OmegaEngine

Compliance Report

SOC 2 Type II · Trust Service Criteria Assessment

Report Date

June 28, 2026

Report ID

OMG-CR-20260628-LBUA5Q

Organization

OmegaEngine (Jesse Mahoney, a sole proprietor)

Scope

All production systems

CLASSIFICATION: PUBLIC SUMMARY

Self-assessed · unsigned summary

Overall Compliance Posture

Across all assessed frameworks and trust service criteria

100%

COMPLIANT

Framework	Score	Controls	Gaps	Status
SOC 2 Type II	100%	21/21	0	Pass
NIST AI RMF	93%	17/19	2	Pass
ISO 42001	97%	10/12	2	Pass
EU AI Act	85%	10/12	2	Partial

Executive Summary

This is a self-assessment, not an independent audit. OmegaEngine has evaluated its OWN controls against the AICPA SOC 2 Type II Trust Service Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. OmegaEngine is not SOC 2 certified and has not undergone an independent third-party audit; this report summarizes our self-assessed posture as of June 28, 2026.

Of the 21 controls assessed, 21 (100%) are fully implemented with auditable evidence. The platform demonstrates a mature security posture with defense-in-depth controls spanning the application, infrastructure, and organizational layers.

8,674+

Test Coverage

automated tests

CI Pipelines

zero-trust workflows

Safety Layers

3,736 lines of code

AES-256

Encryption

TLS 1.3 in transit

Common Criteria (Security)

Trust Service Category: CC

11/11

Controls Passing

CC1.1Control Environment

Entity demonstrates commitment to integrity and ethical values

Pass

Evidence:

RESPONSIBLE_AI.md
TERMS_OF_SERVICE.md
Code of Conduct

CC2.1Communication & Information

Entity obtains and uses relevant quality information

Pass

Evidence:

Structured logger (lib/logger.ts)
Request tracing (x-request-id)
Sentry telemetry

CC3.1Risk Assessment

Entity identifies and assesses risks to achieve objectives

Pass

Evidence:

docs/threat-model.md
docs/RISK_REGISTER.md
lib/safety.ts
lib/policyEngine.ts

CC3.2Risk Register

Entity maintains a formal risk register with treatment plans

Pass

Evidence:

docs/RISK_REGISTER.md
docs/ACCEPTED_RISKS.md

CC5.1Control Activities

Entity selects and develops control activities to mitigate risks

Pass

Evidence:

proxy.ts (access gate)
lib/auth/guards.ts
lib/rateLimit.ts
lib/idempotency/idempotencyGuard.ts

CC6.1Logical Access Controls

Entity restricts logical access to systems

Pass

Evidence:

RBAC (lib/auth/rbac.ts)
IP Guard (lib/proxy/ipGuard.ts)
Security headers (HSTS, CSP)
Auth guards

CC6.2Change Management

Entity authorizes, designs, develops, configures, tests, and implements changes

Pass

Evidence:

CI/CD pipeline (.github/workflows/ci.yml)
8,674+ automated tests (538 files)
Branch protection (BRANCH_PROTECTION.md)

CC7.1Security Monitoring

Entity detects and responds to security events

Pass

Evidence:

Sentry (client + server + edge)
SLO signal monitoring
Request tracing

CC7.2Incident Management

Entity manages security incidents to resolution

Pass

Evidence:

docs/INCIDENT_RUNBOOK.md
Kill switch (gracefulShutdown.ts)
CTO Protection Plan

CC8.1Vendor Management

Entity manages risk from third-party service providers

Pass

Evidence:

Circuit breaker (modelRouting/circuitBreaker.ts)
Fallback chain
Cost guards

CC9.1Risk Mitigation

Entity identifies and manages risks from business disruption

Pass

Evidence:

Safety pipeline (12 layers, 3,736 LOC)
Policy engine
Graceful shutdown

Availability

Trust Service Category: A

3/3

Controls Passing

A1.1Availability Commitments

System meets availability objectives

Pass

Evidence:

Health endpoints (/api/health, /api/ping)
SLA documentation
Runtime guarantees

A1.2Disaster Recovery

System can recover from disruptions

Pass

Evidence:

docs/DR_RPO_RTO.md
docs/DR_DRILL_LOG.md
scripts/dr-backup-verify.cjs

A1.3Recovery Testing

Entity tests recovery plan procedures

Pass

Evidence:

docs/DR_DRILL_LOG.md
scripts/dr-backup-verify.cjs
CI DR verification step

Processing Integrity

Trust Service Category: PI

2/2

Controls Passing

PI1.1Processing Integrity

System processing is complete, valid, accurate and authorized

Pass

Evidence:

