Energent.ai SOC 2 Security Whitepaper

2025-05-27

Version 2.0 - SOC 2 Compliance Framework

  • Authors: Energent.ai Security & Engineering Team
  • Classification: Public
  • Last Updated: 2025-05-27
  • Next Review: 2025-08-27

Executive Summary

Energent.ai delivers an AI-powered virtual desktop agent that automates complex multi-application workflows for enterprise users. This whitepaper provides a comprehensive security analysis of the Energent platform aligned with SOC 2 Trust Service Criteria (TSC). Our security framework achieves a 99.9% uptime SLA with <15 minute incident response times and demonstrates compliance with all five SOC 2 Trust Service Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Key SOC 2 Compliance Metrics:

  • Zero critical security incidents in production (2024)
  • <24 hours critical vulnerability remediation time
  • 256-bit AES encryption for all data at rest and in transit
  • Multi-factor authentication required for 100% of user access
  • Continuous monitoring with 24/7 SOC coverage
  • SOC 2 Type II audit currently under review (ETA Q3 2025)

1 Introduction & Scope

1.1 Purpose & Objectives

This document demonstrates Energent.ai's alignment with SOC 2 Trust Service Criteria and enables security, IT, and compliance teams to evaluate our SOC 2 compliance posture. It provides:

  • SOC 2 Trust Service Criteria mapping with detailed control implementations
  • Evidence documentation for SOC 2 audit requirements
  • Operational security procedures aligned with SOC 2 requirements
  • Continuous monitoring framework for SOC 2 compliance maintenance

1.2 SOC 2 Audit Scope & Boundaries

| Deployment Model | SOC 2 Scope | Data Processing | Trust Service Categories |
|---|---|---|---|
| Energent Cloud (SaaS) | Primary audit scope | Customer data processing | Security, Availability, Confidentiality, Privacy |
| Private Cloud (VPC) | Shared responsibility model | Customer-controlled processing | Security, Availability, Processing Integrity |
| On-Premises (VM) | Software delivery only | Customer-managed processing | Security, Processing Integrity |

1.3 SOC 2 Compliance Status

  • Current Status: SOC 2 Type II audit under review
  • Expected Completion: Q3 2025
  • Audit Firm: Vanta
  • Audit Period: 12 months ending Q3 2025


2 SOC 2 Trust Service Criteria Overview

2.1 Trust Service Categories

2.1.1 Security (CC1.0 - CC8.0)

Objective: Information and systems are protected against unauthorized access, unauthorized disclosure, and damage.

Scope: All Energent systems, applications, and data processing activities.

2.1.2 Availability (A1.1 - A1.3)

Objective: Information and systems are available for operation and use as committed or agreed.

Scope: Energent Cloud SaaS platform with 99.9% uptime commitment.

2.1.3 Processing Integrity (PI1.1 - PI1.3)

Objective: System processing is complete, valid, accurate, timely, and authorized.

Scope: AI workflow processing, data transformation, and automation execution.

2.1.4 Confidentiality (C1.1 - C1.2)

Objective: Information designated as confidential is protected as committed or agreed.

Scope: Customer proprietary data, business logic, and confidential information.

2.1.5 Privacy (P1.1 - P9.1)

Objective: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments.

Scope: Personal information processed within customer workflows.


3 Security Architecture

3.1 SOC 2 Security Architecture Overview

┌──────────────────────────────────────────────────────────────┐
│                   SOC 2 COMPLIANCE BOUNDARY                  │
│  ┌─────────────────┐  ┌─────────────────┐  ┌──────────────┐  │
│  │   Admin Console │  │  Control Plane  │  │  Data Plane  │  │
│  │                 │  │                 │  │              │  │
│  │ • WAF (CC6.1)   │  │ • Zero Trust    │  │ • Encryption │  │
│  │ • TLS 1.3(CC6.7)│  │ • mTLS (CC6.1)  │  │   (CC6.7)    │  │
│  │ • MFA (CC6.2)   │  │ • JWT (CC6.2)   │  │ • Key Mgmt   │  │
│  └─────────────────┘  └─────────────────┘  └──────────────┘  │
│           │                     │                    │       │
│           └─────────────────────┼────────────────────┘       │
│                                 │                            │
│  ┌─────────────────────────────────────────────────────────┐ │
│  │               AGENT RUNTIME (EDGE VM)                   │ │
│  │                (PI1.1 - Process Integrity)              │ │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────────┐  │ │
│  │  │   Sandbox   │  │  RPA Core   │  │  Computer Vision│  │ │
│  │  │ Environment │  │             │  │     Engine      │  │ │
│  │  │  (CC7.1)    │  │  (PI1.3)    │  │    (PI1.2)      │  │ │
│  │  └─────────────┘  └─────────────┘  └─────────────────┘  │ │
│  └─────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────┘

