AskVault SOC 2 Type II posture
What "SOC 2 Type II" means
SOC 2 is the standard third-party audit framework for SaaS security. Type II means the auditor verified controls held consistently over a defined observation window (typically 6 to 12 months), not just on a single day. It's the version enterprise procurement teams ask for by default.
The audit covers five Trust Service Criteria categories:
- Security. Encryption, access controls, audit logs, vulnerability management.
- Availability. Uptime commitments, disaster recovery, monitoring.
- Confidentiality. Data classification, retention, secure disposal.
- Processing integrity. System processing is complete and accurate.
- Privacy. Personal data handling under applicable law.
Most B2B SaaS audits cover Security plus Availability and Confidentiality. AskVault's audit scope is Security, Availability, and Confidentiality.
Three layers of SOC 2 coverage
AskVault's posture has three layers, each at a different stage.
Layer 1: infrastructure (certified today)
AskVault runs on SOC 2 Type II certified providers across three sub-layers:
- Database and vector storage. SOC 2 Type II certified managed Postgres provider. Audit reports available under NDA via your AskVault Account Manager.
- Application compute. SOC 2 Type II certified hosting provider. Horizontally scaled across multiple machines in the primary region.
- Edge, DDoS, WAF, and DNS. SOC 2 Type II plus ISO 27001 certified edge provider.
For procurement teams: AskVault inherits the SOC 2 controls of these providers for the infrastructure layer. Their audit reports satisfy the relevant criteria.
Layer 2: application (audit in progress)
The AskVault application layer is undergoing its own SOC 2 Type II audit, separate from the infrastructure layer. Scope: Security, Availability, Confidentiality.
Application-level controls being audited:
- Multi-tenant data isolation (per-workspace partitioning).
- Authentication and authorization (JWT, API keys, OAuth).
- Audit logging (immutable, append-only, 365-day retention).
- Encryption-at-rest enforcement on application data paths.
- Vulnerability management (annual third-party penetration test).
- Incident response runbook execution.
- Vendor management for sub-processors.
- Change management (code review, deployment controls).
Status visible to customers under Dashboard > Settings > Legal > SOC 2 Status. Letter of attestation available to procurement teams under NDA. Contact security@askvault.co.
Layer 3: customer's deployment
Your specific deployment of AskVault on top of our SOC 2 certified infrastructure inherits the SOC 2 controls described above. For your own compliance program, you'd typically:
- Reference AskVault's SOC 2 attestation in your vendor management records.
- Sign the AskVault Data Processing Agreement.
- Configure your workspace for your specific data sensitivity (audience tags, identity verification).
Customer-side audit support
Three resources for customers running their own compliance audit:
- Letter of attestation. Confirms AskVault's SOC 2 Type II posture. Available under NDA.
- Sub-processor list. Updated when sub-processors change, with 30-day advance notice per the DPA. See the sub-processor page.
- Penetration test summary. Annual third-party penetration test results. Findings, remediations, re-test results. Available under NDA.
These three plus our standard DPA satisfy most B2B vendor-due-diligence questionnaires.
Encryption controls
Encryption at rest and in transit are core to the SOC 2 Security criterion.
- At rest. AES-256 on every storage layer (database, cache, queue). Keys are managed by our SOC 2 Type II certified storage provider and rotated independently of AskVault.
- In transit. TLS 1.3 (TLS 1.2 minimum). No SSLv3 or TLS 1.0/1.1.
- Internal traffic. Application worker to database traffic flows over private TLS-encrypted tunnels.
- API keys. Stored as SHA-256 hashes only; raw keys are never recoverable after generation.
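The API-key control above (store only a SHA-256 digest, never the raw key) is the one piece of this page a practitioner can reproduce directly. The following Python is an added illustration, not AskVault's own code: the key format, the in-memory store and the function names are assumptions. It shows issuance (the raw key is returned once and only its digest is kept), constant-time verification against the stored digest, and revocation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory store for the example: key id -> hex SHA-256 of the raw key.
# A real service would keep this row in the database; the raw key is never written.
_KEY_STORE: Dict[str, str] = {}


def _digest(raw_key: str) -> str:
    """SHA-256 of the raw key, hex-encoded. Only this value is ever persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key() -> Tuple[str, str]:
    """Generate a key, persist its digest, and return (key_id, raw_key).

    The raw key is shown to the caller exactly once; the server keeps no copy,
    so a database leak exposes digests, not usable credentials.
    Key format (assumed for this example): ak_<key_id>_<random>.
    """
    key_id = secrets.token_hex(8)           # hex, so it never contains "_"
    raw_key = f"ak_{key_id}_{secrets.token_urlsafe(32)}"
    _KEY_STORE[key_id] = _digest(raw_key)
    return key_id, raw_key


def verify_api_key(presented: str) -> Optional[str]:
    """Return the key id when the presented key matches a stored digest, else None."""
    parts = presented.split("_", 2)         # maxsplit keeps "_" inside the random part intact
    if len(parts) != 3 or parts[0] != "ak":
        return None
    key_id = parts[1]
    stored = _KEY_STORE.get(key_id)
    if stored is None:
        return None
    # Constant-time comparison so a wrong key cannot be distinguished by timing.
    if hmac.compare_digest(stored, _digest(presented)):
        return key_id
    return None


def revoke_api_key(key_id: str) -> bool:
    """Delete the digest; the raw key stops working immediately."""
    return _KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    kid, raw = issue_api_key()
    print("issued", kid, "digest", _KEY_STORE[kid][:16] + "...")
    print("verify ok:", verify_api_key(raw) == kid)
    print("verify tampered:", verify_api_key(raw[:-1] + "x") is None)
```

The digest is unsalted because the key itself is high-entropy random output; salting matters for low-entropy secrets such as passwords, where a hash alone does not stop offline guessing.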
Access control
Three controls govern access to the AskVault application:
- Customer side. Role-based access controls limit which team members can do what. Owner, Admin, Member, Support, Viewer roles. SSO/SAML available on Enterprise.
- AskVault side. Production access by AskVault employees is restricted to a small on-call rotation. Just-in-time access with audit log. No standing production access by anyone except the on-call engineer.
- Audit log. Every state-changing action is logged with the acting user, timestamp, and affected resource. Append-only. Retained 365 days on standard plans, 6 years on Enterprise.
Availability controls
The Availability criterion covers uptime and disaster recovery:
- Uptime SLA. 99.5% on Starter and Growth, 99.9% on Business, 99.95% on Enterprise. See the SLA breakdown.
- Backups. Daily full backups plus continuous WAL streaming. Restore tested quarterly.
- Failover. Database failover automated; recovery time under 5 minutes for typical failures.
- DDoS protection. Edge provider has standing DDoS mitigation; no customer action required.
Confidentiality controls
The Confidentiality criterion covers data classification and handling:
- Data classification. Customer data is classified as Confidential by default. PHI is classified as Restricted and requires a HIPAA workspace.
- Retention. Customer data is deleted within 60 minutes of a written request. Backups are purged within 30 days.
- Secure disposal. Decommissioned storage is wiped per provider's certified disposal process.
Pen testing and vulnerability disclosure
AskVault contracts annual third-party penetration tests by a CREST-certified security firm. The most recent test covered: API authentication, multi-tenant isolation, injection attacks, XSS, CSRF, session management, file-upload handling, DoS resilience.
Vulnerability disclosure policy published at askvault.co/security. Reports go to security@askvault.co. We respond within 1 business day and credit researchers.
Continuous monitoring
SOC 2 Type II requires ongoing control effectiveness. AskVault's continuous monitoring includes:
- Daily automated security scans of infrastructure.
- Weekly internal audit of access logs.
- Quarterly review of sub-processors and third-party access.
- Annual full re-audit by the third-party SOC 2 auditor.
How to request the audit letter
Email security@askvault.co with:
- Your company name.
- Your point of contact (name, email, title).
- Whether you need NDA execution first.
- Whether you're a current AskVault customer or evaluating.
Turnaround is typically 1 to 3 business days. The letter covers our current attestation status and any in-progress audits.
FAQ
Is AskVault SOC 2 Type II certified end-to-end?
The infrastructure layer is certified by our hosting providers. The application layer is undergoing its own audit. Many SaaS vendors at our stage operate this way. Procurement teams that require end-to-end application-level certification should wait until our audit completes.
Can I get the full SOC 2 Type II report?
The full report is available to Enterprise customers under NDA after contract signing. Pre-contract, you can get a Letter of Attestation that confirms certification status without the full controls detail.
What other compliance frameworks does AskVault support?
GDPR alignment today. HIPAA on Enterprise. ISO 27001 on the roadmap. PCI-DSS not applicable (we don't process card data; Stripe handles it).
Is there a bug bounty program?
We have a vulnerability disclosure policy with credit for researchers but no cash bounty at this stage. We offer AskVault swag and an Enterprise plan donation to the researcher's preferred non-profit.
Does AskVault have its own internal security team?
Security is owned by the founders today. As we scale, we'll add a dedicated security hire. For deeper engagement, security@askvault.co reaches a real human within one business day.