Who this is for
Procurement, IT, and compliance teams often ask for the same bundle: SOC 2 (or equivalent assurance), recent penetration testing, and a current subprocessor list. This page states what we publish publicly, what we share under NDA, and how to request artifacts for diligence.
SOC 2 and assurance
We do not host a public SOC 2 Type II report on this site. Depending on engagement stage, we share our security control posture, roadmap, and — when applicable — auditor reports or comparable assurance materials under a mutual non-disclosure agreement for qualified opportunities.
If your questionnaire asks for a specific framework (SOC 2, ISO 27001, HIPAA-aligned controls), reference your timeline when you email us so we can match the right packet.
Penetration testing
We run third-party penetration tests on environments that handle customer workloads as part of our security program. Executive summaries, scope, and remediation status for material findings are available under NDA; we do not publish full reports on the public web.
Subprocessors
Deliveries typically involve cloud hosting, model APIs, telephony or SMS, email, and integrations with your existing SaaS. We maintain a dated subprocessor list with roles, purposes, and (where relevant) region notes, available to active customers and for diligence. The list is provided under NDA when it includes vendor-specific detail beyond high-level categories.
High-level categories (without a per-vendor schedule) are also covered in our Data handling & security overview.
Questionnaires and DPAs
We complete SIG Lite / CAIQ-style questionnaires and architecture reviews under NDA. Data Processing Agreements (DPAs) and, where required, Business Associate Agreements (BAAs) are provided when your engagement and regulatory posture require them; this page does not replace them.
Related documents
- Data handling & security — RAG, PII, retention, encryption, incidents
- Privacy Policy
- Terms of Service