3.2 SOC 2 Trust Service Implementation

3.2.1 Common Criteria (Security) Implementation

| Control Point | SOC 2 Criteria | Implementation | Evidence |
|---|---|---|---|
| Control Environment | CC1.1-CC1.5 | CISO oversight, security policies, organization structure | Org charts, policy docs, training records |
| Communication & Information | CC2.1-CC2.3 | Security awareness, incident communication procedures | Training completion, communication logs |
| Risk Assessment | CC3.1-CC3.4 | Quarterly risk assessments, threat modeling | Risk registers, threat models, assessment reports |
| Monitoring Activities | CC4.1-CC4.2 | 24/7 SOC monitoring, compliance monitoring | SIEM logs, monitoring dashboards, alerts |
| Control Activities | CC5.1-CC5.3 | Automated controls, segregation of duties | Control test results, access reviews |
| Logical Access | CC6.1-CC6.8 | Multi-factor authentication, access provisioning | Access logs, authentication logs, user provisioning |
| System Operations | CC7.1-CC7.5 | Change management, system monitoring, data backup | Change logs, monitoring reports, backup tests |
| Change Management | CC8.1-CC8.2 | SDLC processes, emergency changes | Development procedures, change approvals |

4 Security Controls (Common Criteria)

4.1 Control Environment (CC1)

4.1.1 CISO and Security Organization (CC1.1)

Implementation:

  • Chief Information Security Officer (CISO) reports directly to CEO
  • Security team with defined roles and responsibilities
  • Regular board reporting on security posture

Evidence:

  • Organizational charts showing security reporting structure
  • Job descriptions and qualifications for security personnel
  • Board meeting minutes discussing security matters

4.1.2 Security Policies and Procedures (CC1.2)

Implementation:

  • Comprehensive security policy framework covering all SOC 2 areas
  • Annual policy review and approval process
  • Employee acknowledgment and training on policies

Evidence:

  • Security policy documents with approval signatures
  • Policy training completion records
  • Policy exception and approval processes

4.1.3 Security Awareness Training (CC1.3)

Implementation:

  • Mandatory annual security awareness training for all employees
  • Role-specific security training programs
  • Phishing simulation and security testing

Evidence:

  • Training completion records and certificates
  • Training content and curricula
  • Phishing simulation results and remediation

4.2 Logical and Physical Access Controls (CC6)

4.2.1 Multi-Factor Authentication (CC6.2)

| Control | Implementation | SOC 2 Evidence |
|---|---|---|
| User Authentication | TOTP + Hardware tokens (FIDO2) | Authentication logs showing MFA usage |
| Administrative Access | Certificate-based + time-limited | Admin access logs with certificate validation |
| API Authentication | OAuth 2.0 + JWT tokens | API access logs with token validation |
| Emergency Access | Break-glass procedures with approval | Emergency access logs and approvals |

4.2.2 Access Provisioning and Deprovisioning (CC6.3)

Implementation:

  • Automated user provisioning through HR systems
  • Role-based access control with approval workflows
  • Automated deprovisioning upon termination
  • Regular access reviews and recertification

Evidence:

  • User access provisioning logs and approvals
  • Termination checklists and deprovisioning confirmations
  • Quarterly access review results and attestations

5 Availability Controls

5.1 System Availability (A1.1)

5.1.1 Availability Commitment

  • Service Level Agreement: 99.9% uptime for Energent Cloud platform
  • Measurement Period: Monthly
  • Exclusions: Planned maintenance windows (max 4 hours/month)

5.1.2 Availability Monitoring

| Monitoring Component | Technology | Threshold | Response SLA |
|---|---|---|---|
| Application Health | AWS CloudWatch, Datadog | 99.9% availability | <5 minutes |
| Database Performance | RDS monitoring | <2s query response | <10 minutes |
| Network Connectivity | VPC monitoring | 100% reachability | <5 minutes |
| External Dependencies | Third-party monitoring | 99.5% availability | <15 minutes |

5.2 System Capacity (A1.2)

5.2.1 Capacity Planning and Management

Implementation:

