Skip to main content
Your SOC 2 report is confidential. The process is designed around that fact. Three parties may see the report: the extraction pipeline, the vetted assessor who verifies the output, and you. Access is limited to the work required to produce the review.

The order of access

1

The extraction pipeline

The automated pipeline reads the report to extract commitments, cadences, and dependencies. The report is encrypted in transit and at rest.
2

A vetted assessor

A practitioner verifies the extracted output before delivery. Assessors work under written confidentiality obligations and receive only the access needed for the review.
3

You

The finished Commitment Review is sent to you. The review belongs to your team.

The controls around it

  • Mutual NDA before upload. The NDA is accepted before upload is enabled. You receive a copy by email with the acceptance timestamp. The text is public at soc2doc.ai/nda.
  • Separate authorization log. Permission for machine and human analysis is recorded separately, with its own timestamp.
  • Private storage. Reports are encrypted in transit and at rest; stored objects are private and are never rendered publicly.
  • Deletion on request. You can request deletion at no cost. If you need guaranteed secure deletion immediately after delivery, with a signed certificate for your own vendor-risk records, that is the $99 option on the pricing page.
Free reviews may be retained and anonymized to improve the service, as stated in the authorization you give at upload. Deletion remains available at no cost; the $99 option adds a signed certificate.