
SOC 2 Type 1 - our roadmap

Many mid-market clients ask for SOC 2 during evaluation. Here's exactly where we stand, no bullshit.

Current status: certification engagement started in Q3 2026, partner: Vanta
Roadmap

Quarterly milestones

  • Q3 2026: Vanta kickoff + scoping (in progress)
    Vanta account creation. Scope definition (LMbox-web + on-premise Box). Inventory of controls to implement.
  • Q4 2026: Control implementation (planned)
    Implementation of missing technical controls: logging, access management, MFA, incident management, team training.
  • Q1 2027: Type 1 audit (planned)
    Independent point-in-time audit by an AICPA-licensed auditor. SOC 2 Type 1 report issued upon completion.
  • Q2 2027: Observation period (planned)
    Start of the 6-month observation period required for Type 2 (continuous evidence that controls operate as designed).
  • Q3 2027: Type 2 audit (planned)
    Independent audit over the observation period. SOC 2 Type 2 report available before end of Q3 2027.
Trust Service Criteria

Coverage of the 5 Criteria

The AICPA defines 5 auditable criteria. Here is how we address each of them.

  • Security (CC1-CC9)
    Mandatory criterion. Covers access control, identity management and system protection. Our on-prem architecture facilitates compliance.
  • Availability (A1)
    Criterion covered. Contractual SLA on LMbox managed (99.9%). On LMbox on-premise, availability is under your responsibility.
  • Confidentiality (C1)
    Core criterion for LMbox. On-prem architecture + encryption at rest and in transit + audit logs.
  • Processing Integrity (PI1)
    Criterion covered for data flows between LMbox components. Input validation, automated controls.
  • Privacy (P1-P8)
    The most extensive criterion (covers GDPR-like requirements). Our on-prem architecture addresses it natively. Privacy by Design documentation provided.
In the Meantime

What We Provide Today

While formal SOC 2 certification is pending, we provide all the documentation a CISO or auditor needs to assess our security posture.

  • Security Architecture Documentation
    Comprehensive technical document (50+ pages): data flows, encryption, secrets management, audit logs, incident management.
  • Detailed audit logs
    All LMbox events are auditable. SIEM-compatible format (Splunk, Elastic, Sumo Logic). Compliant with AICPA CC2 requirements.
  • DPA + documented subprocessing
    GDPR data processing agreement template. Exhaustive list of technical subprocessors. Compatible with standard IT questionnaires.
  • Annual independent pentest
    Pentest conducted by an ANSSI-certified firm. Shareable report provided on request, under NDA.

CISO question?

Our security team is used to lengthy questionnaires. Send us your RFP and we'll complete it in under 5 days.
