Rakenne is built for organizations that care deeply about security and compliance. This page explains where we are today, where we are headed with SOC 2 and ISO/IEC 27001, and how we use Rakenne itself to operate our information security management system (ISMS).
Current Status
Rakenne is an early-stage, security-focused SaaS platform. We are:
- Operating a lean but coherent ISMS aligned with ISO/IEC 27001:2022.
- Designing and running controls that map to SOC 2 Trust Services Criteria for Security and Availability.
- Relying on cloud and identity providers with established SOC 2 and ISO 27001 certifications for infrastructure and core services.
We are not yet SOC 2 or ISO 27001 certified, but our control set and documentation are designed so that formal certification is a natural next step rather than a disruptive project.
Roadmap: SOC 2 & ISO/IEC 27001
We prioritize certifications that matter most to our customers — SMBs in North America, Brazil, and Europe who handle regulated and high-stakes documents.
Near term (0–6 months)
- Maintain and refine our ISO 27001–aligned ISMS scope, risk register, and Statement of Applicability.
- Run regular access reviews, vulnerability management, backup/restore tests, and vendor assessments.
- Perform internal readiness reviews using our own SOC 2 and ISO 27001 skills.
Medium term (6–12+ months)
- Engage with an audit firm to:
  - Conduct a SOC 2 Type I or readiness assessment, validating the design of our controls.
  - Plan a path to SOC 2 Type II over a defined audit period.
- Prepare for ISO/IEC 27001 certification with a combined or coordinated audit approach where practical.
- Collect and organize control evidence over a full operating period to support a Type II report and ISO 27001 certification.
We will update this page as milestones are reached (for example, when we complete a readiness assessment, receive a SOC 2 report, or obtain ISO 27001 certification).
How We Use Rakenne Internally
We use Rakenne itself to design, document, and review our security and compliance program — the same way our customers use it for their own organizations.
Examples of internal artifacts we generate with Rakenne skills:
- ISO 27001 skills
  - ISMS scope statements for the Rakenne platform.
  - Risk assessments and treatment plans (iso27001-risk-assessment).
  - Statement of Applicability (iso27001-soa), including justifications for implemented and non-applicable controls.
  - Management review and internal audit reports.
- SOC 2 skills
  - Organization profile and system description for the Rakenne platform.
  - SOC 2 risk assessments mapped to Trust Services Criteria.
  - Control narratives, policy drafts, and testing plans for our own controls.
By using Rakenne internally, we:
- Ensure our documentation is structured, consistent, and audit-ready.
- Continuously validate that skills and workflows are realistic for real-world SOC 2 and ISO 27001 use cases.
- Shorten the time between control changes and updated documentation.
Shared Certifications & Vendor Reliance
Many of the foundational security and compliance guarantees for Rakenne come from our key infrastructure and identity providers. These providers maintain their own certifications (including SOC 2 and ISO 27001) and provide the building blocks on which we add our own controls.
For a detailed breakdown of which certifications our providers hold and how responsibilities are divided, see our Shared Responsibility Matrix. For subprocessors, their roles, and locations, visit our Subprocessors & Data Processing Overview.
Staying Up to Date
We treat this page as the canonical source for our security and compliance roadmap. When we:
- Complete a SOC 2 or ISO 27001 audit,
- Significantly change our ISMS scope or control set, or
- Add or remove key vendors that affect your risk profile,
we will:
- Update this page to describe the change, and
- Where appropriate, notify affected customers through in-app messages or email.
If you need more detail about our controls, audit plans, or supporting documentation for a security review, contact us at privacy@rakenne.app.