Security · verified
SOC 2 Type II compliant. ISO 27001 in progress.
Audit completed January 2026 covering the SOCPilot SaaS multi-tenant production environment. Stage 2 ISO 27001 audit scheduled August 2026. Annual penetration test conducted by Kestrel Cyber in November 2025.
Compliance posture
- SOC 2 Type II compliant. Audit completed January 2026. Scope: SOCPilot SaaS multi-tenant production environment.
- ISO 27001 in progress. Stage 2 audit scheduled August 2026.
- Penetration test. Annual test conducted by Kestrel Cyber, November 2025.
Read-only · MFA required · Kill switch
Authority boundaries
What SOCPilot does automatically. What requires a human.
Control 01
Human approval for high-impact actions
SOCPilot automates investigation. Humans authorize impact.
- Automatic: entity correlation, timeline sequencing, evidence collection, brief generation.
- Human approval required: escalating to Critical status.
- Human approval required: updating downstream tickets in Jira / ServiceNow.
- Human approval required: final case closure.
Control 02
Read-only defaults
Every integration begins read-only.
- Write scopes require Tenant Admin opt-in per integration.
- Mode is auditable and reversible.
Control 03
Immutable audit logs
Every Approve / Reject / Edit action recorded.
- Retained 180 days.
- Per-actor and per-role attribution.
- Exportable for auditor review.
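The enforcement model behind Controls 01 to 03, as an added example and not SOCPilot's own code: an action gate that runs investigation steps unattended, parks high-impact actions until a human with an edit-capable role approves them, refuses external writes while the connector is still read-only, and records every decision in an append-only log. It assumes a hash-chained log as the mechanism behind "immutable" (the page states the property, not the implementation), assumes that Tenant Admin, Security Engineer and SOC Analyst may approve while Executive cannot, and uses illustrative action, connector and user names that are not an API.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Control 01: unattended steps vs. steps that wait for a human. Names are
# illustrative (assumption); the page lists categories, not an API.
AUTOMATIC = {"correlate_entities", "sequence_timeline", "collect_evidence", "generate_brief"}
NEEDS_APPROVAL = {"escalate_critical", "update_ticket", "close_case"}
# Approved actions that also write to a source system, keyed to the connector
# that must be in write mode (Control 02).
WRITES_TO = {"update_ticket": "jira"}
# Assumption: roles with edit rights may approve; Executive is read-only.
APPROVER_ROLES = {"Tenant Admin", "Security Engineer", "SOC Analyst"}


@dataclass
class Integration:
    name: str
    write_enabled: bool = False      # Control 02: every connector starts read-only
    enabled_by: Optional[str] = None


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash
    (assumed mechanism for Control 03's 'immutable')."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, role, action, decision, case_id):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": time.time(), "actor": actor, "role": role, "action": action,
                 "decision": decision, "case": case_id, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True iff no entry was altered, removed or reordered after append."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AuthorityGate:
    def __init__(self, integrations, log):
        self.integrations = {i.name: i for i in integrations}
        self.log = log

    def set_write_mode(self, connector, enabled, actor, role):
        # Control 02: only a Tenant Admin flips a connector to write mode, and
        # the flip itself is logged so the mode is auditable and reversible.
        if role != "Tenant Admin":
            self.log.append(actor, role, f"write_mode:{connector}", "rejected:role", None)
            return False
        self.integrations[connector].write_enabled = enabled
        self.integrations[connector].enabled_by = actor if enabled else None
        self.log.append(actor, role, f"write_mode:{connector}", "enabled" if enabled else "disabled", None)
        return True

    def execute(self, action, case_id, approved_by=None, approver_role=None):
        if action in AUTOMATIC:
            self.log.append("socpilot", "system", action, "auto", case_id)
            return "executed"
        if action not in NEEDS_APPROVAL:
            raise ValueError(f"unknown action {action!r}")
        if approved_by is None:                      # drafted, parked for a human
            self.log.append("socpilot", "system", action, "pending", case_id)
            return "pending_approval"
        if approver_role not in APPROVER_ROLES:
            self.log.append(approved_by, approver_role, action, "rejected:role", case_id)
            return "rejected"
        target = WRITES_TO.get(action)
        if target and not self.integrations[target].write_enabled:
            self.log.append(approved_by, approver_role, action, "rejected:read-only", case_id)
            return "rejected"
        self.log.append(approved_by, approver_role, action, "approved", case_id)
        return "executed"


def run_scenario():
    """Constructed walk-through (not real data); returns decisions and the log."""
    log = AuditLog()
    gate = AuthorityGate([Integration("jira"), Integration("servicenow")], log)
    r = {}
    r["auto"] = gate.execute("correlate_entities", "case-1")
    r["no_approval"] = gate.execute("escalate_critical", "case-1")
    r["exec_approves"] = gate.execute("escalate_critical", "case-1", "e.reyes", "Executive")
    r["analyst_approves"] = gate.execute("escalate_critical", "case-1", "j.park", "SOC Analyst")
    r["ticket_read_only"] = gate.execute("update_ticket", "case-1", "j.park", "SOC Analyst")
    r["analyst_opt_in"] = gate.set_write_mode("jira", True, "j.park", "SOC Analyst")
    r["admin_opt_in"] = gate.set_write_mode("jira", True, "t.okafor", "Tenant Admin")
    r["ticket_after_opt_in"] = gate.execute("update_ticket", "case-1", "j.park", "SOC Analyst")
    return r, log


if __name__ == "__main__":
    results, log = run_scenario()
    print(results, "chain intact:", log.verify())
    log.entries[3]["actor"] = "mallory"              # simulate an after-the-fact edit
    print("after tampering, chain intact:", log.verify())
```

Rejections are logged with the attempted approver's identity and role, which is what per-actor attribution is for: the record shows who tried to push a read-only connector to write, not only who succeeded. A hash chain only detects tampering; to make it evidence for an auditor, the head hash still has to be anchored somewhere the tenant cannot rewrite.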
Control 04
Least-privilege integrations
Each connector documents and minimizes scope.
- Per-connector permission manifest.
- Rotatable, encrypted credentials.
- One-click revoke at the source system.
Control 05
Evidence-linked reasoning
Every recommendation cites the log line it relied on.
- No black-box verdicts.
- Per-signal confidence weights.
- AI outputs are drafts until a human approves.
Control 06
Role-based access control
Five roles, enforced at the database.
- Platform Admin, Tenant Admin, Security Engineer.
- SOC Analyst (Read / Edit).
- Executive (Read-only).
- SAML 2.0 and OIDC supported.
- MFA mandatory for Admin and Engineer roles.
Cryptography & infrastructure
Verified controls.
- TLS 1.3 in transit.
- AES-256 at rest via AWS KMS.
- US-East-1 default residency; EU-Central-1 for EMEA.
- Subprocessors: AWS, Pinecone, Anthropic (private API).
Data retention
Windows are explicit and enforced.
- Raw telemetry: 30 days.
- Investigation narratives: 90 days.
- Executive briefs & compliance packs: 365 days.
- Deletion: automated hard delete at retention expiry; manual purge available via API.
AI / model policy
Contextual enrichment only, unless a Tenant Admin opts in.
By default, customer telemetry is used for contextual enrichment only and is not used to train underlying LLM/ML models. Training use is opt-in only and requires the Tenant Admin to enable Global Intelligence.
Trust Center
Need our SOC 2 Type II report, DPA, or pen-test summary?
Documents available under NDA. Same-business-day response on security requests.
Request documentation (SOC 2 Type II report, DPA, pen-test summary, subprocessor list) or report a vulnerability; we run a coordinated disclosure program.
For active vulnerability disclosure, also email security@socpilot.co with details.