Platform · Security & SOC 2

The security posture enterprise procurement asks for.

SOC 2 Type II, GDPR-ready, custom DPA, pen-tested annually, encrypted at rest + in transit, data residency in US / EU / UK. The boring-but-required stuff, done right.

Security questionnaires used to be a four-week sprint. With ScendCore, you point procurement at our trust center, attach our SOC 2 report + DPA, and move on. Most enterprise reviews close in under a week.

Continuously attested
SOC 2 Type II · refreshed annually
In this explainer
  1. SOC 2 Type II
  2. Encryption
  3. Pen Testing
  4. DPA + GDPR
  5. Incident Response
Phase 01

SOC 2 Type II · Continuous compliance

Type II report refreshed annually by an independent Big-4 auditor. Continuous monitoring via Drata between audits — we don't wait for the auditor to find drift.

Latest report available under NDA in the trust center; bridge letters for the gap period included.

Specification
  • 1.1 SOC 2 Type II — refreshed annually
  • 1.2 Continuous compliance monitoring (Drata)
  • 1.3 Bridge letters between audit periods
  • 1.4 ISO 27001 on roadmap (target 2027)
Phase 02

Encryption · AES-256 + TLS 1.3

At rest: AES-256 on every database + object store. In transit: TLS 1.3 on every connection. Key management via AWS KMS with rotation. Customer-managed keys available on Enterprise.

Specification
  • 2.1 AES-256 at rest · TLS 1.3 in transit
  • 2.2 AWS KMS-managed keys with annual rotation
  • 2.3 Customer-managed keys (CMK) on Enterprise
  • 2.4 Encrypted backups + air-gapped DR copies
Phase 03

Pen Testing · Annual + on-release

Annual full external + internal pen test by an accredited firm. Additional targeted tests on major releases. Findings tracked in our security tracker; high/critical resolved before deploy.

Latest pen test summary available under NDA.

Specification
  • 3.1 Annual full pen test (external + internal)
  • 3.2 Targeted pen test on major releases
  • 3.3 Bug bounty program (private, invite-only)
  • 3.4 All high/critical findings resolved pre-deploy
Phase 04

DPA + GDPR · Custom + standard

Standard DPA available for self-serve sign-up. Custom DPA + sub-processor list negotiable on Enterprise. EU representative + UK representative on file.

Specification
  • 4.1 Standard DPA included in ToS
  • 4.2 Custom DPA with redlines on Enterprise
  • 4.3 EU + UK representatives on file
  • 4.4 Sub-processor list published + 30d change notice
Phase 05

Incident Response · <15min triage

Documented incident response plan. PagerDuty rotation 24/7. Customer notification within 24h of confirmed security incident. Post-mortem published for all severity 1 + 2 incidents.

Specification
  • 5.1 Documented IR plan + runbooks
  • 5.2 24/7 on-call rotation
  • 5.3 Customer notification <24h of confirmed incident
  • 5.4 Public post-mortem for sev-1 + sev-2 incidents

Procurement says yes faster.

SOC 2 + DPA + pen test + encryption + data residency. The full posture, ready to attach.

ScendCore

The AI system that runs your customer-facing work. Find, engage, and qualify prospects. Follow up, convert, and support customers — governed end to end.

© 2026 ScendCore. All rights reserved.