SOC 2 Readiness

SOC 2 readiness for AI agent deployments.

Cyndra is committed to achieving SOC 2 Type II compliance and follows the AICPA's Trust Services Criteria today across all production systems. We're actively working toward formal certification, with the audit window opening in late 2026. In the interim, we operate against the same controls a Type II audit would test, and we can share our current controls matrix with prospects under NDA.

Talk to our security teamTrust Center

This page is meant to give procurement, security, and compliance teams enough detail to clear Cyndra through a typical vendor review. If you need a specific control mapping, a sub-processor list, a signed DPA, or our incident-response runbook, email security@cyndra.ai.

Trust Service Criteria

Trust Service Criteria, mapped to AI agents

AI agents introduce a few risk categories that don't show up in a traditional SOC 2 scope (tool invocation, prompt injection, autonomous action). Here's how we treat each criterion in the context of agent deployments:

Security

Encryption in transit (TLS 1.3) and at rest (AES-256). SSO + SAML for enterprise. Role-based access with principle of least privilege. Automated vulnerability scanning, regular penetration testing, and bug bounty intake.

Availability

99.95% uptime SLA on enterprise contracts. Redundant infrastructure across availability zones. Documented disaster recovery plan with RTO/RPO targets per workload tier.

Confidentiality

Data classified and protected based on sensitivity. Organization-level access isolation. Customer data segregated by tenant ID. Sub-processors bound by DPAs that mirror our customer obligations.

Processing Integrity

Every AI agent action is logged with input, output, tools invoked, and the user who triggered it. High-stakes actions route to human approval before execution. Replayable audit trail for compliance review.

Privacy

PII is minimized by default. AI agents operate on scoped tool credentials, never on raw customer data dumps. Customer data is not used to train shared models without explicit opt-in.

Security Measures

The controls we operate against today.

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Customer secrets stored in HashiCorp Vault with per-tenant encryption keys.

Access Control

Role-based access with principle of least privilege. SSO + SAML for enterprise. Audit log of every privileged access event. Annual access reviews.

Monitoring

24/7 security monitoring with automated alerting. Anomalous-access detection on credential vaults. Daily review of failed-authentication patterns.

Audit Logging

Immutable audit trails for all agent actions, tool calls, and admin operations. Logs retained 12 months by default, longer on enterprise plans.

Vulnerability Management

Quarterly penetration testing by an independent firm. Automated CVE scanning of all dependencies. SLAs on critical CVEs measured in hours.

Incident Response

Documented incident response plan with defined escalation procedures. Customers notified within 72 hours of any confirmed data incident.

Vendor Management

All sub-processors vetted for SOC 2 / ISO 27001 compliance. DPAs signed with every sub-processor. Sub-processor list available on request.

Business Continuity

Redundant infrastructure across availability zones. Daily encrypted backups. Quarterly DR tabletop exercises and at least one full failover drill per year.

Governance

How agent risk is governed.

Human-in-the-Loop Controls

Cyndra agents operate with scoped, least-privilege credentials. High-stakes actions, anything that sends external communication, moves money, or changes production records, route to a named human approver inside the channel (Slack, Teams, email) before they execute. Approval thresholds are configurable per agent and per tool, and the audit log captures the approver, the timestamp, and the resulting tool call.

Sub-processors

Cyndra uses a small set of vetted sub-processors for hosting, telemetry, communications, and model inference. Every sub-processor is bound by a DPA that mirrors our customer obligations. The complete list is available on request to enterprise prospects under NDA.

Compliance Status

We're working toward SOC 2 Type II certification with an audit partner. Type I is targeted for mid-2026; Type II requires a 6 to 12 month observation window. For prospects requiring formal attestation now, we maintain a controls matrix mapping to SOC 2, ISO 27001, and HIPAA Security Rule equivalents that we can share under NDA.

Contact

Security questions, DPA requests, sub-processor list, controls matrix: security@cyndra.ai. Vulnerability reports are routed to the same address and acknowledged within 24 hours.

Security Review

Need a control mapping
or a signed DPA?

Email security@cyndra.ai for our current controls matrix, sub-processor list, or incident-response runbook. We can usually clear a vendor review in 30 minutes.

Talk to our security teamTrust Center
Controls matrix under NDA 24h vuln response