HMAC audit trail signing (lib/audit/auditIntegrity.ts)
Cryptographic proof chain
Idempotency guard

PI1.2Processing Accuracy

Entity detects and corrects processing errors

Pass

Evidence:

Input validation (Zod schemas)
Safety engine (injection detection)
Output verification

Confidentiality

Trust Service Category: C

1/1

Controls Passing

C1.1Confidentiality

Entity protects confidential information

Pass

Evidence:

HSTS + CSP headers
AES-256 encryption at rest (PostgreSQL)
TLS 1.3 in transit (Vercel Edge)

Privacy

Trust Service Category: P

4/4

Controls Passing

P1.1Privacy Notice

Entity provides notice about its privacy practices

Pass

Evidence:

docs/PRIVACY_POLICY.md
docs/TERMS_OF_SERVICE.md

P1.2Data Protection Officer

Entity designates a DPO and communicates privacy responsibilities

Pass

Evidence:

DPO: Jesse Mahoney
dpo@omegaengine.ai
PRIVACY_POLICY.md §14

P1.3Data Processing Agreements

Entity maintains DPA with data processors per GDPR Art. 28

Pass

Evidence:

docs/DATA_PROCESSING_AGREEMENT.md
8 sub-processors documented

P1.4Data Retention & Disposal

Entity disposes of data according to retention policies

Pass

Evidence:

lib/audit/retention.ts
Automated daily purge (vercel.json cron)
Configurable per-tenant windows

Attestation & Integrity

Report Integrity

Report IDOMG-CR-20260628-LBUA5Q

Generated At2026-06-28T21:11:02.240Z

Assessment Date2026-06-28T21:11:02.240Z

Report TypeSelf-assessment · unsigned summary

Cryptographic ProofNot signed — verify signed attestations at /verify

Data Sourcelib/compliance/complianceRegistry.ts (live assessment)

This report was generated from live compliance data and reflects the current state of OmegaEngine's security controls.

For the full audit package including detailed evidence, proof chains, and penetration test results, contact security@omegaengine.ai.

Report ID: OMG-CR-20260628-LBUA5Q • Generated: 2026-06-28T21:11:02.240Z

Back to Trust Center

OmegaEngine

Compliance Report

SOC 2 Type II · Trust Service Criteria Assessment

Report Date

June 28, 2026

Report ID

OMG-CR-20260628-LBUA5Q

Organization

OmegaEngine (Jesse Mahoney, a sole proprietor)

Scope

All production systems

CLASSIFICATION: PUBLIC SUMMARY

Self-assessed · unsigned summary

Overall Compliance Posture

Across all assessed frameworks and trust service criteria

100%

COMPLIANT

Framework	Score	Controls	Gaps	Status
SOC 2 Type II	100%	21/21	0	Pass
NIST AI RMF	93%	17/19	2	Pass
ISO 42001	97%	10/12	2	Pass
EU AI Act	85%	10/12	2	Partial

Executive Summary

8,674+

Test Coverage

automated tests

CI Pipelines

zero-trust workflows

Safety Layers

3,736 lines of code

AES-256

Encryption

TLS 1.3 in transit

Common Criteria (Security)

Trust Service Category: CC

11/11

Controls Passing

CC1.1Control Environment

Entity demonstrates commitment to integrity and ethical values

Pass

Evidence:

RESPONSIBLE_AI.md
TERMS_OF_SERVICE.md
Code of Conduct

CC2.1Communication & Information

Entity obtains and uses relevant quality information

Pass

Evidence:

Structured logger (lib/logger.ts)
Request tracing (x-request-id)
Sentry telemetry

CC3.1Risk Assessment

Entity identifies and assesses risks to achieve objectives

Pass

Evidence:

docs/threat-model.md
docs/RISK_REGISTER.md
lib/safety.ts
lib/policyEngine.ts

CC3.2Risk Register

Entity maintains a formal risk register with treatment plans

Pass

Evidence:

docs/RISK_REGISTER.md
docs/ACCEPTED_RISKS.md

CC5.1Control Activities

Entity selects and develops control activities to mitigate risks

Pass

Evidence:

proxy.ts (access gate)
lib/auth/guards.ts
lib/rateLimit.ts
lib/idempotency/idempotencyGuard.ts

