SOC 2

Exaba holds a SOC 2 Type I report from an independent auditor, covering the Security trust services criterion. The report is available to qualifying customers and prospects under NDA on request.

What SOC 2 Type I covers

A Type I report attests that, at a defined point in time, Exaba’s controls are designed appropriately to meet the SOC 2 Security criteria. The report covers Exaba’s product engineering, build, and release processes, not customer deployments.

The control set is supported by a regular penetration-testing cadence operated by an internal red team. Findings flow into the SOC 2 evidence pool, so adversarial assurance evidence is current across the audit window rather than collected only at audit boundaries.

What SOC 2 Type II is

Type II additionally tests that the same controls operated effectively over a sustained period (typically 12 months). Exaba does not currently hold a SOC 2 Type II report. A Type II audit is targeted within approximately three months; talk to your account contact for the current timeline.

Customer responsibilities under SOC 2

A SOC 2 report on the product does not transfer to customer deployments. Operators remain responsible for:

  • Their own SOC 2 / ISO 27001 / sector-specific certification scope.
  • Cluster configuration, IAM policies, retention settings, and evidence collection appropriate to their compliance regime.
  • Verification that their deployment matches the assumptions stated in the SOC 2 report (available under NDA).

Exaba supplies the technical building blocks (mTLS-everywhere via Zero Trust Architecture, structured audit logging, FIPS-aware cryptography, and a hardware-rooted KMS) that make those evidence-collection workflows tractable.

Data protection (GDPR, LGPD)

Exaba is software you run on your own infrastructure, so personal data stays in your environment and jurisdiction; Exaba does not host or process your data. For GDPR, LGPD, and similar regimes, Exaba provides the technical controls that support your compliance (encryption at rest and in transit, IAM and access control, audit logging, and immutability), while data residency and processing decisions remain yours. A formal data-protection posture is available under NDA.

Requesting the report

Contact your Exaba account representative or support@exaba.com. An NDA is required before the report is released.