  • Monthly capacity planning reviews
  • Auto-scaling configured for all critical components
  • Load testing performed quarterly
  • Performance benchmarking and trending

Evidence:

  • Capacity planning reports and projections
  • Auto-scaling configuration and test results
  • Load testing reports and performance metrics

5.3 System Monitoring and Incident Response (A1.3)

5.3.1 24/7 System Monitoring

SOC 2 Implementation:

  • Real-time monitoring of all system components
  • Automated alerting for availability issues
  • Escalation procedures for critical incidents
  • Mean Time to Detection (MTTD): <3 minutes

Evidence:

  • Monitoring dashboard screenshots and configurations
  • Alert logs and escalation procedures
  • Incident response time metrics and analysis

6 Processing Integrity Controls

6.1 Processing Integrity Objectives (PI1.1)

6.1.1 Data Processing Accuracy

Implementation:

  • Input validation and data integrity checks
  • Automated error detection and correction
  • Processing audit trails and logging
  • Regular data quality assessments

Evidence:

  • Data validation rules and test results
  • Error logs and correction procedures
  • Processing audit logs with integrity checks

6.2 Processing Completeness (PI1.2)

6.2.1 Transaction Processing Controls

| Control Area | Implementation | Validation Method |
|---|---|---|
| Input Validation | Schema validation, boundary checks | Input validation test results |
| Processing Controls | Checksums, sequence numbering | Processing control test logs |
| Output Validation | Format checks, completeness verification | Output validation reports |
| Exception Handling | Automated retry, error notification | Exception handling logs |

6.3 Processing Authorization (PI1.3)

6.3.1 Workflow Authorization Controls

Implementation:

  • Role-based workflow permissions
  • Approval workflows for sensitive operations
  • Audit logging of all processing activities
  • Segregation of duties for critical processes

Evidence:

  • Workflow permission matrices and approvals
  • Processing authorization logs
  • Segregation of duties documentation

7 Confidentiality Controls

7.1 Confidentiality Agreements (C1.1)

7.1.1 Data Classification and Handling

| Classification Level | Handling Requirements | Access Controls | Retention Policy |
|---|---|---|---|
| Confidential | Encryption required, access logging | Role-based access, MFA required | Customer-defined |
| Internal | Standard protection | Employee access only | 1 year default |
| Public | No special requirements | General access | Indefinite |

7.1.2 Confidentiality Commitments

  • Customer Data: All customer data treated as confidential
  • Access Controls: Strict need-to-know basis
  • Encryption: AES-256 encryption for all confidential data
  • Audit Logging: All access to confidential data logged

7.2 Confidentiality Processing (C1.2)

7.2.1 Data Protection Implementation

| Data State | Encryption Method | Key Management | Access Controls |
|---|---|---|---|
| At Rest | AES-256-GCM with CMK | AWS KMS with auto-rotation | IAM policies, MFA |
| In Transit | TLS 1.3 with PFS | Certificate Manager | mTLS authentication |
| In Processing | Application-level encryption | Hardware security modules | Process isolation |
| Backup | Encrypted backups | Cross-region replication | Encrypted key storage |

8 Privacy Controls

8.1 Privacy Notice and Choice (P1.1 - P2.1)

8.1.1 Privacy Notice Requirements

Implementation:

  • Clear privacy notices provided to data subjects
  • Notice of processing purposes and data types
  • Contact information for privacy inquiries
  • Regular review and updates of privacy notices

Evidence:

  • Privacy notice documents and versions
  • Privacy notice delivery confirmations
  • Privacy inquiry logs and responses

8.2 Collection and Data Quality (P3.1 - P4.2)

8.2.1 Data Collection Controls

| Privacy Control | Implementation | Validation |
|---|---|---|
| Collection Limitation | Minimum necessary data collection | Data mapping and necessity assessments |
| Data Quality | Automated data validation | Data quality reports and metrics |
| Consent Management | Explicit consent mechanisms | Consent audit trails and records |
| Purpose Limitation | Data used only for stated purposes | Purpose limitation assessments |

8.3 Data Retention and Disposal (P5.1 - P6.1)

8.3.1 Retention and Disposal Procedures

Implementation:

  • Automated data retention policies
  • Secure data disposal procedures
  • Regular data inventory and cleanup
  • Customer-controlled retention settings

Evidence:

  • Data retention policy documentation
  • Data disposal logs and certifications
  • Customer retention setting configurations

