# Compliance Readiness

## Public claim

Cithorum is **SOC 2 operationally compliant**. The public language should use that exact phrase for SOC 2 and avoid substituting hedged variants.

## Safe wording

- SOC 2 operationally compliant.
- ISO 27001 framework operational via continuous control monitoring.
- FIPS-140/2 compliant. FIPS-140/3 CMVP submission Q3 2026; expected completion Q3 2027.
- DPDP Act 2023-ready residency and access-control posture.
- CERT-In incident logging and response workflow planned into operating controls.
- PCI-DSS, HIPAA, RBI, and other regulated patterns supported by deployment design where applicable.

## Avoid

- "SOC 2 compliant"
- "SOC 2 control-readiness in progress"
- "ISO 27001 operationally compliant"
- "FIPS-140/3 certified"
- "production-ready for classified environments"

## Buyer posture

For tenders and enterprise diligence, use the detailed control matrix and legal working documents in the served library. Keep legal/entity placeholders clearly marked as drafts; do not let draft control language read as a formal attestation.
