Certified

SOC 2 Type II

Citelock is SOC 2 Type II certified. Our controls are independently audited annually by a licensed CPA firm against the AICPA Trust Services Criteria.

What SOC 2 Type II means

A SOC 2 Type II audit is conducted by an independent CPA firm that examines a service organization's controls over an extended period — typically 12 months. Unlike a Type I audit, which is a point-in-time snapshot, a Type II audit evaluates whether the described controls actually operated effectively throughout the audit period.

For customers handling sensitive legal data, litigation records, and employee personal information, SOC 2 Type II certification provides third-party assurance that our security, availability, and confidentiality controls are not just documented — they work in practice, consistently, over time.

Trust Service Criteria covered

Security (CC)
Common Criteria

Logical and physical access controls, change management, risk assessment, vendor management, and incident response. The foundational criteria required in every SOC 2 audit.

Availability (A)
System Availability

Infrastructure monitoring, redundancy, disaster recovery, and backup procedures that support our 99.9% uptime SLA commitment. Critical for legal teams who cannot afford platform downtime during active matters.

Confidentiality (C)
Data Confidentiality

Controls governing how confidential information — including matter records, hold notices, and custodian data — is identified, protected, and restricted throughout its lifecycle.

Controls in scope

Our audit covers controls across the following domains:

  • Encryption at rest (AES-256) and in transit (TLS 1.3) for all Customer Data
  • Role-based access controls and the principle of least privilege for production systems
  • Multi-factor authentication required for all personnel with privileged access
  • Annual third-party penetration testing with findings tracked to remediation
  • Continuous vulnerability scanning and automated dependency auditing
  • Background checks and security awareness training for all employees
  • Vendor risk management and sub-processor due diligence
  • Incident response procedures with documented detection, containment, and recovery steps
  • Change management controls governing deployments to production
  • Backup testing and disaster recovery drills conducted at least annually

Request the full report

The full SOC 2 Type II report is available to qualified prospects and existing customers under NDA. Enterprise customers can access it through their account representative.

Typically fulfilled within 1 business day for prospects with a signed NDA.