TRUST CENTER · LAST UPDATED 2026-05-12
Security as a board-level concern. Engineered to the SOC 2 Type II bar by default, not retroactively.
ScyAI builds the world's leading risk intelligence software. We work with customers in the most secure and highly-regulated industries and build software for their most sensitive data.
ScyAI cares deeply about the security outcomes of our customers, and we're committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.
Every claim here is grounded in version-controlled policy under docs/soc2/, infrastructure-as-code under infra/, or an operational runbook under docs/runbooks/.
Every technical control listed below is live in production.
The remaining gap to formal certification is the audit observation window itself — not remediation.
Eight families of technical control.
Each is live in production today.
Architecture and code are the source of truth — every category below maps to versioned policy, Terraform, and a runbook.
Sixteen formal policies. Signed by the CEO. Version-controlled.
All policies live under docs/soc2/ and are mirrored to Notion. The codebase is the source of truth; Notion is the collaboration and auditor-access surface. Sensitive documents are released under NDA.
Seven security investments shipped in the last quarter.
We treat security as engineered scope, not a project that ends. Below is what shipped recently — each tied to a specific failure mode we wanted to remove from the system.
Outstanding items. We'd rather name them now than answer them later.
A SOC 2 review will surface gaps. These are the items we know about, and our plan for each.
DR / business continuity tabletop
Scheduled. Recovery procedures documented in runbook; live exercise pending the start of the audit observation window.
Customer-Managed Encryption Keys (CMEK)
On roadmap. Inherited Google-managed encryption meets the SOC 2 bar; CMEK is for customers with stricter key-control requirements.
Independent penetration test
Scheduled before audit engagement. Internal threat-model and code review ongoing.
Auditor engagement
Scope drafted. Shortlist of three auditors under evaluation; engagement targeted this quarter.
Vendors and AI providers. Tracked, classified, reviewed.
All AI providers operate under zero-data-retention contracts. The full vendor register, with criticality ratings and data-handling classification, is available on request.
Google Cloud Platform
Primary infrastructure — Firestore, GCS, Cloud Run, BigQuery, Secret Manager, Identity Platform.
OpenAI
LLM inference for agent workloads. Zero-data-retention.
Anthropic
LLM inference for agent workloads. Zero-data-retention.
Google (Gemini)
LLM inference. Zero-data-retention.
GitLab
Source control + CI runner. No customer data.
Mapbox
Geospatial tiles + geocoding. Aggregate request data only.
Cityweft
Specialised geo-risk lookup. TLS only.
E2B
Code execution sandbox for agent tasks. Ephemeral.
Resend
Transactional email for security@scyai.com enquiries. No customer data.
What's changed.
Material changes to our security posture, posted as they ship.
SOC 2 Type 1 — auditor shortlist finalised, engagement targeted this quarter.
Sixteen formal policies are signed by the CEO and on a six-monthly review cycle. Every technical control listed in this Trust Center is live in production today; the remaining gap to formal certification is the audit observation window itself.
Cross-tenant administrator access hardened with dual-attribution audit and per-request MFA.
Platform administrators authenticate through a dedicated scyai-internal Firebase tenant — separate from any customer tenant. Cross-tenant operations now require a per-request opt-in via signed headers and pass an MFA + active-membership check at the middleware layer. Every event is logged at warn level with actor user id, target tenant, target user, request path, and request id.
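The middleware check described above, as an added illustration (not ScyAI's own middleware code): a caller must hold a session from the scyai-internal tenant, have active membership, have completed MFA for this specific request, and present an opt-in signature bound to the request id, target tenant and target user; every decision is logged at warn level with both actor and target. The header names, the signing key and the sample identities are constructed for the example.

```python
"""Middleware-style authorization for cross-tenant administrator operations.

Added illustration of the control described on the page; not ScyAI's own
middleware. Header names, the signing key and sample identities are constructed.
"""
import hashlib
import hmac
import json
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("cross_tenant")

INTERNAL_TENANT = "scyai-internal"              # admin-only Firebase tenant named on the page
TARGET_TENANT_HEADER = "X-Cross-Tenant-Target"  # hypothetical header names
TARGET_USER_HEADER = "X-Cross-Tenant-User"
SIGNATURE_HEADER = "X-Cross-Tenant-Signature"
DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class Principal:
    """What the auth layer has already established about the caller."""
    user_id: str
    tenant: str                             # Firebase tenant the session was issued in
    membership_active: bool                 # still in the admin group right now
    mfa_passed_for_request: Optional[str]   # request id the MFA step-up was completed for


@dataclass(frozen=True)
class Request:
    path: str
    request_id: str
    headers: Dict[str, str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit_event: Dict[str, str]


def sign_opt_in(request_id: str, target_tenant: str, target_user: str,
                key: bytes = DEMO_SIGNING_KEY) -> str:
    """HMAC binding the opt-in to one request id, tenant and user, so a captured
    header cannot be reused for another request or another tenant."""
    msg = "\n".join([request_id, target_tenant, target_user]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_cross_tenant(principal: Principal, request: Request,
                           key: bytes = DEMO_SIGNING_KEY) -> Decision:
    target_tenant = request.headers.get(TARGET_TENANT_HEADER, "")
    target_user = request.headers.get(TARGET_USER_HEADER, "")
    presented_sig = request.headers.get(SIGNATURE_HEADER, "")

    # Dual attribution: actor and target are both on every event, allowed or denied.
    event = {
        "actor_user_id": principal.user_id,
        "actor_tenant": principal.tenant,
        "target_tenant": target_tenant,
        "target_user": target_user,
        "path": request.path,
        "request_id": request.request_id,
    }

    def deny(reason: str) -> Decision:
        log.warning("cross-tenant DENIED %s %s", reason, json.dumps(event))
        return Decision(False, reason, event)

    if not target_tenant:
        return deny("no cross-tenant opt-in header present")
    if principal.tenant != INTERNAL_TENANT:
        return deny("caller is not in the internal admin tenant")
    if not principal.membership_active:
        return deny("admin membership is not active")
    if principal.mfa_passed_for_request != request.request_id:
        return deny("MFA was not completed for this request")
    expected_sig = sign_opt_in(request.request_id, target_tenant, target_user, key)
    if not hmac.compare_digest(presented_sig, expected_sig):
        return deny("opt-in signature does not match request")

    log.warning("cross-tenant ALLOWED %s", json.dumps(event))
    return Decision(True, "ok", event)


# Constructed sample identities and a helper that builds a correctly signed request.
ADMIN = Principal("u-admin-1", INTERNAL_TENANT, True, "req-001")
CUSTOMER_USER = Principal("u-cust-9", "acme-corp", True, "req-001")


def signed_request(request_id: str, target_tenant: str, target_user: str) -> Request:
    return Request(
        path=f"/admin/tenants/{target_tenant}/users/{target_user}",
        request_id=request_id,
        headers={
            TARGET_TENANT_HEADER: target_tenant,
            TARGET_USER_HEADER: target_user,
            SIGNATURE_HEADER: sign_opt_in(request_id, target_tenant, target_user),
        },
    )
```

The signature covers the request id, so an opt-in header lifted from one request does not validate on another, and the MFA field is compared against the same request id, which is what makes the MFA per-request rather than per-session.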
Workload Identity Federation attribute conditions tightened across all environments.
The WIF provider's attribute condition now enforces four invariants before issuing a token: project, ref equals main, ref type is branch (not tag), and namespace is scyai-prod. Feature-branch and tag pipelines cannot obtain deployer credentials.
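The four invariants, as an added example that mirrors what the provider's attribute condition enforces (this is not ScyAI's infra/ Terraform): each GitLab OIDC token is checked for project, ref, ref type and namespace, and the tag case shows why `ref == main` alone is not enough, since a git tag can also be named `main`. The claim names are GitLab's documented ID-token claims; the project path and the CEL string's exact form are assumptions, and the sample tokens are constructed.

```python
"""Check GitLab OIDC token claims against the four WIF attribute-condition invariants.

Added illustration, not ScyAI's infra/ code. Claim names (project_path, ref,
ref_type, namespace_path) are GitLab's documented ID-token claims; the project
path is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

EXPECTED_NAMESPACE = "scyai-prod"           # from the page
EXPECTED_PROJECT = "scyai-prod/platform"    # constructed placeholder
EXPECTED_REF = "main"
EXPECTED_REF_TYPE = "branch"

# Shape of the equivalent CEL condition on the WIF provider (assumption: the real
# condition lives in infra/ and is not reproduced here).
CEL_CONDITION = (
    f'assertion.project_path == "{EXPECTED_PROJECT}" && '
    f'assertion.ref == "{EXPECTED_REF}" && '
    f'assertion.ref_type == "{EXPECTED_REF_TYPE}" && '
    f'assertion.namespace_path == "{EXPECTED_NAMESPACE}"'
)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_invariants: Tuple[str, ...]


def evaluate_attribute_condition(claims: Dict[str, str]) -> Decision:
    """Return which invariants the token fails; all four must hold before a
    deployer credential is issued."""
    checks = (
        ("project", claims.get("project_path") == EXPECTED_PROJECT),
        ("ref", claims.get("ref") == EXPECTED_REF),
        ("ref_type", claims.get("ref_type") == EXPECTED_REF_TYPE),
        ("namespace", claims.get("namespace_path") == EXPECTED_NAMESPACE),
    )
    failed = tuple(name for name, ok in checks if not ok)
    return Decision(allowed=not failed, failed_invariants=failed)


def _token(project: str, ref: str, ref_type: str, namespace: str) -> Dict[str, str]:
    """Build the subset of a GitLab ID token that the condition inspects."""
    return {"project_path": project, "ref": ref,
            "ref_type": ref_type, "namespace_path": namespace}


# Constructed sample tokens covering the cases the page calls out.
MAIN_PIPELINE = _token(EXPECTED_PROJECT, "main", "branch", EXPECTED_NAMESPACE)
FEATURE_BRANCH = _token(EXPECTED_PROJECT, "feature/new-ui", "branch", EXPECTED_NAMESPACE)
TAG_NAMED_MAIN = _token(EXPECTED_PROJECT, "main", "tag", EXPECTED_NAMESPACE)
FORK_PIPELINE = _token("contractor/platform", "main", "branch", "contractor")

if __name__ == "__main__":
    for name, tok in [("main pipeline", MAIN_PIPELINE), ("feature branch", FEATURE_BRANCH),
                      ("tag named main", TAG_NAMED_MAIN), ("fork pipeline", FORK_PIPELINE)]:
        print(f"{name:16s} -> {evaluate_attribute_condition(tok)}")
```

Keeping the evaluation in plain code next to the CEL string gives a cheap regression check: if the Terraform condition is edited, the same four sample tokens can be replayed against the new condition to confirm that only the main-branch pipeline still passes.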
365-day immutable audit log retention now live across all environments.
An organisation-level GCP log sink streams every audit, Cloud Run, and HTTP load balancer log line to a dedicated central-logging GCP project. The log bucket has retention lock — logs cannot be deleted before expiry. Logs are streamed into a BigQuery dataset with SQL access for forensics, compliance evidence, and dashboards.
What customers and auditors ask first.
The questions our customers and their auditors ask most — answered the way our engineers would explain them, not the way marketing would.
We are SOC 2 Type 1 audit-ready now. Sixteen formal policies are signed, all controls are operating in production, and evidence is assembled. Auditor selection is in progress and engagement is targeted within the current quarter. SOC 2 Type 2 follows directly — the observation window opens the day Type 1 closes. Because every technical control is already live, the Type 2 window is observation, not remediation.