Trust & Compliance

Security at InsightAgent

Our controls over security, access, and incident response are independently attested under SOC 2 Type II by Decrypt Compliance — with zero exceptions.

SOC 2 Type II — InsightAgent Inc., attested by Decrypt Compliance

Audit snapshot

Report: SOC 2 Type II
Auditor: Decrypt Compliance
Period: Nov 2025 – Jan 2026
Trust criteria: Security (TSP section 100)
Opinion: Unqualified · Zero exceptions
Hosting: AWS (SOC 2 carved-out subservice)

The report covers the Security Trust Services Criterion. AWS is a carved-out subservice organization for cloud hosting — its own SOC 2 report is available directly from AWS and should be reviewed alongside ours.

Controls we operate

A selection of the controls tested during the examination period. The full control matrix is available in the report.

Encryption at rest & in transit

AES 256-bit encryption for customer data at rest. TLS 1.2+ in transit. AWS-managed keys rotated annually.

Two-factor authentication

Enforced on the production console, source control, identity management, and backup alteration. No exceptions.

Least-privilege access

Role-based access control across all production systems. Access requests are approved and logged prior to provisioning.

Annual penetration testing

Independent external pentest of the web application every year. Critical and High findings are remediated on a defined SLA.

Segregated environments

Production, staging, and development are fully segregated to enforce confidentiality and privacy of customer data.

Endpoint hardening

Employee devices enforce hard-disk encryption, auto-patching, device sign-in, and automatic screen-lock via centralized MDM.

Incident response

Documented incident response and contingency playbooks, maintained and updated based on lessons learned from past events.

People & training

Pre-employment background checks, signed acceptable-use agreements, and annual security awareness training for all employees.

How we handle your data

  • Your data never trains our models. Customer content is never used to train AI models — yours or anyone else's.
  • Least-privilege access. Only authorized personnel can access production. Every access path requires 2FA.
  • Documented sub-processors. Enterprise customers with a DPA receive 30 days' notice before we engage a new sub-processor. See the full list on our sub-processors page.
  • Public status page. Real-time uptime and incident history at status.insightagent.io.

Request the full SOC 2 Type II report

The full report — including the auditor's opinion, control matrix, and test results — is available to prospects and customers under NDA.
