SOC 2 Type II

SOC 2 Type II is an audit framework developed by the AICPA that evaluates whether a service organisation’s controls for security, availability, and related Trust Service Criteria operated effectively over a defined audit period — typically six to twelve months.

VeriProof’s SOC 2 Type II audit is currently in progress. This page describes the controls landscape and scope. Once the audit report is available, customers with an active subscription can request a copy under NDA by contacting compliance@veriproof.app.


Audit Scope

Trust Service Criteria in Scope

TSC                 | Description                                                              | Status
CC — Security       | Logical access, change management, risk assessment, incident response    | In audit
A — Availability    | System availability and performance monitoring                           | In audit
C — Confidentiality | Protection of confidential information                                   | In audit

Processing integrity (PI) and privacy (P) are not included in the current audit scope. Processing integrity will be assessed in a future audit cycle.

System Boundary

The audit covers the VeriProof SaaS platform — the Ingest API, Customer Portal, Staff Portal, Blockchain Functions, and their underlying Azure infrastructure. Enterprise Federated deployments run in customer-owned Azure subscriptions and are outside the VeriProof audit boundary; enterprise customers seeking SOC 2 coverage for their deployment should engage their own auditor.


Security (CC) Controls Summary

These are the control categories evaluated under the common criteria:

Logical and Physical Access

  • Multi-factor authentication required for all staff access to production systems
  • Role-based access enforced via Azure Active Directory
  • Customer Portal and Staff Portal access granted on the principle of least privilege
  • Production database access restricted to named individuals via Managed Identity; no direct database credentials exist

Change Management

  • All code changes reviewed via pull request with at least one approver required
  • Automated CI/CD pipeline with build integrity checks
  • Database schema changes applied through versioned migration scripts
  • Infrastructure changes managed via Infrastructure-as-Code (Bicep templates)

Risk Assessment

  • Annual internal risk assessment with identified risks documented and tracked
  • Third-party penetration testing conducted annually
  • Vulnerability scanning on a continuous basis via automated tooling

Incident Management

  • Incident response runbooks maintained and reviewed
  • Security events logged in Application Insights with alerting on anomalous patterns
  • Post-incident review process with root cause documentation

Availability Controls Summary

VeriProof targets the following availability objectives:

Metric                  | Target         | Notes
Ingest API uptime       | 99.9% monthly  | Excluding scheduled maintenance windows
Customer Portal uptime  | 99.9% monthly  |
Ingest API P99 latency  | < 2 seconds    | Per-request processing time before queue
Blockchain anchor time  | < 60 seconds   | Median time from ingest to Solana confirmation

Availability monitoring uses Azure Monitor and Application Insights, with PagerDuty escalation for P1 incidents.


Confidentiality Controls Summary

Confidentiality controls relevant to SOC 2 include:

  • AES-256-GCM application-layer encryption for all captured session content (see Encryption at Rest)
  • Azure Key Vault Managed Identity pattern; no encryption keys in configuration files
  • API key one-way hashing (SHA-256); plaintext never stored
  • Tenant isolation enforced at both application layer (EF Core) and database layer (PostgreSQL RLS)
  • Data retention limits with automated deletion at end of retention window
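The database-layer half of the tenant isolation control above is PostgreSQL row-level security. The following is an added illustration of that pattern, not VeriProof's own schema or code: the table, policy, role and the `app.tenant_id` setting name are hypothetical. It shows the weak form (RLS enabled but the table owner exempt, and an unscoped session that would see everything) beside the corrected form, and the check a reviewer would run.

```sql
-- Added illustration (hypothetical schema; not VeriProof's own code).
-- Tenant isolation at the database layer with PostgreSQL row-level security.

CREATE TABLE captured_sessions (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    payload    bytea NOT NULL,           -- ciphertext; encrypted at the application layer
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Weak setting: RLS enabled, but the table owner (often the migration role)
-- is exempt, so anything connecting with the owner's privileges sees every tenant.
ALTER TABLE captured_sessions ENABLE ROW LEVEL SECURITY;

-- Corrected: FORCE applies the policy to the owner as well.
ALTER TABLE captured_sessions FORCE ROW LEVEL SECURITY;

-- The application sets the tenant for the current transaction; the policy reads it back.
-- current_setting(..., true) returns NULL when the setting is absent, so an unscoped
-- session matches no rows instead of all rows (a NULL predicate excludes the row).
CREATE POLICY tenant_isolation ON captured_sessions
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Runtime role for the API: not the table owner, and explicitly unable to bypass RLS.
CREATE ROLE app_runtime NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON captured_sessions TO app_runtime;
GRANT USAGE ON SEQUENCE captured_sessions_id_seq TO app_runtime;

-- Per-request usage inside one transaction. is_local = true scopes the setting to
-- the transaction, so it is discarded at COMMIT/ROLLBACK and cannot leak through a
-- pooled connection to the next request.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);  -- constructed sample tenant id
SELECT id, created_at FROM captured_sessions;   -- only this tenant's rows
COMMIT;

-- Check, run as app_runtime with no app.tenant_id set: the policy predicate is NULL
-- for every row, so this must return 0 rather than the full table.
SELECT count(*) FROM captured_sessions;
```

The two points worth verifying in any RLS-based isolation are visible here: FORCE ROW LEVEL SECURITY (ENABLE alone leaves the owner unrestricted) and a runtime role without BYPASSRLS that is also not the owner. The `WITH CHECK` clause closes the write side, so a row cannot be inserted under another tenant's id even if application code passes the wrong value.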

Customer Responsibilities

SOC 2 compliance follows a shared responsibility model. VeriProof’s audit covers its own controls. Your organisation is responsible for:

  • Managing your own API key lifecycle (rotation, revocation)
  • Configuring appropriate retention periods for your use case and regulatory environment
  • Ensuring your own SDK integration does not inadvertently send data not intended for VeriProof
  • Assessing whether VeriProof is an appropriate processor for your specific compliance context

Requesting the Report

Once available, the SOC 2 Type II report can be requested by:

  1. Emailing compliance@veriproof.app from your registered account email
  2. Signing a mutual NDA (standard form available on request)
  3. Receiving the report within five business days