SOC 2 Compliance

AgentMail completed its SOC 2 Type I attestation in July 2025 and is currently in the observation period for a SOC 2 Type II report (target: Q1 2026).


Current Status

Type I Achieved

Completed July 2025 - Controls properly designed and in place

Type II In Progress

Target Q1 2026 - Demonstrating that the controls operate effectively over time

Compliance Timeline

Phase                         Period                Status
Type I Preparation            June 2025             Completed
Type I Assessment             July 2025             Completed
Type II Observation Period    Aug 2025 - Dec 2025   In Progress
Type II Report                Q1 2026               Target

What is SOC 2?

SOC 2 is an attestation framework defined by the AICPA (American Institute of Certified Public Accountants). An independent CPA firm examines an organization's controls against the Trust Services Criteria, which cover five categories:

  1. Security - Protection against unauthorized access, both physical and logical
  2. Availability - System accessibility and operational performance as committed
  3. Processing Integrity - System processing is complete, valid, accurate, timely, and authorized
  4. Confidentiality - Information designated as confidential is protected
  5. Privacy - Personal information is collected, used, retained, disclosed, and disposed of per privacy commitments

Security (the Common Criteria) is required in every SOC 2 report; the other four categories are included only at the organization's option, so the scope of a given report should be checked.

Report Types

  • Type I: Reports on whether controls are suitably designed and implemented as of a specific date.
  • Type II: Additionally tests whether those controls operated effectively throughout a review period (typically 6–12 months).

AgentMail’s SOC 2 Type I report covers the design and implementation of the controls listed below as of the report date; it does not by itself evidence that they operated effectively over time, which is what the Type II report will address.


Security Controls Implemented

The following controls were in scope for, and tested during, our SOC 2 Type I examination:

Access Control

  • Role-based access control (RBAC) with least-privilege permissions
  • MFA (Multi-Factor Authentication) for administrative access and sensitive operations
  • Quarterly access reviews and revocation upon role change

Encryption & Key Management

  • TLS 1.2 or higher for all service and API traffic
  • Data at rest encrypted using industry-standard ciphers
  • Centralized KMS (Key Management Service) for key generation, rotation, and revocation
  • Encrypted point-in-time backups with 30-day retention

See Security Overview for more details.

Email Authentication & Anti-Abuse

  • SPF, DKIM, DMARC configured across all sending domains
  • Real-time scanning of inbound/outbound messages for malware/phishing
  • IP-based rate limiting and behavioral abuse detection

See Email Protocols for technical details.

Monitoring & Incident Response

  • Centralized logging and anomaly detection with alerting
  • Documented incident response process: detect → triage → contain → eradicate → recover → post-incident review
  • Responsible disclosure channel for external security researchers

Resilience, Backup & Recovery

  • Daily encrypted backups with 30-day retention
  • Periodic restore tests to validate recovery time and recovery point objectives (RTO/RPO)
  • Multi-AZ/high-availability architecture for critical components

SOC 2 Control Mapping

Control Area          Implementation                                   SOC 2 Criteria
Access Control        RBAC, MFA, quarterly reviews                     CC6.1–CC6.7
Encryption & KMS      TLS 1.2+, at-rest encryption, key rotation       CC6.1, CC6.7
Email Authentication  SPF/DKIM/DMARC, anti-abuse filters               CC7.1–CC7.4
Threat Monitoring     Centralized logs, alerts, malware scanning       CC7.2–CC7.4
Backup & Recovery     Daily backups, 30-day retention, restore tests   CC7.5, A1.2
Incident Response     Runbooks, post-mortems, disclosure program       CC7.4–CC7.5
Workforce Security    Security training, NDAs, background checks       CC1.1, CC1.4–CC1.5

Criteria numbers refer to the AICPA 2017 Trust Services Criteria (CC = Common Criteria, which apply to Security; A = Availability, applicable where that category is in scope). The Common Criteria run CC1.1–CC9.2, with CC5 ending at CC5.3 and CC6 at CC6.8; earlier versions of this table cited criteria outside that range.

The above mappings reflect the controls examined for our Type I report and are being maintained, with supporting evidence, through the Type II observation period.


Type II Certification Progress

AgentMail is currently in the Type II observation period (August 2025 - December 2025), during which evidence is collected continuously so that an independent auditor can test whether our security controls operated effectively throughout the period.

What’s Being Tested

  • Continuous Operation: Controls function consistently without gaps
  • Change Management: Security maintained through system updates and changes
  • Evidence Collection: Logs, tickets, training records, access reviews
  • Incident Handling: Real-world response to security events (if any)

Expected Completion

Q1 2026 - SOC 2 Type II report issued by an independent CPA firm

A Type II report provides stronger assurance than a Type I report because it covers not only whether AgentMail’s security controls are well designed, but also whether they operated effectively over the review period.


Accessing SOC 2 Reports

Organizations evaluating AgentMail can request SOC 2 documentation.