Turtini's path to SOC 2, CMMC, and FedRAMP
"Turtini grade" is the brand bar — every shipped feature is held to it. The third-party-attested side of that bar is on a deliberate roadmap rather than a vapor-checkbox: SOC 2 first, CMMC Level 2 next, FedRAMP Li-SaaS after that. Here's where each one stands today and what unlocks at each milestone.
Where we are today:
• **Internal controls already operating** — hash-chained audit log on every financial action, signed outbound event stream for SIEM ingest, ed25519-signed audit class events, per-org KMS scoping, per-action authorization checks, image moderation pipeline, automated KYB on every counterparty.
• **Stripe Connect KYB** — every paying org clears Stripe's KYB pipeline as a baseline counterparty check.
• **Public AUP + DPA** — Acceptable Use Policy is attested per-org; DPA is downloadable per-org.
• **Pay-as-you-go transparency** — every metered cost is itemized and shown in Settings → Usage.
Tier 1 — SOC 2 Type II (target):
SOC 2 is the universal "we operate the way an auditor would expect" attestation. We're operating controls to SOC 2 standards now and aim to clear the Type II observation window with a top-tier auditor. Unlocks at SOC 2:
• Mid-market enterprise commercial diligence (Procurement / Vendor Risk teams accept SOC 2 as a baseline)
• Faster pen-test review cycles with prospective customers
Tier 2 — CMMC Level 2:
The Cybersecurity Maturity Model Certification (CMMC) Level 2 is the federal-contracting baseline for any contractor handling Controlled Unclassified Information (CUI). It maps to NIST SP 800-171's 110 practices. We're already operating against the CMMC controls catalogue; certification follows SOC 2.
Tier 3 — FedRAMP Li-SaaS:
The Low Impact SaaS authorization path is the lowest FedRAMP tier and the right starting point for a SaaS that doesn't yet need FedRAMP Moderate / High. Combined with Wally Sovereignty BYO endpoints (Bedrock GovCloud) and air-gap mode, Turtini deployments can satisfy a CO's posture requirements without the customer running FedRAMP infrastructure themselves.
The honest timeline:
This is a roughly 18–24 month roadmap at the platform's current solo-team build cadence — SOC 2 first, then CMMC, then FedRAMP. We move in that order specifically because each prior tier's controls catalog substantially overlaps the next, so the work compounds rather than parallels.
Why we don't claim what we haven't earned:
There are platforms that paint "SOC 2 compliant" on the marketing page when they mean "we filled out a self-assessment workbook." We don't. The line on the Trust Score and on /about/security is the actual state of each attestation. When a tier is in progress, we say "in progress." When it's complete, we link to the report.
If your procurement diligence asks for an attestation we don't yet have:
• Ask your account team for the current detailed posture (we share controls, control owners, evidence cadence, gap analysis under NDA).
• Ask for the Trust Score breakdown for Turtini's own platform org — same KYB / verification fields we expose for every org are populated for ours.
• Ask for a security questionnaire response (CAIQ / SIG / your own) — we maintain a current answer set and route updates through legal.
The bar is moving up over time, not down.