Scorable is in the business of helping companies build more reliable AI automations. To do that credibly, we need to be reliable and trustworthy ourselves. Our latest demonstration of that commitment is that we are now SOC 2 Type II compliant.
The Journey
From the very early stages of the company, we recognized that compliance requirements would matter to our customers, so secure operations were a priority from the start.
That foundation made adopting SOC 2 relatively straightforward: many of the necessary controls were already in place before the audit began. We are also fortunate to employ industry veterans who have implemented security frameworks many times before.
We chose Vanta to centralize our compliance documentation, security workflows, audit evidence, and risk monitoring. It proved to be an excellent decision: it turned what could have been a very tedious exercise of mapping the AICPA Trust Services Criteria onto our environment into something tangible, a manageable ticket list.
Platform and Engineering
On the platform side, most requirements were already largely satisfied, but some hardening remained: more audit logging, a few additional monitoring alerts, and tighter access controls. The relatively simple architecture of our platform made this easy, and once we connected our AWS account to Vanta, it produced an actionable task list for us to work through.
We use LLMs extensively throughout our development workflow, from writing specifications to code review. SOC 2 itself does not prescribe peer review; it requires that changes be authorized, tested, and approved under a documented change-management process, and reviewing every code change before it ships is the control we chose to satisfy that. We therefore had to document carefully how our AI-assisted review process provides the same reliability and trustworthiness as traditional human review. This required detailed explanations in our change management documentation to satisfy the auditors.
Policies and Procedures
The non-technical side required documenting a number of policies and procedures. Many of these were already part of our informal practices, but for SOC 2 they naturally needed to be made explicit.
Vendor management came with its own set of requirements. We needed to collect SOC 2 reports from our external providers, which was relatively straightforward since many startups use the same kind of compliance tooling we do; it still required coordination and follow-up communication.
We also developed custom risk scenarios for each vendor, analyzing potential impacts and mitigation strategies. For example, we documented what would happen if a key model provider experienced downtime and outlined our contingency plans for that situation.
Trust Center
Check out our trust center to access our security documentation, including our SOC 2 Type II report.