- A description of what the company claims to do
- A statement that the description is complete and accurate
- Auditor's testing procedure for verifying the company's claims
- The results of the testing
- The auditor's overall conclusion as to whether the company meets the bar for SOC2.
Trust Report seems to only cover the first point.
What is your experience with cryptographic engineering, in particular avoiding common implementation pitfalls that bite first-time implementers of cryptographic primitives?
Are the primitives tested against Wycheproof vectors, and proofed against the common implementation mistakes they document?