Compliance Posture · SOC2 + sub-vendor risk
How CMG handles owner data, staff access, vendor data flows, and audit-grade evidence. Mapped to SOC2 Trust Services Criteria. Annual SOC2 Type II expected Q4 2026; today's posture supports it.
94% · Controls passing
3 · Action items · Q2
22 · Sub-processors tracked
$0 · Privacy incidents YTD
Q4 '26 · SOC2 Type II target
Framework alignment

| Framework | Status | Notes |
|---|---|---|
| SOC2 Trust Services | 94% | 42 of 45 controls passing |
| FL Stat §718.111(12) | 100% | Records-request workflow + audit-log |
| NIST CSF | 88% | Identify · Protect · Detect · Respond · Recover |
| HIPAA-adjacent | n/a | Not in scope · ADA medical letters limited |
| PCI-DSS | SAQ-A | No card data stored · payment processor |
| FL §501.171 (data breach) | aware | Compliant · breach response in BCP |
| CCPA / GDPR | n/a | Tallahassee operations · honor requests if asked |
| TCPA · 10DLC | 100% | Twilio brand registered · STOP honored |
SOC2 control inventory

| ID | Control | Evidence source | Last test | Status |
|---|---|---|---|---|
| CC1.1 | Code of conduct & ethics · staff acknowledgments captured annually | Employee handbook · e-sign center | Apr 2026 | pass |
| CC2.1 | Communications · roles + responsibilities · documented & live | Skill matrix · Coaching · Wiki | Apr 2026 | pass |
| CC5.2 | Risk assessment · annual · including sub-vendor risk | Strategic plan risk register | Mar 2026 | pass |
| CC6.1 | Logical access · least privilege + review | Cloudflare Access SSO + quarterly access review | Apr 2026 | pass |
| CC6.2 | User access provisioned + removed · move-out auto-revoke proven | Access mgmt module · audit log | Apr 2026 | pass |
| CC6.3 | Multi-factor auth · all staff · hardware keys | YubiKey + Cloudflare Access | Apr 2026 | pass |
| CC6.7 | Encryption in transit + at rest | TLS 1.3 · AES-256 S3 · Cloudflare | Continuous | pass |
| CC7.2 | Detection of anomalies · DQ monitor + Drive audit + tip line | AppFolio DQ · Drive activity | Continuous | pass |
| CC7.3 | Incident response procedures · need formal IR exercise this quarter | BCP · Emergency tree · Tip line | Sep 2025 | due Q3 '26 |
| CC8.1 | Change management · platform deploys logged | Wrangler logs · Drive audit | Continuous | pass |
| CC9.1 | Business continuity / DR plan · annual drill | BCP module · drill log | Mar 2026 | pass |
| CC9.2 | Vendor risk management · sub-processor inventory + DPAs | Sub-vendor inventory below | Apr 2026 | 3 DPAs to refresh |
| A1.1 | Availability monitoring · uptime + alerting | Cloudflare Analytics · status page | Continuous | pass |
| C1.1 | Confidential info protection · DLP + Drive guardrails | Drive activity audit · DLP rules | Continuous | pass |
| P1.1 | Privacy notice + consent · owner-portal disclosure refresh | Welcome packet · portal terms | Mar 2025 | refresh due Q3 |
Sub-processor inventory · 22 vendors with data flow

| Vendor | Purpose | Data type | DPA | SOC2 | Risk |
|---|---|---|---|---|---|
| AppFolio | Property mgmt system of record | Owner PII · ledger | ✓ 2024 | ✓ Type II | low |
| Cloudflare | Hosting · Access SSO · Stream | All | ✓ 2024 | ✓ Type II | low |
| AWS S3 | Backup + redaction storage | All | ✓ 2023 | ✓ Type II | low |
| Twilio | SMS · 10DLC brand | Phone numbers · message body | ✓ 2024 | ✓ Type II | low |
| Resend | Transactional email | Email · message body | ✓ 2024 | ✓ Type II | low |
| Plaid | Bank reconciliation | Bank metadata (no creds) | ✓ 2024 | ✓ Type II | low |
| Carr Riggs & Ingram (CPA) | Annual audit · tax | Financial · staff PII | ✓ engagement letter | — | low |
| Anderson Givens & Fredericks (AGF) | Legal counsel | Owner · case · personnel | ✓ engagement | — | low |
| Sterling Insurance | Broker · cyber endorsement | Property · insurance metadata | ✓ 2025 | — | low |
| Page-per-Page | Mailing service | Owner addresses · letter content | ✓ 2024 | — | med |
| Luxer One | Package locker (PT) | Resident name · package metadata | ✓ 2023 | ✓ Type II | low |
| HID Origo | Access control | Credential metadata · access events | ✓ 2025 | ✓ Type II | low |
| Anderson Linguistics | Translation services | Document content (no PII normally) | refresh | — | refresh DPA |
| Tran Linguistics | Vietnamese translation | Document content | refresh | — | refresh DPA |
| Whitestone PLLC (closing attorneys) | Estoppel coordination · outside counsel | Owner · closing | refresh | — | refresh DPA |
| + 7 lower-risk vendors | Various | Limited or no PII | ✓ all current | varies | low |
Q2 action items
CC7.3 · Incident response live exercise
Last tabletop was Sep 2025; Q3 needs a live IR exercise (simulated phishing or credential stuffing). Schedule for the week of Aug 11.
CC9.2 · Refresh 3 DPAs
Anderson + Tran Linguistics · Whitestone PLLC. New CMG standard DPA template; annual refresh cycle aligned to engagement-letter renewal.
P1.1 · Privacy notice refresh
Owner-portal terms last updated Mar 2025 — predates several new modules (livestream watermark · package locker · social monitor). Q3 refresh.
Why this exists
Property management is a quiet B2B services business until something goes wrong. When boards, auditors, DBPR, or insurance carriers ask "show us your controls," we have evidence. The SOC2 Type II push isn't because owners ask — it's because better-governed associations attract better-governed boards.
References
AICPA SOC2 Trust Services Criteria · NIST Cybersecurity Framework · FL §501.171 data breach · TCPA + 10DLC · Anderson Givens & Fredericks engagement.