9 Operational Security

9.1 Security Operations Center (SOC)

9.1.1 24/7 SOC 2 Monitoring

| SOC 2 Requirement | Monitoring Implementation | Evidence Type |
|---|---|---|
| CC4.1 - Monitoring | Real-time SIEM monitoring | SIEM logs and dashboards |
| CC7.2 - System Monitoring | Infrastructure monitoring | System performance reports |
| A1.3 - Incident Response | Automated incident detection | Incident response logs |
| CC7.4 - Data Backup | Backup monitoring and testing | Backup test results |

9.2 Vulnerability Management (CC7.1)

9.2.1 SOC 2 Vulnerability Assessment Program

| Assessment Type | SOC 2 Alignment | Frequency | Evidence Documentation |
|---|---|---|---|
| Infrastructure Scanning | CC7.1 System Operations | Weekly | Vulnerability scan reports |
| Application Security Testing | CC8.1 Change Management | Per release | Security testing reports |
| Penetration Testing | CC3.2 Risk Assessment | Annually | Penetration test reports |
| Security Code Review | CC8.1 Change Management | Per commit | Code review documentation |

9.3 Incident Response (CC7.3)

9.3.1 SOC 2 Incident Response Procedures

Incident Classification for SOC 2:

| Severity | SOC 2 Impact | Response Time | Notification Requirements |
|---|---|---|---|
| Critical (P0) | Service unavailability, data breach | <15 minutes | Customer notification <4 hours |
| High (P1) | Significant service degradation | <1 hour | Customer notification <24 hours |
| Medium (P2) | Minor service impact | <4 hours | Internal notification only |
| Low (P3) | No service impact | <24 hours | Internal notification only |

10 SOC 2 Evidence & Documentation

10.1 SOC 2 Control Testing Evidence

10.1.1 Common Criteria Evidence

| Control Family | Evidence Type | Collection Frequency | Retention Period |
|---|---|---|---|
| Control Environment (CC1) | Policy documents, training records | Annually | 7 years |
| Risk Assessment (CC3) | Risk assessments, threat models | Quarterly | 3 years |
| Monitoring (CC4) | SIEM logs, monitoring reports | Continuous | 7 years |
| Logical Access (CC6) | Access logs, provisioning records | Daily | 7 years |
| System Operations (CC7) | Change logs, backup tests | Continuous | 7 years |

10.1.2 Trust Service Category Evidence

| Trust Service | Evidence Requirements | Sample Evidence |
|---|---|---|
| Availability | Uptime reports, capacity planning | Monthly availability reports |
| Processing Integrity | Data validation logs, error reports | Processing integrity test results |
| Confidentiality | Encryption evidence, access controls | Encryption implementation documentation |
| Privacy | Privacy notices, consent records | Privacy impact assessments |

10.2 SOC 2 Audit Readiness

10.2.1 Audit Documentation Repository

Centralized Evidence Collection:

  • Automated evidence collection systems
  • Version-controlled documentation
  • Real-time compliance dashboards
  • Audit trail preservation

Audit Support Process:

  • Dedicated audit liaison team
  • Evidence request tracking system
  • Auditor workspace provisioning
  • Sample selection automation

11 Continuous Monitoring & Improvement

11.1 SOC 2 Compliance Monitoring

11.1.1 Continuous Control Monitoring

| Control Category | Monitoring Method | Frequency | Automated Testing |
|---|---|---|---|
| Access Controls | SIEM monitoring | Real-time | Daily automated tests |
| Change Management | Version control integration | Per change | Automated approval workflows |
| Backup Procedures | Automated backup testing | Daily | Restore testing weekly |
| Vulnerability Management | Continuous scanning | Daily | Auto-remediation for critical |

11.1.2 SOC 2 Metrics and KPIs

| SOC 2 Metric | Target | Current Performance | Trend |
|---|---|---|---|
| Control Test Pass Rate | 100% | 99.8% | ↑ Stable |
| Evidence Collection Automation | 95% | 92% | ↑ Improving |
| Incident Response Time | <15 minutes | 12.8 minutes | ↓ Improving |
| Availability SLA Achievement | 99.9% | 99.95% | ↑ Exceeding |

11.2 SOC 2 Continuous Improvement

11.2.1 Control Enhancement Program

Quarterly Review Process:

  • Control effectiveness assessment
  • Gap analysis and remediation planning
  • Process improvement implementation
  • Stakeholder feedback integration

Annual SOC 2 Program Review:

  • Complete control framework assessment
  • Trust Service Criteria alignment review
  • Audit readiness evaluation
  • Strategic compliance planning

