SECURITY

SOC 2 Posture

Last reviewed: April 2026. For redlines against your template, contact [email protected].

1. Overview

Xycora maintains SOC 2 Type II certification covering the Security trust services criteria. Annual assessments are conducted by an independent third-party auditor accredited by the American Institute of Certified Public Accountants (AICPA). Unlike a SOC 2 Type I audit — which evaluates control design at a single point in time — a Type II audit evaluates both the design and the operating effectiveness of controls over a sustained observation period. This gives customers and their compliance teams assurance that controls function consistently in practice, not merely on paper.

The current audit period covers Xycora's cloud infrastructure, application deployment pipeline, access control and identity management systems, incident response procedures, data encryption practices, and sub-processor oversight programme.

2. Trust Services Criteria Coverage

  • Security (CC series) — Access controls, encryption at rest and in transit, vulnerability management, network segmentation, incident response, and security awareness training. This criterion is included in every Xycora SOC 2 engagement.
  • Availability (A series) — Platform uptime monitoring, redundancy and failover architecture, disaster recovery procedures, and recovery time objectives.
  • Processing Integrity (PI series) — AI output quality controls, citation-backed outputs, and immutable audit logging of every AI call, which provides the evidence base for processing integrity.
  • Confidentiality (C series) — Data classification, need-to-know access enforcement, contractual confidentiality obligations with sub-processors, and the zero-training commitment governing Firm Data.
  • Privacy (P series) — Alignment with GDPR and UK GDPR requirements, DPA obligations, data subject rights fulfilment, and data retention and deletion controls.

3. Security Controls

  • Encryption — AES-256 at rest; TLS 1.3 minimum in transit. BYO-key available to Firm tier customers via AWS KMS or Azure Key Vault.
  • Multi-factor authentication — MFA enforced for all internal Xycora systems with access to production infrastructure. MFA available to all platform users.
  • Role-based access control — Least-privilege provisioning across all systems; access reviewed and re-certified quarterly. All access is authenticated and logged.
  • Network segmentation — Production, staging, and development environments are network-isolated. Egress filtering is applied to all production systems.
  • Secrets management — All credentials and API keys are stored in a secrets manager. No credentials are stored in source code or environment variables in production. Secrets are rotated quarterly.
  • Penetration testing — Annual third-party penetration testing of all production infrastructure. Critical findings are remediated within 72 hours of identification; high findings within 30 days.

4. Report Availability

The current SOC 2 Type II report is available to current and prospective customers under a mutual non-disclosure agreement. To request a copy, contact [email protected] with your firm name and evaluation timeline. We will respond within two business days with the NDA for countersignature and, once executed, deliver the report by secure link.

5. Continuous Monitoring

Xycora operates 24/7 infrastructure alerting and automated vulnerability scanning across all production systems. Automated dependency scanning runs on every build; static analysis and secret scanning run in CI. Security posture is reviewed quarterly by the engineering leadership team, and annually against the full SOC 2 criteria in preparation for the annual audit.
