Point11

SOC 2 Type II compliance

Point11's approach to SOC 2 Type II compliance, covering the five Trust Services Criteria, the audit process, and what it means for enterprise customers.

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. For AI infrastructure companies like Point11 that process enterprise PII across voice agents, chat agents, and MCP servers, SOC 2 Type II is the baseline compliance requirement expected by enterprise procurement teams.

The Five Trust Services Criteria

SOC 2 is built on five Trust Services Criteria (TSC), defined by AICPA:

Security (Common Criteria)

Security is the only mandatory criterion and is included in every SOC 2 audit. It covers protection of information and systems against unauthorized access, unauthorized disclosure, and damage. For Point11, this includes encryption (AES-256 at rest, TLS 1.3 in transit), access controls (RBAC), network segmentation, intrusion detection, and vulnerability management.

Availability

Availability addresses whether the system is operational and accessible as committed. Point11 maintains a 99.9% uptime SLA backed by multi-region deployments across AWS, Google Cloud, and Azure. This criterion covers disaster recovery, failover procedures, capacity planning, and incident response.

Processing Integrity

Processing integrity ensures that system processing is complete, valid, accurate, timely, and authorized. For an AI platform, this means that voice agent conversations are transcribed accurately, MCP server tool invocations return correct data, and no data is lost or corrupted during processing.

Confidentiality

Confidentiality covers protection of information designated as confidential. Point11 classifies data into four tiers: Public, Internal, Confidential, and Restricted. Each tier has specific handling requirements for storage, transmission, access, and disposal. Enterprise customer data is classified as Confidential or Restricted by default.

Privacy

Privacy addresses the collection, use, retention, disclosure, and disposal of personal information. This criterion aligns with GDPR, CCPA, and other privacy regulations. Point11's privacy controls include data minimization, purpose limitation, consent management, and data subject rights fulfillment.

Type I vs Type II

SOC 2 has two report types:

  • Type I: evaluates the design of controls at a single point in time. It answers: "Are the right controls in place?" A Type I audit is a snapshot.
  • Type II: evaluates the operating effectiveness of controls over a period of time, typically 6 to 12 months. It answers: "Do the controls actually work consistently?" A Type II audit is a sustained examination.

Enterprise customers require Type II because it demonstrates that security controls are not just designed but consistently enforced over time. A Type I report is often a stepping stone but is insufficient for enterprise procurement.

The Audit Process

Phase 1: Readiness Assessment (1-3 months)

A gap analysis identifies where current controls fall short of SOC 2 requirements. This phase produces a remediation roadmap covering policy documentation, technical controls, and process improvements.

Phase 2: Control Implementation (2-6 months)

The organization implements required controls, including access management policies, incident response procedures, change management workflows, vendor risk assessments, and employee security training. For AI-specific controls, this includes prompt injection protections, model output validation, and data isolation mechanisms.

Phase 3: Observation Period (6-12 months)

For Type II, the auditor observes controls operating over a sustained period. During this window, the organization must demonstrate consistent adherence to its policies. Every access review, incident response, change approval, and vulnerability scan is evidence.

Phase 4: Audit and Report (1-2 months)

The CPA firm examines evidence, interviews staff, tests controls, and produces the SOC 2 Type II report. The report includes a description of the system, the auditor's opinion, management's assertion, and detailed testing results for each control.

The total timeline from initiation to first SOC 2 Type II report is typically 9 to 18 months. Organizations with mature security programs can achieve this faster; those starting from scratch should plan for the longer end.

Annual Renewal

SOC 2 Type II is not a one-time certification. The audit must be renewed annually with a new observation period and fresh evidence. Each renewal cycle covers the period since the last report, ensuring continuous compliance without gaps.

Point11 undergoes annual SOC 2 Type II audits and makes the report available to customers and prospects under NDA. Point11's voice infrastructure provider, ElevenLabs, has completed SOC 2 Type II certification with zero exceptions, providing additional assurance across the voice processing pipeline.

What This Means for Enterprise Customers

When you deploy Point11's AI agents and MCP servers, your data is processed within a SOC 2 Type II audited environment. This means:

  • Your procurement and security teams can review Point11's SOC 2 report during vendor assessment.
  • Every control protecting your data has been independently tested by a licensed CPA firm.
  • Continuous compliance is maintained through annual renewal, not a one-time snapshot.
