Procurement Bridge

The CISO-Approved Path To Deploying Before The Q2 2027 Audit

Procurement teams bound by internal red tape will reject any vendor without a SOC 2 Type 2 report on file. The Procurement Bridge is the documented, defensible path to deploying COVENANT today on the strength of the architecture, with the SOC 2 Type 2 audit on a published Q2 2027 calendar.

WHAT THE BRIDGE IS

A formal interim security packet (this page plus the linked documents) plus a signed risk-waiver template the fund's CIO or CISO countersigns. The packet substitutes for the SOC 2 Type 2 report during the bridge period; the waiver retires automatically when the Q2 2027 Big-4 audit completes.

1. Why A SOC 2 Substitution Is Defensible Here

SOC 2 controls were designed for cloud vendors that hold the customer's data. COVENANT does not hold the customer's data; the appliance lives on fund-owned hardware behind the fund's firewall. Most SOC 2 controls (multi-tenant isolation, vendor-employee access reviews, subprocessor flow-down) are structurally inapplicable to this deployment model.

That structural difference is why a substitution is defensible. The substitution is not "we skipped the audit." The substitution is "the audit is sized to the actual risk surface, which is materially smaller than the cloud-vendor surface."

Full architectural mapping: COVENANT SOC 2 Equivalence Document / CISO Fast-Track Bridge (request via the contact box at the bottom of this page).

2. The Interim Security Packet (Pre-Built, Downloadable)

The packet bundles the documents your CIO and CISO need to satisfy a procurement-committee review without a SOC 2 report:

3. The Q2 2027 Big-4 SOC 2 Type 2 Commitment

No Human Nearby commits to engaging a Big-4 audit firm for a SOC 2 Type 2 audit, with completion targeted for Q2 2027. Audit-firm selection is in progress; the named firm is published on the public commitment calendar inside the procurement packet once the engagement letter is signed.

The audit is funded out of founder-tier subscription revenue, not new capital, which is why the timeline is real and dated rather than aspirational. The waiver below retires automatically the day the Type 2 report ships.

4. Risk-Waiver Template (CIO / CISO Sign-Off)

Procurement teams cannot waive a SOC 2 requirement informally. The template below is the language a CIO or CISO countersigns to document the risk decision in the fund's vendor-management record. Hand it to vendor management; vendor management hands it to the Audit Committee at the next quarterly review.

Risk-Waiver Template (Excerpt)

WHEREAS the Vendor (No Human Nearby, Inc.) has published a Q2 2027 commitment to a Big-4 SOC 2 Type 2 audit, and has provided the Fund with the Interim Security Packet documenting (i) the SOC 2 control-by-control architectural equivalence under a local-inference deployment model, (ii) the Iron Mountain / NCC Group source-code escrow with named release triggers, (iii) the Hardware EOL Strategy with flex policy, and (iv) the Acquisition Continuity Covenant binding any future owner of the Vendor's intellectual property,

AND WHEREAS the Fund's CISO has independently reviewed the architectural mapping and confirms that the standard SOC 2 control set (CC6.1 through CC9.2) is satisfied by the local-inference deployment model with control gaps documented in the Equivalence Document,

AND WHEREAS the deployment of COVENANT involves no transmission of borrower data outside the Fund's network perimeter,

THE FUND HEREBY WAIVES the standard SOC 2 Type 2 vendor pre-condition for this Vendor for the period running from the date of this waiver through the earlier of (a) thirty days after publication of the Vendor's SOC 2 Type 2 report, or (b) any material breach of the architectural commitments documented in the Interim Security Packet.

Signed: ______________________ (CISO)
Counter-signed: ______________________ (CIO)
Date: __________

The full counsel-reviewed waiver document is part of the Interim Security Packet. The fund's outside counsel can edit any clause; the template is a starting point, not a take-it-or-leave-it document.

5. What The Bridge Does Not Do

To prevent confusion later: the Procurement Bridge is not a substitute for the audit. It is the documented path to deployment during the audit period. The audit is the audit. The bridge retires.

The bridge also does not waive the fund's existing controls (data classification, access management, change-control). It substitutes specifically for the SOC 2 Type 2 vendor pre-condition; everything else the fund's vendor-management framework requires still applies.

6. Frequently Asked Procurement Questions

Our procurement policy hard-blocks any vendor without SOC 2 Type 2 on file. Can we still deploy?

Most procurement policies allow CIO or CISO sign-off on a documented risk waiver for vendors whose deployment model materially changes the SOC 2 risk surface. The waiver template above is designed to fit that exception. Where it does not, we work with the fund's vendor management on a custom path.

Will the Q2 2027 audit cover the version we deploy in 2026?

Yes. The audit covers the deployed product line, not a specific version snapshot. Customers running COVENANT before the report ships are inside the audit scope on day one of audit publication.

What if the Q2 2027 commitment slips?

Slippage is documented on the public commitment calendar. The waiver above retires on Type 2 report publication; if that publication slips past Q2 2027, the fund can either (a) extend the waiver in a documented amendment, or (b) terminate the contract under the Q2 2027 milestone exit clause in the standard MSA. Customers do not absorb timeline risk silently.

Can we audit the architectural claims independently before signing the waiver?

Yes. NHN provides a 30-minute architectural briefing call between the fund's CISO, the fund's vendor-management lead, and NHN's technical team. The briefing covers the SOC 2 control-by-control mapping, the deployment model, and the escrow / continuity stack. The call is at no cost and does not require contract execution.

Request The Procurement Bridge Packet

Send a single email and the Interim Security Packet, the SOC 2 Equivalence Document, and the risk-waiver template arrive within one business day:

Email: [email protected]

Subject line: "COVENANT Procurement Bridge Packet Request"