SOC 2 Type II: what it means and why we did it

SOC 2 Type II is how SaaS vendors prove — with independent audit evidence — that they protect customer data over time. Here's what ours means for you.

Written By Catherine Weir

If you're evaluating a software vendor and your security team hands you a questionnaire to send back, one of the first questions will be: "Are you SOC 2 Type II certified?" If the answer is no, the conversation usually stops there.

SOC 2 Type II is the most widely recognized security standard for software-as-a-service companies. When a SaaS vendor says they're SOC 2 compliant, it means an independent auditor has spent months examining how the company handles customer data and has issued a report confirming the controls work as described.

What SOC 2 actually is

SOC 2 stands for Service Organization Control 2. It's a framework created by the American Institute of Certified Public Accountants (AICPA) in 2010 to standardize how service organizations report on the controls they have in place to protect customer data.

SOC 2 evaluates five "Trust Services Criteria":

  • Security — how we protect systems and data from unauthorized access, disclosure, or tampering

  • Availability — how we make sure the platform is up and usable when you need it

  • Processing Integrity — how we make sure the system processes data completely and accurately

  • Confidentiality — how we protect information that's been designated as confidential

  • Privacy — how we handle personal information throughout its lifecycle

We are audited against all five criteria. Some vendors only include Security (the minimum); we chose to include every criterion because voice AI touches all of them.

Type I vs Type II — why the distinction matters

There are two kinds of SOC 2 reports.

A Type I report is a point-in-time snapshot. The auditor looks at your controls on a single day and says, "yes, these controls appear to be designed appropriately." It's better than nothing, but it's not very meaningful: you could have written the controls the day before the audit.

A Type II report is an observation over time. The auditor watches how your controls actually operate across a period of at least six months, tests them with real evidence, and confirms they worked continuously during the observation window.

Type II is the report that actually demonstrates you run a real, ongoing security program. That's the one we have.

What our audit covers

Our SOC 2 Type II audit covers every system and process that touches customer data, including:

  • How we provision and de-provision employee access to production systems

  • How we encrypt call recordings, transcripts, and customer data both at rest and in transit

  • How we monitor for unauthorized access attempts and respond to security incidents

  • How we back up your data and test our ability to recover it

  • How our vendors (including our carriers and AI model providers) are vetted and monitored

  • How we train our engineers to build and deploy code securely

  • How we handle vulnerability disclosures and security patches

The full report runs dozens of pages and describes the specific tests the auditor performed, along with the results. Your security team will probably want to read it end-to-end during a vendor review.

Why an AI voice platform specifically needs this

Voice AI is an unusual category. Our platform is simultaneously a telecommunications service, a cloud software application, a data processor, and a machine learning system. Customer data moves through all four layers in every single call.

A rigorous SOC 2 Type II is the baseline that lets us demonstrate to enterprise buyers, procurement teams, and our customers' own customers that every layer is controlled. Without it, we'd be stuck at the starting line of every enterprise sales cycle.

What this means for you

  • You can hand our SOC 2 report to your own security team, your customers, your insurance carrier, or anyone who asks whether you've properly vetted your vendors

  • You can answer "is your AI vendor SOC 2 certified?" with yes — and provide the evidence

  • You know that our controls aren't marketing claims — they've been observed and tested over months

  • You benefit from the ongoing nature of the audit — we can't let controls slip because we'd fail our next audit

Requesting our SOC 2 Type II report

Because the report contains detailed information about our security controls, we share it under a standard mutual non-disclosure agreement. This is the same practice followed by every major SaaS company.

Visit our Trust Center at trust.365agents.com and request the report. You'll receive an NDA to sign electronically, and once signed, the current report is delivered to you within minutes. We reissue the report annually after each new audit cycle, so you always have the most recent observation period.

Who performed our audit

Our SOC 2 Type II audit is performed by a licensed, independent CPA firm that specializes in technology company audits. Their name and licensing details are on the cover page of the report. We do not perform our own audit, and we do not use an auditor who has any business relationship with us other than performing the audit.