SOC 2 Type II Compliance

Last updated: March 1, 2025

Overview

Rendum has completed a SOC 2 Type II audit covering the Security, Availability, and Confidentiality trust service criteria as defined by the American Institute of Certified Public Accountants (AICPA). The audit was conducted by an independent third-party auditor and covers a 12-month observation period.

SOC 2 Type II reports provide assurance that an organization's controls are not only designed appropriately but are also operating effectively over a sustained period. Unlike Type I reports (point-in-time), Type II reports evaluate controls over an observation period, providing a more comprehensive assessment.

Trust Service Criteria

Security (Common Criteria)

The Security criteria (the Common Criteria shared by all SOC 2 reports) evaluate whether information and systems are protected against unauthorized access, unauthorized disclosure, and damage. Rendum's controls include:

  • CC1 - Control Environment: Established organizational structure, security policies, and management oversight. Annual security awareness training for all employees.
  • CC2 - Communication and Information: Documented security policies, incident response procedures, and regular communication of security expectations to all personnel.
  • CC3 - Risk Assessment: Annual risk assessments covering infrastructure, application, and operational risks. Quarterly vulnerability scanning and annual penetration testing.
  • CC4 - Monitoring Activities: Continuous monitoring via Azure Monitor and Microsoft Sentinel (formerly Azure Sentinel). Real-time alerting for anomalous activity. Monthly control effectiveness reviews.
  • CC5 - Control Activities: Role-based access control, multi-factor authentication, encryption at rest and in transit, network segmentation, and automated patch management.
  • CC6 - Logical and Physical Access: Unique user identification, least-privilege access model, quarterly access reviews, and secure deprovisioning. Physical access controls are inherited from the Microsoft Azure data centers that host the service.
  • CC7 - System Operations: Detection of and response to security events. Continuous monitoring and real-time alerting feed a tiered incident response process with defined escalation paths and post-incident review.
  • CC8 - Change Management: All changes require peer review, automated testing, and approval before production deployment, delivered through automated deployment pipelines with separate staging and production environments. Emergency change procedures with post-incident review.
  • CC9 - Risk Mitigation: Vendor risk assessments, insurance coverage, and business continuity planning. All subprocessors undergo security review.

Availability

The Availability criteria evaluate whether the system is available for operation and use as committed. Rendum's controls include:

  • Performance Monitoring: Real-time monitoring of application performance, database response times, and infrastructure metrics with automated alerting.
  • Capacity Planning: Monthly capacity reviews with auto-scaling configured for compute and database resources.
  • Disaster Recovery: Multi-region deployment with automatic failover. Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour.
  • Business Continuity: Documented business continuity plan tested annually. Geographic redundancy across the Azure East US and West US regions.
  • Incident Management: Tiered incident response with escalation paths. Status page for real-time incident communication.

Confidentiality

The Confidentiality criteria evaluate whether information designated as confidential is protected as committed. Rendum's controls include:

  • Data Classification: Four-tier classification system (Public, Internal, Confidential, Restricted). Protected health information (PHI) is classified as Restricted and subject to the most stringent controls.
  • Encryption: AES-256 encryption at rest for all data stores. TLS 1.2+ for all data in transit. Azure Key Vault for key management with automatic rotation.
  • Access Restrictions: Access to confidential data requires role-based authorization, MFA, and is logged in immutable audit trails.
  • Data Disposal: Secure deletion procedures for all media. Azure manages physical media destruction per NIST SP 800-88 guidelines.
  • Confidentiality Agreements: All employees and contractors sign confidentiality agreements. NDAs required for all vendor relationships involving sensitive data access.

Audit Details

Audit Type

SOC 2 Type II

Trust Criteria

Security, Availability, Confidentiality

Observation Period

January 1, 2024 - December 31, 2024

Report Date

February 15, 2025

Auditor Opinion

Unqualified (Clean)

Exceptions Noted

None

Requesting the Full Report

The full SOC 2 Type II report is available to current and prospective customers under NDA. Enterprise plan customers receive access as part of their subscription. To request a copy:

  • Current customers: Contact your account manager or email security@rendum.io
  • Prospective customers: Request via the demo request form and indicate SOC 2 report access in the comments

Contact

For security and compliance inquiries:

Rendum, Inc.
Attn: Security Team
Email: security@rendum.io