Transparent, dated progress on every security certification, compliance milestone, and control implementation. Built for procurement teams who need to plan ahead, not just see where we stand today.
Status summary: 14 milestones complete, 6 in progress, 12 planned ahead. Last updated: May 2026 (reviewed monthly).
Completed milestones (14):
All user data encrypted at rest via Supabase (AWS us-east-1). Database, storage, and backups encrypted with AES-256.
All client-server communication enforces TLS 1.3. Older TLS versions (1.0, 1.1) rejected at the edge.
Supabase RLS policies deployed across all database tables. Users can only access their own records.
Append-only audit_log table covering auth events, data access, admin actions, document lifecycle, and payments.
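The two database controls listed above (per-user row access via RLS, and an append-only audit log) are straightforward to express in Postgres, which is what Supabase runs. The following is an added illustrative example, not Psychnex's actual schema or policies: the `records` table, its columns, the `audit_log` columns and the role names `anon`/`authenticated` are assumptions (the latter two are Supabase's default API roles; `auth.uid()` is Supabase's helper that returns the calling user's id). Only the table name `audit_log` comes from the page.

```sql
-- Illustrative example (not Psychnex's schema). Assumes a Supabase/Postgres
-- project where auth.uid() yields the current user's uuid.

-- 1. A per-user table: each row is owned by the user who created it.
create table records (
  id       bigint generated always as identity primary key,
  owner_id uuid not null default auth.uid(),   -- set from the caller's identity
  body     text not null
);

-- With RLS enabled and no policy, no row is visible to API roles at all;
-- each policy below opens exactly one access path.
alter table records enable row level security;

-- Users can read only their own rows ...
create policy records_owner_select on records
  for select to authenticated
  using (owner_id = auth.uid());

-- ... and can insert/update/delete only rows they own. WITH CHECK stops a
-- user from writing a row whose owner_id is someone else.
create policy records_owner_write on records
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 2. Append-only audit log: rows may be added, never changed or removed.
create table audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                       -- null for system-generated events
  event_type  text not null,              -- e.g. 'auth.login', 'data.read'
  detail      jsonb
);
alter table audit_log enable row level security;

-- Remove the UPDATE/DELETE grants Supabase's default privileges give API roles.
revoke update, delete on audit_log from anon, authenticated;

-- API callers may append, and only as themselves.
create policy audit_log_append on audit_log
  for insert to authenticated
  with check (actor_id = auth.uid());

-- Defence in depth: a trigger blocks UPDATE/DELETE even for roles that
-- bypass RLS and grants (table owner, service_role), unless they drop it.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;

create trigger audit_log_no_mutation
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- 3. Check: list any public table where RLS is NOT enabled. "Deployed across
-- all tables" means this query should return zero rows.
select relname
from pg_class
where relnamespace = 'public'::regnamespace
  and relkind = 'r'
  and not relrowsecurity;
```

Two caveats worth checking in any RLS deployment: policies only apply to tables where RLS is enabled (hence the final query, which is a useful periodic control test), and Supabase's `service_role` key bypasses RLS entirely, so it must never reach client code; the trigger is what keeps the audit log append-only even for that role.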
TOTP and SMS MFA available for all users. Required for all specialist and admin accounts.
Role-based access control with 6 distinct roles: super_admin, admin, enterprise_user, ai_specialist, human_specialist, end_user.
Inactive sessions automatically locked after 15 minutes. Configurable per portal type. NIST AC-11 compliant.
31 NIST SP 800-53 Rev. 5 control implementation statements, FIPS 199 assessment, authorization boundary, and POA&M published.
NIST SP 800-207 ZTA implemented: verify explicitly, least privilege, assume breach, device/identity validation, encrypt everywhere, continuous monitoring.
Aligned with the California Consumer Privacy Act, COPPA youth account protections, and the GLBA Safeguards Rule. All user rights are exercisable.
Full breach notification policy covering the CCPA 72-hour, GDPR 72-hour, NIS2 24-hour, GLBA 30-day, and US-CERT deadlines, plus a 7-step subscriber notification procedure.
NIST SP 800-61 aligned IRP with 6 phases, 6 IRT role definitions, 6 incident type runbooks, and full escalation matrix.
3-tier VRM policy with assessments of all 8 critical vendors (Supabase, Stripe, Plaid, Twilio, OpenAI, AWS, Shopify, Google Analytics).
6 core AI principles, prohibited uses, guardrails for Nova/Tundra/Vex/Echo/Aegis/Cipher, user rights, and AI governance structure.
In progress (6):
Independent CPA firm engaged for SOC 2 Type II audit. Observation period begins Q3 2026. Trust Services Criteria: Security, Availability, Confidentiality.
Independent third-party penetration testing firm engaged. Scope: web application, API layer, authentication, and Edge Function security.
Verify and document FIPS 140-2 compliance path via AWS KMS + Supabase infrastructure layer. Required for FedRAMP Moderate authorization.
Scheduled first annual PIA review. Update information type inventory, risk ratings, and retention schedules based on Q2 2026 platform additions.
Semi-annual tabletop exercise with IRT. Scenario: P1 data exfiltration event. Validate response procedures and escalation chain from IRP.
Formal assessment of Psychnex AI advisors under EU AI Act prohibited/high-risk/limited-risk categories. Legal counsel review of AI Act Article 6 applicability.
Planned ahead (12):
SOC 2 Type II report expected Q4 2026 upon completion of audit observation period. Report will be available to enterprise clients under NDA.
Mobile Device Management (MDM) enrollment for all Psychnex-managed devices. Device health check required before accessing production systems. Closes CISA ZTA "Devices" pillar gap.
Engage a C3PAO (Third-Party Assessment Organization) for a pre-assessment review before formal CMMC Level 2 certification. Gap analysis and remediation plan delivered.
Implement FedRAMP-aligned continuous monitoring: monthly vulnerability scanning, quarterly control reviews, annual penetration testing, and POA&M tracking.
Annual security awareness training program for all Psychnex employees. Covers phishing, social engineering, data handling, and incident reporting. NIST AT-2 compliant.
Standardized Data Processing Agreement templates for enterprise clients. GDPR Article 28 compliant, CCPA service provider terms, sub-processor schedule, and breach notification clauses.
Submit FedRAMP Moderate Authorization To Operate (ATO) package to sponsoring agency. Achieve formal FedRAMP Moderate ATO. Enables government agency procurement.
Complete formal CMMC Level 2 certification via C3PAO assessment. Enables DoD contractor and subcontractor use of Psychnex platform.
Engage UKAS/IAF-accredited certification body for ISO 27001:2022 certification. Covers ISMS scope, risk assessment, and control implementation.
Transition cryptographic module compliance from FIPS 140-2 to FIPS 140-3 (NIST standard updated 2019, enforcement timeline per agency requirements).
Execute Business Associate Agreement (BAA) for the Healthcare Portal. Enables full HIPAA-covered entity use cases for healthcare professional financial data.
Complete EU AI Act compliance registration for high-risk AI systems (if applicable after Q3 2026 classification). Register with EU AI database per Article 49.
Roadmap Notice: This roadmap reflects Psychnex's current planning and is subject to change. Target dates are estimates based on current resource allocation and vendor timelines. Certification milestones depend on third-party auditor and assessment organization availability. Formal certifications (SOC 2 Type II, FedRAMP ATO, CMMC Level 2, ISO 27001) are not claimed until issued by the relevant certifying authority. Contact security@psychnex.com for current status on any milestone.
Contact our security team to get a current-state briefing, request milestone documentation, or ask about accelerated certification timelines.