CC6.1Logical Access Controls

Entity restricts logical access to systems

Pass

Evidence:

RBAC (lib/auth/rbac.ts)
IP Guard (lib/proxy/ipGuard.ts)
Security headers (HSTS, CSP)
Auth guards

CC6.2Change Management

Entity authorizes, designs, develops, configures, tests, and implements changes

Pass

Evidence:

CI/CD pipeline (.github/workflows/ci.yml)
8,674+ automated tests (538 files)
Branch protection (BRANCH_PROTECTION.md)

CC7.1Security Monitoring

Entity detects and responds to security events

Pass

Evidence:

Sentry (client + server + edge)
SLO signal monitoring
Request tracing

CC7.2Incident Management

Entity manages security incidents to resolution

Pass

Evidence:

docs/INCIDENT_RUNBOOK.md
Kill switch (gracefulShutdown.ts)
CTO Protection Plan

CC8.1Vendor Management

Entity manages risk from third-party service providers

Pass

Evidence:

Circuit breaker (modelRouting/circuitBreaker.ts)
Fallback chain
Cost guards

CC9.1Risk Mitigation

Entity identifies and manages risks from business disruption

Pass

Evidence:

Safety pipeline (12 layers, 3,736 LOC)
Policy engine
Graceful shutdown

Availability

Trust Service Category: A

3/3

Controls Passing

A1.1Availability Commitments

System meets availability objectives

Pass

Evidence:

Health endpoints (/api/health, /api/ping)
SLA documentation
Runtime guarantees

A1.2Disaster Recovery

System can recover from disruptions

Pass

Evidence:

docs/DR_RPO_RTO.md
docs/DR_DRILL_LOG.md
scripts/dr-backup-verify.cjs

A1.3Recovery Testing

Entity tests recovery plan procedures

Pass

Evidence:

docs/DR_DRILL_LOG.md
scripts/dr-backup-verify.cjs
CI DR verification step

Processing Integrity

Trust Service Category: PI

2/2

Controls Passing

PI1.1Processing Integrity

System processing is complete, valid, accurate and authorized

Pass

Evidence:

HMAC audit trail signing (lib/audit/auditIntegrity.ts)
Cryptographic proof chain
Idempotency guard

PI1.2Processing Accuracy

Entity detects and corrects processing errors

Pass

Evidence:

Input validation (Zod schemas)
Safety engine (injection detection)
Output verification

Confidentiality

Trust Service Category: C

1/1

Controls Passing

C1.1Confidentiality

Entity protects confidential information

Pass

Evidence:

HSTS + CSP headers
AES-256 encryption at rest (PostgreSQL)
TLS 1.3 in transit (Vercel Edge)

Privacy

Trust Service Category: P

4/4

Controls Passing

P1.1Privacy Notice

Entity provides notice about its privacy practices

Pass

Evidence:

docs/PRIVACY_POLICY.md
docs/TERMS_OF_SERVICE.md

P1.2Data Protection Officer

Entity designates a DPO and communicates privacy responsibilities

Pass

Evidence:

DPO: Jesse Mahoney
dpo@omegaengine.ai
PRIVACY_POLICY.md §14

P1.3Data Processing Agreements

Entity maintains DPA with data processors per GDPR Art. 28

Pass

Evidence:

docs/DATA_PROCESSING_AGREEMENT.md
8 sub-processors documented

P1.4Data Retention & Disposal

Entity disposes of data according to retention policies

Pass

Evidence:

lib/audit/retention.ts
Automated daily purge (vercel.json cron)
Configurable per-tenant windows

Attestation & Integrity

Report Integrity

Report IDOMG-CR-20260628-LBUA5Q

Generated At2026-06-28T21:11:02.240Z

Assessment Date2026-06-28T21:11:02.240Z

Report TypeSelf-assessment · unsigned summary

Cryptographic ProofNot signed — verify signed attestations at /verify

Data Sourcelib/compliance/complianceRegistry.ts (live assessment)

This report was generated from live compliance data and reflects the current state of OmegaEngine's security controls.

For the full audit package including detailed evidence, proof chains, and penetration test results, contact security@omegaengine.ai.

Report ID: OMG-CR-20260628-LBUA5Q • Generated: 2026-06-28T21:11:02.240Z