Current status
| Item | Status |
|---|---|
| Statement of Applicability (Annex A) | Draft (sequenced after SOC 2 Type I) |
| ISMS scope definition | In progress |
| Risk assessment + treatment plan | Drafted |
| Internal audit | Not yet scheduled |
| External certification body | Not yet engaged |
Adjacencies
- The SOC 2 page covers Trust Services Criteria evidence collection. Most of those artifacts feed both certifications.
- HIPAA / GDPR / state-privacy compliance (data minimisation, breach notification, data-subject rights) is handled in the contract layer; see the DPA at
/legal/dpa(control-plane domain).
Contact
compliance@gavai.io for vendor-risk questionnaires or audit-evidence requests.