating toward the first Type 2 audit window.
- Operating effectiveness over a window. The auditor tests that controls actually run, not just that they exist on paper. Evidence accumulates over months.
- Trust Service Criteria covered. Security at minimum; Availability and Confidentiality typically added for B2B SaaS. Each TSC carries its own controls and evidence requirements.
- Annual renewal cadence. Continuous compliance posture rather than a one-time achievement. Each renewal tightens the posture.
- Customer evidence under NDA. Report shareable via the Trust Center to qualified prospects. Procurement gets the artefact it actually needs.
The approach
Real technical controls first, continuous evidence collection, an annual audit with a stable auditor, customer-shareable reporting, and per-control documentation. The discipline is treating compliance as an output of good operations rather than as a parallel project that only matters in audit windows.
- Real technical controls. Encryption at rest and in transit, access logs, MFA on every console, vulnerability management. Real protection that the audit happens to confirm.
- Continuous evidence platform. Drata, Vanta, or equivalent captures evidence year-round. Audit burden drops from months to weeks.
- Stable annual auditor. Same firm year-over-year. Continuity reduces re-explanation cost on every renewal.
- Customer-shareable report plus per-control documentation. Trust Center distributes the report under NDA; per-control implementation notes support both audit and operations.
Why this compounds
Each renewal tightens the posture and adds another year of operating evidence. The team's compliance muscle grows from "panic before audit" to "evidence collected as we ship," and customer trust grows with each annual report. By year three the program runs as a normal operational rhythm.
- Customer trust. Type 2 evidence is the credential enterprise procurement asks for. Sales conversations get unblocked.
- Real security posture. Sustained controls reduce real risk, not just audit findings. Protection that holds up under contact.
- Operational maturity. Continuous evidence shapes engineering discipline. Compliance becomes an output of how the team already works.
- Year-one investment, year-two habit. First audit is investment-heavy; subsequent renewals are routine.