SOC 2 Compliance

UltimateIntel maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy through independently verified controls that operate effectively over time. This page provides details on our SOC 2 program and what it means for your data.

Trust Service Criteria

Our SOC 2 Type II certification covers all five Trust Service Criteria defined by the American Institute of CPAs (AICPA).

Security: We implement comprehensive access controls including JWT authentication, role-based permissions, and row-level security at the database level. Encryption protects data at rest (AES-256) and in transit (TLS 1.3). Continuous monitoring with automated alerting detects and responds to security events in real time. Vulnerability management includes regular scanning and patch management with defined SLAs for remediation.

Availability: We maintain a 99.9 percent uptime SLA with redundant infrastructure across multiple Google Cloud availability zones. Auto-scaling on Cloud Run ensures capacity meets demand. Health checks and circuit breakers prevent cascading failures. Disaster recovery procedures are documented and tested quarterly with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Processing Integrity: Data validation occurs at every stage of the processing pipeline. Input validation using Zod schemas ensures data conforms to expected formats. Reconciliation checks verify data completeness after sync operations. Idempotent processing prevents duplicate operations. Comprehensive audit trails track every data transformation from ingestion to delivery.

Confidentiality: Tenant isolation is enforced at every layer including network (VPC), application (middleware), and database (RLS). Encryption keys are managed per-tenant with access restricted to authorized services. Data classification policies define handling requirements for each data category. Access to production systems requires multi-factor authentication and is logged.

Privacy: GDPR-compliant data handling with automated DSAR processing ensures privacy obligations are met. PII filtering removes sensitive data before AI processing. Data retention policies are enforced automatically. Crypto-shredding provides verifiable permanent deletion. Privacy Impact Assessments are conducted before introducing new processing activities.

Control Categories

Our SOC 2 control framework is organized into the following categories.

Access Control: 23 controls governing authentication, authorization, and access management.
Change Management: 15 controls covering code review, testing, and deployment procedures.
Risk Assessment: 12 controls for identifying, evaluating, and mitigating risks.
Monitoring: 18 controls for logging, alerting, and incident detection.
Incident Response: 10 controls defining response procedures and escalation paths.
Vendor Management: 8 controls governing sub-processor selection and oversight.

Evidence Collection

We maintain continuous evidence collection rather than periodic document gathering. Automated tooling captures control evidence including access reviews, configuration snapshots, deployment records, vulnerability scan results, and incident response timelines. This approach reduces audit preparation burden and ensures evidence is always current.

Continuous Monitoring

Rather than point-in-time compliance assessments, we maintain continuous monitoring across all control objectives. Real-time dashboards track control effectiveness. Automated tests verify security configurations daily. Deviations trigger immediate alerts to our compliance team. This approach ensures we maintain compliance at all times, not just during audit windows.

Audit Frequency

We undergo annual SOC 2 Type II audits conducted by qualified independent auditors. The audit period covers a full 12-month observation window. Interim assessments may be conducted for material changes to our infrastructure or control environment. SOC 2 Type II audit reports are available to Enterprise and Strategic plan customers under NDA. Contact us through our support form to request access.