Trust, audited and on a timeline.
Thabit sells to regulated industries (defense, aerospace, and critical-infrastructure engineers. Compliance isn't a marketing badge) it's a precondition. This page shows every framework we're pursuing, what it unlocks, and when we expect to achieve it. Dates are aggressive but honest.
Compliance Roadmap
| Framework | Status | Target | What it unlocks |
|---|---|---|---|
| SOC 2 Type I | IN PROGRESS | Q3 2026 | Baseline security attestation, unblocks most Team-tier procurements. |
| SOC 2 Type II | ROADMAP | Q4 2026 | 12-month observation period; required by most Enterprise buyers. |
| CMMC Level 2 (self) | ROADMAP | Q1 2027 | Required for subcontractors handling CUI under DFARS 252.204-7012. |
| CMMC Level 2 (C3PAO) | ROADMAP | Q3 2027 | Third-party certification for contracts above $1M. |
| FedRAMP 20x Moderate | ROADMAP | Q4 2027 | Federal-agency direct sales via automated continuous authorization. |
| FedRAMP High / DoD IL-4 | ROADMAP | 2028 | Higher-impact federal systems including DoD CUI. |
| DoD IL-5 | ROADMAP | 2028+ | Non-public national-security data; sponsor-program-specific. |
Current Security Practices
Every item below is in production today. For the architectural explanation of each, see the Security Overview.
| Category | Practice |
|---|---|
| Encryption | TLS 1.3 in transit; AES-256 at rest on database, object storage, and backups. |
| Access | Role-based access with row-level tenant isolation; MFA for all admin access. |
| Secrets | Managed secret store; no secrets in source control; quarterly rotation schedule. |
| Logging | Structured application logs + cloud audit logs, 1-year retention, append-only. |
| Monitoring | Real-time error tracking with PII scrubbing; anomaly alerting on auth events. |
| SDLC | Peer review on every merge; automated dependency scanning; secrets scanning; static analysis. |
| Backups | Automated backups with 30-day point-in-time recovery; semi-annual DR drill. |
| People | Background checks for production access; annual security awareness training. |
Documents Available on Request
- Security questionnaire responses, SIG Lite, CAIQ, and custom questionnaires within 5 business days.
- Penetration test summary, annual third-party engagement, available under NDA.
- Business Continuity and Disaster Recovery Plan, summary version available under NDA.
- Data Processing Addendum (DPA), public template, executable with enterprise customers.
- SOC 2 Type I report, available upon issuance (Q3 2026) under NDA.
Request any of the above by emailing security@thabit.ai.
How We Stay Honest
- Vanta continuous monitoring auto-collects evidence for every control, continuously, no annual scramble.
- Incident response runbook is exercised quarterly (tabletop) and annually (full drill).
- Quarterly access reviews on all production systems.
- Public subprocessor list at /legal/subprocessors, updated before any change takes effect.
- Responsible disclosure program with safe-harbor commitments, details here.
Regulatory Handling Guidance
Thabit’s Services are not yet authorized for: classified data (any level), Controlled Unclassified Information (CUI) subject to DFARS 252.204-7012, ITAR-controlled data, PHI subject to HIPAA, or PCI cardholder data. Our roadmap above sets the dates each category becomes permissible. Customers are responsible for verifying authorization status before uploading regulated content; see the AUP for the full restricted-content policy.