Compliance Roadmap, 18 Months

Last reviewed: 2026-05-24. Update cadence: Quarterly, plus on any milestone hit or missed. Owner: David McHale (commercial commitments and technical commitments combined; see key-person-succession.md §1).

Audience: US Enterprise procurement reviewers (primary), enterprise security architects, Latin American (LGPD/BACEN) reviewers, and contract administrators who want to understand what is in flight and on what timeline.

Purpose: State HailBytes’ compliance roadmap with real dates and named vendors. HailBytes is a US-headquartered vendor; the roadmap leads with the North American attestation US Enterprise procurement requires (SOC 2 Type 2 direct), followed by Latin American (LGPD encarregado publication) and global (ISO 27001 evaluation) milestones. This document signals operational maturity precisely because it admits what isn’t done yet and commits to dates.

Recent course correction (May 2026): the roadmap previously sequenced SOC 2 Type 1 first, then Type 2. Enterprise customer procurement feedback during the May 2026 evaluation cycle indicated Type 1 does not clear the procurement bar for Fortune-50-class buyers; Type 2 is the required attestation. HailBytes has transitioned to a Type 2 direct path (omitting Type 1) with Jack Moore Group as audit firm. The prior shortlist (ecFirst, Sensiba) is closed.

1. Roadmap at a glance

| Initiative | Selected vendor or approach | Kickoff | Target completion |
| --- | --- | --- | --- |
| SOC 2 Type 2 direct (Security TSC) | Auditor: Jack Moore Group; control documentation: self-prepared in-house | Engagement signature imminent (late-stage contracting as of 2026-05-24) | Target attestation: 2026-H2 to 2027-Q1, contingent on completion of the 6-month minimum observation window from engagement execution |
| First third-party penetration test | Astra Pentest (getastra.com), selected vendor, engagement not yet booked | 2026-Q4 (booking target) | 2027-Q1 (report) |
| ISO 27001 evaluation | n/a (not pursuing 2026–2027) | n/a | Re-evaluated 2027-Q2 |
| LGPD encarregado designated (David McHale) | n/a | Designated 2026-Q2 | Public-page publication 2026-Q3 |
| GDPR DPO designated (David McHale) | n/a | Designated 2026-Q2 | Public-page publication 2026-Q3 |
| DPA published at hailbytes.com/legal/dpa | Live | 2026-Q2 | Live as of 2026-05-11 |
| Business Owners Policy bound ($1M GL + property) | Hiscox | 2026-05-21 | Bound effective 2026-05-21 |
| Cyber Liability bound ($250K + Media Liability rider) | Hiscox | 2026-05-21 | Bound effective 2026-05-21 |
| Tech E&O standalone endorsement | Hiscox or complementary carrier | Evaluation in progress | Available on procurement-floor demand (per-customer endorsement) |
| Cyber limits upgrade pathway | Hiscox (upgrade on bound policy) | n/a | Available on procurement-floor demand, ~1-week lead time |
| SAT container-image signing (Cosign parity with ASM) | n/a | 2026-Q3 | 2026-Q3 |
| BCP/DR first tabletop exercise | Exercise authored, see bcp-dr-tabletop-exercise.md; run with full participant set | 2026-Q3 | 2026-Q3 |
| Subprocessor list, publish DPA URL referenced in §3 | n/a | 2026-Q2 | 2026-Q3 |
| Public Trust Center page at hailbytes.com/trust/ | Built, see hugo-site/content/pages/trust.html | Built 2026-Q2 | Live on next deploy |

2. SOC 2 Type 2 (Direct Path)

Scope: Security trust services criterion only, for HailBytes ASM and HailBytes SAT.

Why Security TSC only: HailBytes does not operate the data plane (see byoc-architecture.md), so Availability, Processing Integrity, Confidentiality, and Privacy TSCs largely map to controls that live in the customer’s tenant, where the customer’s auditor would assess them. Adding additional TSCs to HailBytes’ own scope adds cost without adding evidence relevance for enterprise customers. Reviewed annually with auditor input.

Why Type 2 direct (no Type 1 intermediate): during the May 2026 enterprise procurement evaluation cycle, a Fortune-50-class customer indicated that Type 1 attestation does not clear their procurement floor; Type 2 is the required deliverable. HailBytes adjusted course: the Type 1 milestone has been removed and the audit engagement has shifted to a Type 2 direct path. Type 2 is also the more frequently requested attestation across HailBytes’ broader enterprise pipeline, so the path change adds breadth as well as depth.

Auditor: Jack Moore Group. Selection is complete; engagement is in late-stage contracting as of 2026-05-24 with signature imminent. The prior shortlist (ecFirst, Sensiba) was closed when the path changed to Type 2 direct. Jack Moore Group is an AICPA-affiliated CPA firm engaged for the audit engagement.

Approach to readiness documentation: self-prepared. HailBytes prepares all control documentation in-house. The readiness owner has previously run SOC 2 Type 1 and Type 2 cycles in a CISO capacity at prior organizations and is the named encarregado/DPO and Security lead at HailBytes. HailBytes is not using a compliance-automation platform (Vanta, Drata, Secureframe); those platforms are useful when in-house compliance capacity is the bottleneck.

Trade-off acknowledged: without a compliance-automation platform, HailBytes does not get the “trust portal” widget those platforms ship. The functional equivalent is the public Trust Center page at hailbytes.com/trust/ plus this trust package as the document corpus. Procurement reviewers asking specifically for a Vanta or Drata trust portal can be redirected to the public Trust Center.

