What is SOC 2?
SOC 2 (System and Organization Controls 2) is a security framework developed by the American Institute of CPAs (AICPA). It defines criteria for managing customer data based on five Trust Service Criteria:

| Criteria | Description |
|---|---|
| Security | Protection against unauthorized access |
| Availability | System accessible as agreed |
| Processing Integrity | System processing is complete, accurate, timely |
| Confidentiality | Information designated as confidential is protected |
| Privacy | Personal information is collected, used, retained, and disposed of appropriately |
Bota’s SOC 2 Certification
Type II Certification
Bota has achieved SOC 2 Type II certification, which means:

- An independent auditor has examined our controls over an extended period (typically 6-12 months)
- Our controls are not just designed appropriately, but operate effectively over time
- We undergo annual re-certification audits
Request SOC 2 Report
Contact [email protected] to request our SOC 2 Type II report under NDA
Trust Service Criteria Covered
Our SOC 2 report covers:

| Criteria | Status |
|---|---|
| Security | Covered |
| Availability | Covered |
| Confidentiality | Covered |
Security Controls
Access Management
| Control | Implementation |
|---|---|
| Identity Management | SSO with MFA required for all employees |
| Least Privilege | Role-based access, quarterly access reviews |
| Privileged Access | Just-in-time access for production systems |
| Offboarding | Automated deprovisioning within 24 hours |
Infrastructure Security
| Control | Implementation |
|---|---|
| Cloud Provider | AWS with SOC 2, ISO 27001 certifications |
| Network Security | VPC isolation, security groups, WAF |
| Vulnerability Management | Automated scanning, 30-day remediation SLA |
| Penetration Testing | Annual third-party pen tests |
Data Protection
| Control | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ for all connections |
| Encryption at Rest | AES-256 for all stored data |
| Key Management | AWS KMS with automatic rotation |
| Backup Encryption | Encrypted backups with separate keys |
Monitoring and Logging
| Control | Implementation |
|---|---|
| Audit Logging | All system and user actions logged |
| Log Retention | Minimum 1 year retention |
| SIEM | Centralized security monitoring |
| Alerting | 24/7 security event monitoring |
Incident Response
| Control | Implementation |
|---|---|
| Incident Plan | Documented incident response procedures |
| Response Team | Dedicated security incident response team |
| Communication | Customer notification within 24 hours |
| Post-Incident | Root cause analysis and remediation |
Availability Controls
Infrastructure Reliability
| Control | Implementation |
|---|---|
| Multi-AZ Deployment | Services deployed across multiple availability zones |
| Auto-Scaling | Automatic capacity scaling based on demand |
| Load Balancing | Distributed traffic across healthy instances |
| Database Redundancy | Multi-AZ database with automatic failover |
Disaster Recovery
| Control | Implementation |
|---|---|
| Backup Frequency | Daily backups with point-in-time recovery |
| Backup Testing | Quarterly restoration testing |
| RTO | 4-hour recovery time objective |
| RPO | 1-hour recovery point objective |
Uptime
We target 99.9% uptime for the Bota API. Current status is available at status.bota.dev.
Confidentiality Controls
Data Classification
| Classification | Description | Examples |
|---|---|---|
| Confidential | Customer data requiring highest protection | Audio recordings, transcriptions, PHI |
| Internal | Bota operational data | System logs, metrics |
| Public | Publicly available information | Documentation, marketing |
Data Handling
| Control | Implementation |
|---|---|
| Access Logging | All access to confidential data logged |
| Data Minimization | Only collect data necessary for service |
| Retention Limits | Configurable retention with automatic deletion |
| Secure Disposal | Cryptographic erasure for deleted data |
Third-Party Management
| Control | Implementation |
|---|---|
| Vendor Assessment | Security review before onboarding vendors |
| Contractual Controls | Data protection requirements in contracts |
| Annual Reviews | Ongoing vendor security assessments |
Compliance Program
Governance
- Security Team: Dedicated security and compliance team
- Security Officer: Designated CISO responsible for security program
- Board Oversight: Regular security updates to leadership
Policies
We maintain comprehensive security policies covering:

- Information Security
- Access Control
- Data Classification
- Incident Response
- Business Continuity
- Acceptable Use
- Vendor Management
Employee Security
| Control | Implementation |
|---|---|
| Background Checks | Pre-employment screening for all employees |
| Security Training | Annual security awareness training |
| Secure Development | OWASP training for engineering team |
| Policy Acknowledgment | Annual policy review and sign-off |
Requesting Our SOC 2 Report
Our SOC 2 Type II report is available to customers and prospects under NDA.

1. Submit Request: Email [email protected] with your company name and use case
2. Sign NDA: We’ll send a mutual NDA for signature
3. Receive Report: Once the NDA is executed, we’ll share the full SOC 2 report, which includes:
- Independent auditor’s opinion
- Description of Bota’s systems
- Trust Service Criteria tested
- Control activities and test results
- Management’s assertion
Other Certifications
| Certification | Status | Details |
|---|---|---|
| SOC 2 Type II | Certified | Annual audit |
| HIPAA | Compliant | BAA available |
| GDPR | Compliant | EU data protection |
Frequently Asked Questions
What's the difference between SOC 2 Type I and Type II?
Type I examines controls at a point in time. Type II examines controls over a period (typically 6-12 months), providing assurance that controls operate effectively. Bota has Type II certification.
How often is Bota audited?
We undergo annual SOC 2 Type II audits. Our audit period typically runs from January to December, with reports issued in Q1 of the following year.
Can I share the SOC 2 report with my auditors?
Do you have a SOC 2 bridge letter?
If our current report doesn’t cover your audit period, we can provide a bridge letter confirming no material changes since the last audit. Contact [email protected].
What about SOC 1?
SOC 1 focuses on financial reporting controls. As Bota does not process financial transactions, SOC 2 is the appropriate standard for our services.
Contact
For SOC 2 and security questions: Email: [email protected] Subject: SOC 2 Inquiry
Last updated: January 15, 2025