SOC 2 Type II (In Progress)
Last updated: May 27, 2026
Overview
Rendum is actively pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria as defined by the American Institute of Certified Public Accountants (AICPA). Our controls are designed and implemented against these criteria today, and we maintain a current controls self-assessment.
We expect to engage an independent auditor for the formal observation period in 2027. A SOC 2 Type II report evaluates whether controls are not only designed appropriately but also operate effectively over a sustained observation period; until that audit is complete, the controls below describe our implemented security posture in preparation for it. Prospective customers can request our current security controls documentation and self-assessment under NDA.
Trust Service Criteria
The following controls are implemented today in preparation for our SOC 2 Type II audit, organized by trust service criteria.
Security (Common Criteria)
The Security criteria evaluate whether the system is protected against unauthorized access. Rendum's controls include:
- CC1 - Control Environment: Established organizational structure, security policies, and management oversight. Annual security awareness training for all employees.
- CC2 - Communication and Information: Documented security policies, incident response procedures, and regular communication of security expectations to all personnel.
- CC3 - Risk Assessment: Annual risk assessments covering infrastructure, application, and operational risks. Quarterly vulnerability scanning and annual penetration testing.
- CC4 - Monitoring Activities: Continuous monitoring via Azure Monitor and Azure Sentinel. Real-time alerting for anomalous activity. Monthly control effectiveness reviews.
- CC5 - Control Activities: Role-based access control, multi-factor authentication, encryption at rest and in transit, network segmentation, and automated patch management.
- CC6 - Logical and Physical Access: Unique user identification, least-privilege access model, quarterly access reviews, and secure deprovisioning. Azure data center physical controls.
- CC7 - System Operations: Change management procedures, code review requirements, staging/production environment separation, and automated deployment pipelines.
- CC8 - Change Management: All changes require peer review, automated testing, and approval before production deployment. Emergency change procedures with post-incident review.
- CC9 - Risk Mitigation: Vendor risk assessments, insurance coverage, and business continuity planning. All subprocessors undergo security review.
Availability
The Availability criteria evaluate whether the system is available for operation and use as committed. Rendum's controls include:
- Performance Monitoring: Real-time monitoring of application performance, database response times, and infrastructure metrics with automated alerting.
- Capacity Planning: Monthly capacity reviews with auto-scaling configured for compute and database resources.
- Disaster Recovery: Multi-region deployment with automatic failover. Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour.
- Business Continuity: Documented business continuity plan tested annually. Geographic redundancy across Azure US East and US West regions.
- Incident Management: Tiered incident response with escalation paths. Status page for real-time incident communication.
Confidentiality
The Confidentiality criteria evaluate whether information designated as confidential is protected as committed. Rendum's controls include:
- Data Classification: Four-tier classification system (Public, Internal, Confidential, Restricted). PHI is classified as Restricted with the most stringent controls.
- Encryption: AES-256 encryption at rest for all data stores. TLS 1.2+ for all data in transit. Azure Key Vault for key management with automatic rotation.
- Access Restrictions: Access to confidential data requires role-based authorization and MFA, and every access is logged in immutable audit trails.
- Data Disposal: Secure deletion procedures for all media. Azure manages physical media destruction per NIST 800-88 guidelines.
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements. NDAs required for all vendor relationships involving sensitive data access.
Security Documentation
Security documentation, including our controls self-assessment and infrastructure architecture overview, is available to qualified prospects under NDA. To request access:
- Email security@rendum.io
- Or submit a request via the demo request form and note "security documentation" in the comments
Contact
For security and compliance inquiries:
Rendum, Inc.
Attn: Security Team
Email: security@rendum.io