SOC 2 Compliance

SOC 2 Type II Compliance Centre

Pravakta.ai is independently audited and certified to the AICPA SOC 2 Type II standard across Security, Availability, and Confidentiality. This page provides an overview of our SOC 2 programme and audit results.

Effective: Audit Period: 2024–2025
Last Updated: 1 March 2025
Version AICPA TSC
1

What Is SOC 2 Type II?

SOC 2 (Service Organisation Control 2) is a framework developed by the AICPA for evaluating a service organisation's controls relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy — known as the Trust Service Criteria (TSC).

Pravakta holds SOC 2 Type II certification — the more rigorous standard that assesses controls over a period of time (typically 12 months) rather than just a moment.

It provides enterprise customers with independent assurance that Pravakta's security controls are not just implemented — they are proven to operate continuously.

2

Audit Scope & Trust Services

Trust Service CriteriaIn Scope?Summary
Security (CC)✓ YesSystem protected against unauthorised access/damage
Availability (A)✓ YesSystem available for operation as committed
Confidentiality (C)✓ YesConfidential information is protected as committed

Current audit period: 1 April 2024 – 31 March 2025. Audits are conducted annually by an AICPA-accredited CPA firm.

3

Our Control Environment

Built on the COSO framework, our environment includes:

  1. Control Environment — commitment to security as a core value.
  2. Risk Assessment — annual formal process with threat monitoring.
  3. Control Activities — specific policies and technical safeguards.
  4. Information & Communication — security training and incident procedures.
  5. Monitoring — continuous technical monitoring and annual audit.
4

Architecture & SOC 2 Advantage

🏛️
The SOC 2 Significance of Zero-Egress: Because customer call data is processed exclusively on the customer's infrastructure, it is architecturally out of scope for Pravakta's SOC 2 audit — reducing complexity and risk for the customer.

Pravakta's SOC 2 scope is focused on its corporate systems and the Platform software supply chain — where we genuinely have control.

5

Security Trust Service Criteria (CC)

Control AreaKey Controls Implemented
Access ControlMFA; RBAC; Hardware keys for privileged access; Quarterly reviews
OperationsIDS/IPS; SIEM monitoring; Patch management SLAs
Change ManagementPeer code review; Automated test gates; Staging approvals
6

Availability Trust Service Criteria (A)

  • Capacity Management: Monthly reviews and tested autoscaling.
  • Environmental Protections: Redundant corporate infra; multi-AZ deployments.
  • Recovery: Documented and tested RTO/RPO; backup integrity verification.
⚠️
Availability for customer-deployed Platform instances depends on customer infrastructure. Our SOC 2 covers the base software and corporate systems.
7

Confidentiality Trust Service Criteria (C)

  • Identification: Data classification (Public/Internal/Confidential/Restricted).
  • Protection: AES-256 at rest; TLS 1.3 in transit; DLP monitoring.
  • Disposal: Secure deletion (NIST 800-88 compliant).
8

Subservice Organisations

Uses certain providers whose controls are relevant to our scope (e.g., AWS). We monitor their compliance status annually.

9

Obtaining the SOC 2 Report

📄
The full report is available to enterprise customers under NDA. Email legal@pravakta.ai with "SOC 2 Report Request".
10

Continuous Compliance

We use a GRC platform for year-round compliance, automated monitoring, and annual penetration testing.

11

Contact & Questions

For report requests or security walkthroughs, contact security@pravakta.ai.