SOC 2 Type II Attestation

AICPA Service Organization Control Compliance

Overview of SOC 2

SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates the internal controls and processes of service organizations relevant to security, availability, processing integrity, confidentiality, and privacy of customer data.

Delphi Cloud's SOC 2 Type II Attestation

Delphi Cloud maintains SOC 2 Type II attestation, the most rigorous level of SOC 2 compliance, demonstrating that our controls are not only appropriately designed (Type I) but also operating effectively over a sustained period of time (Type II). Our attestation is renewed annually through independent third-party audits.

Type II vs. Type I

SOC 2 Type I reports provide an assessment of the design and suitability of controls at a single point in time. SOC 2 Type II reports go further by evaluating the operating effectiveness of those controls over a minimum period of six months, providing greater assurance about the consistent application of security measures.

Trust Services Criteria

Our SOC 2 Type II attestation covers all five Trust Services Criteria (TSC), demonstrating comprehensive security and operational excellence:

Security (Common Criteria)

The foundation of SOC 2 compliance, covering the protection of system resources against unauthorized access:

  • Access Controls: Multi-factor authentication, role-based access control, and principle of least privilege
  • Network Security: Firewall configurations, intrusion detection/prevention systems, and network segmentation
  • Logical Security: Encryption at rest and in transit, secure key management, and cryptographic controls
  • Physical Security: Data center access controls, surveillance, and environmental safeguards
  • System Operations: Change management, configuration management, and system monitoring
  • Security Monitoring: SIEM implementation, continuous monitoring, and automated alerting

Availability

Ensuring system uptime and operational availability as committed in SLAs:

  • Infrastructure Redundancy: Geographic distribution across multiple availability zones
  • Disaster Recovery: Documented DR procedures with regular testing and validation
  • Backup Systems: Automated backup processes with defined recovery objectives (RTO/RPO)
  • Capacity Management: Proactive monitoring and scaling to prevent service degradation
  • Incident Management: 24/7 NOC operations with defined escalation procedures

Processing Integrity

Ensuring that system processing is complete, valid, accurate, timely, and authorized:

  • Data Validation: Input validation and data integrity checks
  • Error Handling: Comprehensive error detection and resolution procedures
  • Quality Assurance: Testing and validation of system changes
  • Transaction Processing: Accurate and complete processing of customer workloads
  • Monitoring Controls: Automated monitoring of processing accuracy and completeness

Confidentiality

Protection, throughout its lifecycle, of information designated as confidential:

  • Data Classification: Identification and labeling of confidential data
  • Encryption: Strong encryption for confidential data at rest and in transit
  • Access Restrictions: Need-to-know access controls for confidential information
  • Secure Disposal: Secure data destruction and media sanitization procedures
  • Confidentiality Agreements: NDAs with employees, contractors, and third parties

Privacy

Collection, use, retention, disclosure, and disposal of personal information in line with privacy principles:

  • Notice: Clear privacy notices and data processing disclosures
  • Choice and Consent: Mechanisms for data subject consent and preference management
  • Collection: Collection limited to specified, legitimate purposes
  • Use and Retention: Data usage limited to stated purposes with defined retention periods
  • Access: Data subject rights to access and request corrections
  • Disclosure: Controls over third-party data sharing
  • Security: Technical and organizational measures to protect personal data
  • Quality: Data accuracy and completeness maintenance
  • Monitoring: Ongoing privacy program monitoring and compliance assessment

Audit Process

Our SOC 2 Type II audit is conducted by an independent licensed CPA firm over a minimum observation period of six months:

  1. Planning Phase: Scope definition and control identification
  2. Evaluation Period: Controls operate and are monitored continuously over a minimum period of six months
  3. Testing Phase: Independent testing of control design and operating effectiveness
  4. Evidence Collection: Comprehensive documentation review and verification
  5. Attestation Report: CPA opinion on control effectiveness
  6. Annual Renewal: Continuous compliance verification through annual re-audits

Report Availability

Our SOC 2 Type II report is available to customers and qualified prospects under NDA. The report includes:

  • Independent auditor's opinion
  • Management's assertion regarding controls
  • Detailed description of our system and control environment
  • Specific controls tested and test results
  • Any identified exceptions or complementary user entity controls

Continuous Compliance

SOC 2 compliance is not a one-time achievement but an ongoing commitment. Delphi Cloud maintains continuous compliance through:

  • Quarterly internal control assessments
  • Continuous monitoring of security controls
  • Regular control effectiveness reviews
  • Prompt remediation of any identified control gaps
  • Annual third-party audits for renewed attestation

Complementary User Entity Controls

While Delphi Cloud maintains comprehensive controls, certain aspects of security depend on customers implementing complementary controls on their side, including:

  • Strong customer IAM policies and procedures
  • Appropriate security configurations for customer workloads
  • Customer data classification and handling procedures
  • Timely review of access logs and monitoring alerts

Request SOC 2 Report

To request access to our current SOC 2 Type II report, please contact our compliance team. Reports are provided to existing customers and qualified prospects under standard NDA terms. For general questions about our SOC 2 compliance, visit our security and compliance page.