Observation window. SOC 2 Type 2 requires a minimum 6-month observation period during which controls are exercised and evidence is collected. The observation window begins on Jack Moore Group engagement execution (imminent). HailBytes targets at least 6 months of observation; the audit firm may recommend a longer window if it improves evidence quality.

Timeline. Engagement execution is imminent; observation begins on execution; minimum-6-month window completes ~late 2026. Audit fieldwork and report drafting typically span an additional 1 to 3 months. Target attestation issuance: 2026-H2 to 2027-Q1, exact date contingent on observation-window completion and report-drafting timeline negotiated with Jack Moore Group. The next quarterly update of this document will report the firmed-up date once engagement is executed.

Bridge-letter posture: a CPA bridge letter covering the gap between contract execution and attestation issuance can be requested from Jack Moore Group at procurement-floor demand once engagement is executed. The bridge letter is the parallel-track unblock for mid-stage rollouts that need contractual evidence before formal attestation lands.

3. ISO 27001

Status: not pursuing in the 2026–2027 window.

Rationale: For an English-speaking US/EU customer base, SOC 2 is the more frequently requested attestation. HailBytes’ resourcing is better spent achieving SOC 2 Type 2 before opening a second framework. ISO 27001 will be re-evaluated in 2027-Q2 with attention to whether enterprise EU customers are gated on it.

4. Penetration testing

Selected vendor: Astra Pentest (getastra.com).

Rationale: CREST-certified, hybrid automated + manual VAPT, publicly verifiable certificate, reports map to SOC 2 / ISO 27001 / GDPR / PCI-DSS. ASM and SAT engaged as two separate targets. The publicly verifiable certificate is useful for the public Trust Center at hailbytes.com/trust/.

Timeline: engagement to be booked in 2026-Q4; first report targeted for 2027-Q1. Annual cadence thereafter, with each year’s report referenced from the Trust Center and attached to this trust package.

Future-engagement considerations: for a 2027 or 2028 cycle once the SOC 2 Type 2 attestation is in hand, HailBytes may add a boutique-firm engagement on a 2-year cadence alongside the annual Astra cycle for additional rigor. Decision deferred until 2027-Q4 budget cycle.

5. Insurance

See insurance-coverage.md for the working detail. Summary status as of 2026-05-21:

  • Business Owners Policy bound with Hiscox, $1M occurrence / $1M aggregate (GL + property), $0 deductible, blanket additional insured endorsement included.
  • Cyber Liability bound with Hiscox, $250K occurrence / $250K aggregate, $10K deductible, with Media Liability rider.
  • Standalone Technology E&O under evaluation as a separate endorsement; available on procurement-floor demand.
  • Cyber limits upgrade pathway available on the bound Hiscox policy with approximately one-week lead time for procurement floors above the baseline.
  • Per-customer endorsement option remains in place for higher named limits (commonly $2M Tech E&O / $5M Cyber for IBM-class enterprises); premium delta is passed through transparently in the contract.

Carrier history: HailBytes initially pursued a $1M / $1M / $1M package through Vouch in May 2026 with target effective date 2026-05-15. Vouch’s response cycle was slower than required for the enterprise pipeline; HailBytes bound through Hiscox on 2026-05-21 at the limits stated above.

6. LGPD and GDPR readiness

See lgpd-compliance.md for the working detail. Summary commitments here:

  • LGPD encarregado: David McHale (designated; [email protected] alias is live; public-page publication targeted 2026-Q3).
  • GDPR DPO: David McHale (same appointee, designated 2026-Q2, public-page publication 2026-Q3).
  • DPA published at hailbytes.com/legal/dpa by 2026-Q3, with LGPD and GDPR schedules.

7. Per-release supply-chain hardening

See security-evidence-package.md. Commitments for the roadmap window:

  • SAT image signing parity with ASM (Cosign keyless via GitHub OIDC): 2026-Q3.
  • Customer-side cosign verify documentation expansion (clarify the verification gate as the primary supply-chain detection control; the Sigstore Rekor log remains available as a public forensic resource for post-incident queries, but HailBytes does not commit to building proactive Rekor reconciliation): ongoing.
  • Formal SLSA Level 2 declaration: 2026-Q4.

8. Hiring milestones that reduce key-person concentration

See key-person-succession.md §1. Current concentration: David McHale holds three of four primary roles, with John Shedd (commercial successor) and Boden McHale (technical successor) as the designated backups. Hiring commitments:

  • Dedicated Security lead (separated from CTO function) by 2027-Q2.
  • Additional engineering capacity (separated from contractor relationship) by 2027-Q1.
  • Dedicated customer-support primary by 2026-Q4.

9. What changes between this document and the next quarterly update

Each quarterly update reviews:

  • Did the dated commitments in §2 through §8 land on schedule? If not, name the new date and the reason.
  • Are there new commitments to add (new vendor selections, new attestation paths)?
  • Are there commitments to remove (re-scoped initiatives, deferred ISO 27001 evaluation, etc.)?
  • Has the SOC 2 Type 2 observation window completed or been extended? On observation completion, capture the audit fieldwork and report-drafting timeline negotiated with Jack Moore Group and firm up the §2 target attestation date.

Cross-references: caiq-lite.md for the control-by-control mapping where “Partial” answers point to this document; byoc-architecture.md for the scoping argument behind §2 and §3; insurance-coverage.md for §5 detail; key-person succession plan for §8 detail (available on request to [email protected]); bcp-dr-tabletop-exercise.md for the §1 tabletop entry.