What is SOC 2?
SOC 2 (Service Organization Control 2) is a framework developed by the AICPA for evaluating the security, availability, processing integrity, confidentiality, and privacy controls of a service organization. A SOC 2 Type II report provides independent auditor attestation that those controls were in place and operating effectively over a defined audit period.
Enterprise and regulated-industry customers increasingly require SOC 2 Type II attestation as part of vendor procurement and ongoing supplier risk management.
Docuplete's current audit status
Status: SOC 2 Type II audit in progress. Docuplete's security architecture and controls are built around the SOC 2 Trust Services Criteria, and our SOC 2 Type II audit is underway. Enterprise customers can request current security documentation by contacting hello@docuplete.com.
Trust Services Criteria addressed by Docuplete's architecture
Security (CC series)
- Logical access — SAML SSO and SCIM provisioning enable enterprise customers to manage access using their existing identity provider.
- Multi-tenant isolation — Every database query is scoped to the requesting organization. Tenant scoping is enforced at the middleware layer, and cross-tenant access is verified to be blocked by automated isolation tests.
- Encryption in transit — TLS is enforced for all connections between clients, Docuplete servers, and connected integrations.
- Encryption at rest — Client interview answers are encrypted using AES-256-GCM authenticated encryption on all paid plans.
- Vulnerability management — Dependencies are monitored and updated. Penetration testing is conducted periodically.
Availability (A series)
- Infrastructure — The Docuplete API server and supporting services are deployed with automatic restarts and health monitoring.
- Synthetic monitoring — Docuplete's sandbox probe runs end-to-end document generation every 5 minutes in production, detecting regressions before users do.
Confidentiality (C series)
- Data classification — PHI (protected health information) and other sensitive fields are encrypted at rest with AES-256-GCM. Retention controls are available for organizations with defined data retention policies.
- Third-party subprocessors — Docuplete uses a limited set of subprocessors (Cloudflare R2 for storage, Railway for infrastructure, Resend for email). A list is available on request.
Privacy (P series)
- Data minimization — Docuplete collects only the interview answers clients provide and the technical metadata required for audit trail generation.
- GDPR alignment — A Data Processing Agreement (DPA) is available for European customers.
What to ask us during procurement
Enterprise procurement teams commonly request the following from SaaS vendors. We are happy to provide these on request for qualified enterprise opportunities:
- Information security policy
- Penetration test executive summary (most recent)
- Subprocessor list
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA) for HIPAA
- Risk assessment documentation
Contact hello@docuplete.com with your security questionnaire or procurement requirements.
Security questions for procurement?
We are happy to complete security questionnaires and share documentation for enterprise evaluations.