Security Roadmap
SOC 2 Roadmap
Moneyball does not have a SOC 2 report yet. Getting one is a journey — a road trip, if you will.
This is where we show the route we plan to take, the checkpoints along the way, and where we are on the map right now.
Last Updated: June 17, 2026
-
Checkpoint I
Checkpoint I
Complete
Trust Center Created
Timing: Available now
Every security review starts with the basics: how the product works, what data is involved, who is responsible for what, and where the official documents live.
Moneyball’s Trust Center puts those answers in one place, so reviewers are not piecing together the story from sales decks, email threads, and hopeful assumptions.
-
Checkpoint II
Checkpoint II
Complete
Private Moneyball Run Available
Timing: Available by request
Some teams want to see what Moneyball can find before they are ready to approve a live CRM connection.
Private Moneyball Run gives them an airgapped-style evaluation path: a temporary private instance, an approved export, no live CRM OAuth, and no ongoing sync.
-
Current Checkpoint
Checkpoint III
In Progress
Salesforce AppExchange Security Review
Timing: In review · Target: Q3 2026
Moneyball is going through Salesforce’s AppExchange security review so it can become an approved Salesforce partner/integration.
For Salesforce teams, that is a meaningful vote of confidence. For everyone else, it is still useful third-party scrutiny while the broader SOC 2 journey continues.
-
Checkpoint IV
Checkpoint IV
Next Up
SOC 2 Readiness & Scope
Timing: Target: H2 2026
Before a SOC 2 audit can begin, Moneyball has to define what system is being reviewed and which controls are supposed to protect it.
Readiness work turns “we are working toward SOC 2” into a real plan: scope, risks, controls, gaps, and the work needed before audit.
-
Checkpoint V
Checkpoint V
Planned
Independent Auditor Selected
Timing: Target: H1 2027
SOC 2 is not Moneyball grading its own homework. An independent CPA firm has to perform the examination.
Auditor selection makes the audit path official: who is examining the controls, what they are examining, and when the work begins.
-
Checkpoint VI
Checkpoint VI
Planned
Controls Operating & Evidence Collection
Timing: Target: H1 2027
A SOC 2 report is not built from promises. Moneyball has to show that its security processes are actually being followed.
Evidence answers the practical questions: who had access, what changed, what was reviewed, what was tested, and what happened when something needed attention.
-
Checkpoint VII
Checkpoint VII
Planned
SOC 2 Type I Report
Timing: Target: H2 2027
A Type I report is the auditor saying the controls are suitably designed as of a specific date.
It is the first formal SOC 2 report milestone: a point-in-time review that helps buyers understand whether the security program is designed properly.
-
Checkpoint VIII
Checkpoint VIII
Planned
SOC 2 Type II Observation Period
Timing: Target: H2 2027
Type II goes beyond design. It asks whether Moneyball kept those controls operating over time.
The observation period is where the auditor watches the evidence accumulate instead of merely inspecting the blueprint.
-
Destination
Checkpoint IX
Destination
SOC 2 Type II Report Available
Timing: Target: Late 2027 / Early 2028
A Type II report is the stronger trust artifact many security teams ultimately want to review.
Once issued, it shows that Moneyball’s controls were tested over time and can be shared with qualified customers and prospects under NDA.
The Airgapped Interim Solution
Evaluate Moneyball Before The SOC 2 Report
If your organization cannot approve a live SaaS connection yet, you can still evaluate Moneyball without connecting your CRM. The Private Moneyball Run uses approved exports, a temporary private instance, no live CRM OAuth, and no ongoing CRM sync.