Helios Live

How We Ship SOC 2 Compliant Software

A practical look at the controls, audit processes, and engineering practices that keep every Helios Live software engagement SOC 2 Type II certified year over year.

Daniel Torres

SOC 2 Type II certification is table stakes for selling software to enterprise security teams. Getting certified once is one thing; maintaining it continuously — while shipping features and scaling infrastructure — is the harder discipline. Here is how we approach it across every custom software engagement.

What SOC 2 Type II Actually Audits

SOC 2 is organised around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report covers a six-to-twelve month observation window and gives the auditor’s opinion on whether the described controls operated effectively throughout that period. The word “operated” is the hard part — a control that existed on paper but failed in practice will surface in the report.

We work with a Big Four auditor. Our observation period runs January through December, with the report delivered to customers in Q1 of the following year.

Controls That Ship with Every Engagement

Our engineering process treats compliance as a first-class constraint, not a post-shipment checkbox. Every pull request against production infrastructure must pass:

  • Automated secrets scanning via a pre-commit hook and CI step. Credentials, tokens, and API keys that leak into version control are caught before merge.
  • Static analysis for common vulnerability classes (injection, SSRF, insecure deserialisation). Findings at severity HIGH or above block merge.
  • Infrastructure-as-code review by a second engineer for any change touching network ACLs, IAM policies, or storage bucket permissions.
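As an added illustration of the first gate above, here is a small secrets scanner of the kind a pre-commit hook or CI step would run over a pull request diff. It is example code written for this article, not Helios Live's tooling: the rule set, the entropy threshold and the sample diff are all assumptions constructed here. It scans only added lines (removed lines are not in the new tree), maps each hit back to a line number in the post-change file, gates the noisy generic "password = '...'" rule on Shannon entropy so placeholders do not fail every build, and masks the matched value so the secret itself never lands in CI logs. The AWS key in the sample is the documentation example key `AKIAIOSFODNN7EXAMPLE`, not a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical rule set for the pre-commit / CI secrets gate (assumed, not Helios Live's).
# Rules with a named group "v" report that group as the candidate secret;
# the others report the whole match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "secret = '...'" assignments are noisy, so they are gated on entropy below.
    "generic_assignment": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)\s*[:=]\s*['\"](?P<v>[^'\"]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like "changeme" fall well below
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int       # line number in the post-change file
    masked_value: str  # never log the full secret; CI logs are widely readable


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def check_line(path: str, line_no: int, text: str) -> list:
    out = []
    for rule, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.groupdict().get("v") or m.group(0)
            if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a credential
            out.append(Finding(rule, path, line_no, mask(value)))
    return out


def scan_diff(diff_text: str) -> list:
    """Scan only the lines a change adds; removed lines are not in the new tree."""
    findings, path, new_line = [], "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff ", "\\")):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number of the hunk in the new file
            continue
        if raw.startswith("-"):
            continue
        if raw.startswith("+"):
            findings.extend(check_line(path, new_line, raw[1:]))
        new_line += 1  # context and added lines both advance the new-file line counter
    return findings


def should_block_merge(findings: list) -> bool:
    return bool(findings)


# Constructed sample diff: one real-looking key, one placeholder, one high-entropy token.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 ALLOWED_HOSTS = ["app.example.internal"]
-AWS_ACCESS_KEY_ID = env("AWS_ACCESS_KEY_ID")
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme-changeme-changeme"
+API_TOKEN = "q7Zx2pL9vB4mN8kR1tW6yH3uJ5cE0sA2"
 LOG_LEVEL = "INFO"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.masked_value}")
    raise SystemExit(1 if should_block_merge(scan_diff(SAMPLE_DIFF)) else 0)
```

Wired into a pre-commit hook, the script would be fed `git diff --cached` and its non-zero exit blocks the commit; the same function in CI gives the "caught before merge" guarantee even when a developer skips local hooks. The entropy gate is a trade-off: it keeps `changeme` placeholders from failing every build, at the cost that a genuinely weak, low-entropy password assigned in code is not flagged by the generic rule.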

Access Control and Least Privilege

Every system access provisioned for a customer engagement goes through the client’s identity provider with SCIM synchronisation. When an engineer rotates off a project, access is revoked across all production systems within fifteen minutes — auditable via the customer’s SIEM. We enforce MFA on all production access without exception.

Role separation means engineers who write application code do not have unilateral access to production databases. Schema changes require a change-control ticket approved by a second engineer and a member of the infrastructure team.

Encryption at Every Layer

Data at rest is encrypted with AES-256. Data in transit uses TLS 1.3 with certificate pinning on mobile clients. Enterprise customers can bring their own encryption keys (BYOK) managed via AWS KMS, Azure Key Vault, or HashiCorp Vault — Helios Live never holds the plaintext key material.

Continuous Control Monitoring

We run automated control-effectiveness checks nightly. If a check detects, for example, that a storage bucket has become publicly accessible, it pages the on-call engineer, reverts the change, and logs the event to the audit trail — all before a human reviews it in the morning. This continuous monitoring posture means our SOC 2 controls are not just documented — they are tested daily.
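The detect, page, revert, log sequence described above, as an added example that is not Helios Live's monitoring code. It models an object-storage inventory as plain dictionaries (constructed sample data, loosely shaped like S3 bucket policies, ACL grants and Block Public Access flags); the exposure model is a deliberate simplification (an assumption, not S3's full evaluation logic), the control identifier is a placeholder, and the pager is an injected callable. The order matters: the on-call engineer is paged before the automatic revert, the revert is re-checked rather than assumed to have worked, and every bucket, passing or failing, produces an audit-trail record so the auditor can see the control ran nightly.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class AuditRecord:
    timestamp: str
    control_id: str
    bucket: str
    result: str                 # "pass" or "fail"
    reasons: list = field(default_factory=list)
    action: str = "none"
    verified: bool = True       # re-check after remediation came back clean


def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_exposure_reasons(bucket: dict) -> list:
    """Simplified exposure model (assumption): with all four Block Public Access flags on,
    public policies and ACLs are blocked or ignored, so nothing is exposed. Otherwise an
    unconditioned Allow to Principal * or a grant to a global ACL group counts as public."""
    pab = bucket.get("public_access_block", {})
    if all(pab.get(flag, False) for flag in PAB_FLAGS):
        return []
    reasons = []
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            reasons.append(f"policy statement '{stmt.get('Sid', '<no Sid>')}' allows Principal *")
    for grant in bucket.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            reasons.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    return reasons


def remediate(bucket: dict) -> str:
    """Revert to the baseline by turning all four flags back on. In production this would be
    the storage API call; here it mutates the in-memory record."""
    bucket["public_access_block"] = {flag: True for flag in PAB_FLAGS}
    return "enabled all BlockPublicAccess flags"


def run_control(inventory: list, page, control_id: str = "CTRL-STORAGE-PUBLIC") -> list:
    """Nightly check: for every bucket, detect; on failure page, revert, verify; always log."""
    records = []
    for bucket in inventory:
        reasons = public_exposure_reasons(bucket)
        ts = datetime.now(timezone.utc).isoformat()
        if not reasons:
            records.append(AuditRecord(ts, control_id, bucket["name"], "pass"))
            continue
        page(bucket["name"], reasons)  # on-call is told before the auto-revert runs
        action = remediate(bucket)
        verified = public_exposure_reasons(bucket) == []
        records.append(AuditRecord(ts, control_id, bucket["name"], "fail", reasons, action, verified))
    return records


def to_jsonl(records: list) -> str:
    """Append-only audit trail: one JSON object per line, ready for the SIEM."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


def sample_inventory() -> list:
    """Constructed inventory for illustration; returns a fresh copy on every call."""
    return [
        {"name": "helios-audit-logs",
         "public_access_block": {f: True for f in PAB_FLAGS}},
        {"name": "customer-exports",
         "public_access_block": {f: False for f in PAB_FLAGS},
         "policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::customer-exports/*"}]},
         "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
        {"name": "vpc-only-artifacts",
         "public_access_block": {f: False for f in PAB_FLAGS},
         "policy": {"Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::vpc-only-artifacts/*",
                                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}},
    ]


if __name__ == "__main__":
    recs = run_control(sample_inventory(), page=lambda b, r: print(f"PAGE on-call: {b}: {r}"))
    print(to_jsonl(recs))
```

The third bucket is the caveat worth keeping in a real check: a wildcard principal restricted by a condition (here a VPC endpoint) is not public, and a check that flags it will train the on-call engineer to ignore the page. The `verified` field is what an auditor actually wants to see, since it records that the control's corrective action was effective, not merely attempted.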

SOC 2 Type II is a discipline, not a destination. We treat the annual audit as a forcing function for engineering hygiene, not a bureaucratic hurdle.