SOC 2 Compliance
Enterprise-grade security and data protection
Our Commitment to SOC 2 Compliance
9two5.work is committed to maintaining compliance with SOC 2 (System and Organization Controls) standards developed by the American Institute of Certified Public Accountants (AICPA). We follow SOC 2 principles to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.
Note: 9two5.work maintains compliance with SOC 2 Trust Service Criteria through continuous implementation of security controls and best practices. This page describes our compliance framework and security measures.
SOC 2 Trust Service Criteria
Our compliance framework addresses all five Trust Service Criteria:
Security
Protection of system resources against unauthorized access, use, disclosure, disruption, modification, or destruction.
- Multi-factor authentication (MFA) for all team members
- Role-based access control (RBAC) with principle of least privilege
- Encryption at rest and in transit (TLS 1.3, AES-256)
- Regular security assessments and penetration testing
- Automated vulnerability scanning and patch management
- Intrusion detection and prevention systems (IDS/IPS)
- Security awareness training for all employees
Availability
The system is available for operation and use as committed or agreed.
- 99.9% uptime SLA with redundant infrastructure
- Load balancing and auto-scaling capabilities
- 24/7 monitoring and alerting systems
- Disaster recovery and business continuity plans
- Regular backup procedures with point-in-time recovery
- Geographic redundancy across multiple data centers
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized.
- Input validation and data integrity checks
- Error handling and logging mechanisms
- Transaction monitoring and audit trails
- Quality assurance and testing procedures
- Change management controls for system updates
- Data reconciliation and verification processes
Confidentiality
Information designated as confidential is protected as committed or agreed.
- Data classification and handling procedures
- Non-disclosure agreements (NDAs) with all team members
- Secure data storage with encryption at rest
- Secure data transmission protocols (TLS/SSL)
- Access controls limiting data exposure
- Secure disposal procedures for confidential data
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and applicable regulations.
- Transparent privacy policies and notices
- User consent mechanisms for data collection
- Data subject rights (access, rectification, deletion)
- Privacy by design in system development
- Data retention and disposal policies
- Compliance with GDPR, CCPA, and other privacy regulations
Additional Security Measures
Incident Response
24/7 security operations center (SOC) with documented incident response procedures and escalation protocols
Vendor Management
Thorough vetting of third-party vendors with security assessments and contractual security requirements
Access Logging
Comprehensive logging of all system access and administrative actions with regular review
Background Checks
Background screening for all employees with access to customer data
Physical Security
Data centers with 24/7 surveillance, biometric access, and environmental controls
Code Reviews
Mandatory security-focused code reviews and static analysis before production deployment
Infrastructure & Operations
Cloud Infrastructure
Our infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 Type II attestations:
- Secure, isolated virtual private clouds (VPCs)
- Network segmentation and firewall protection
- DDoS protection and web application firewall (WAF)
- Regular infrastructure security assessments
Operational Excellence
We maintain rigorous operational procedures:
- Documented policies and procedures for all security processes
- Regular internal audits and compliance reviews
- Continuous monitoring and improvement of security controls
- Annual security and privacy training for all employees
Compliance Documentation
For enterprise customers and partners requiring detailed compliance documentation:
- Security questionnaires and assessments
- Compliance documentation and evidence
- Data processing agreements (DPAs)
- Business associate agreements (BAAs) where applicable
Please contact our compliance team at [email protected] for more information.
Questions About Our Compliance?
Security & Compliance Team
Email: [email protected]
For security questionnaires, compliance documentation, and audit requests
Chief Information Security Officer (CISO)
Email: [email protected]
For executive-level security discussions and strategic partnerships
Security Vulnerability Reporting
Email: [email protected]
For responsible disclosure of security vulnerabilities
Response Time: We aim to respond to all compliance inquiries within 2 business days. Security vulnerability reports are reviewed immediately upon receipt.