SOC 2 Readiness for AI Agent Deployments
Last updated: May 16, 2026
Overview
Cyndra is committed to achieving SOC 2 Type II compliance and follows the AICPA's Trust Services Criteria today across all production systems. We're actively working toward formal certification, with the audit window opening in late 2026. In the interim, we operate against the same controls a Type II audit would test, and we'll share our Type I report with prospects under NDA.
This page is meant to give procurement, security, and compliance teams enough detail to clear Cyndra through a typical vendor review. If you need a specific control mapping, a sub-processor list, a signed DPA, or our incident-response runbook, email security@cyndra.ai.
Trust Service Criteria, mapped to AI agents
AI agents introduce a few risk categories that don't show up in a traditional SOC 2 scope (tool invocation, prompt injection, autonomous action). Here's how we treat each criterion in the context of agent deployments:
Security
Encryption in transit (TLS 1.3) and at rest (AES-256). SSO + SAML for enterprise. Role-based access with principle of least privilege. Automated vulnerability scanning, regular penetration testing, and bug bounty intake.
Availability
99.95% uptime SLA on enterprise contracts. Redundant infrastructure across availability zones. Documented disaster recovery plan with RTO/RPO targets per workload tier.
Confidentiality
Data classified and protected based on sensitivity. Organization-level access isolation. Customer data segregated by tenant ID. Sub-processors bound by DPAs that mirror our customer obligations.
Processing Integrity
Every AI agent action is logged with input, output, tools invoked, and the user who triggered it. High-stakes actions route to human approval before execution. Replayable audit trail for compliance review.
Privacy
PII is minimized by default. AI agents operate on scoped tool credentials, never on raw customer data dumps. Customer data is not used to train shared models without explicit opt-in.
Security Measures
Encryption
All data encrypted in transit (TLS 1.3) and at rest (AES-256). Customer secrets stored in HashiCorp Vault with per-tenant encryption keys.
Access Control
Role-based access with principle of least privilege. SSO + SAML for enterprise. Audit log of every privileged access event. Annual access reviews.
Monitoring
24/7 security monitoring with automated alerting. Anomalous-access detection on credential vaults. Daily review of failed-authentication patterns.
Audit Logging
Immutable audit trails for all agent actions, tool calls, and admin operations. Logs retained 12 months by default, longer on enterprise plans.
Vulnerability Management
Quarterly penetration testing by an independent firm. Automated CVE scanning of all dependencies. SLAs on critical CVEs measured in hours.
Incident Response
Documented incident response plan with defined escalation procedures. Customers notified within 72 hours of any confirmed data incident.
Vendor Management
All sub-processors vetted for SOC 2 / ISO 27001 compliance. DPAs signed with every sub-processor. Sub-processor list available on request.
Business Continuity
Redundant infrastructure across availability zones. Daily encrypted backups. Quarterly DR tabletop exercises and at least one full failover drill per year.
Human-in-the-Loop Controls
Cyndra agents operate with scoped, least-privilege credentials. High-stakes actions, anything that sends external communication, moves money, or changes production records, route to a named human approver inside the channel (Slack, Teams, email) before they execute. Approval thresholds are configurable per agent and per tool, and the audit log captures the approver, the timestamp, and the resulting tool call.
Sub-processors
Cyndra uses a small set of vetted sub-processors for hosting, telemetry, communications, and model inference. Every sub-processor is bound by a DPA that mirrors our customer obligations. The complete list is available on request to enterprise prospects under NDA.
Compliance Status
We're working toward SOC 2 Type II certification with an audit partner. Type I is targeted for mid-2026; Type II requires a 6 to 12 month observation window. For prospects requiring formal attestation now, we maintain a controls matrix mapping to SOC 2, ISO 27001, and HIPAA Security Rule equivalents that we can share under NDA.
Contact
Security questions, DPA requests, sub-processor list, controls matrix: security@cyndra.ai. Vulnerability reports are routed to the same address and acknowledged within 24 hours.