Areebi does not yet hold a SOC 2 Type II report. We publish our readiness against each Trust Services Criterion publicly so you can verify our progress without a sales call. The SOC 2 Type II audit is planned for Q3 2026.
Overall readiness (self-attested)
Weighted across 20 Trust Services Criteria. Status weights: drafting 25%, in review 50%, implemented 75%, audited 100%.
This bar will become "Audited" (100%) only when a SOC 2 Type II report is issued by a licensed CPA firm. Until then, every status is self-attested.
Each Trust Services Category contributes to the overall SOC 2 report. Coverage decisions for the audit will lock in Q2 2026.
Common Criteria (CC1-CC9)
Availability (A1)
Confidentiality (C1)
Processing Integrity (PI1)
Privacy (P1-P8)
A control is only audited when verified by our SOC 2 auditor. Everything else is self-attested.
CC1 (Control Environment): Commitment to integrity and ethical values, board independence, organizational structure, commitment to competence, and accountability for internal control.
Evidence note: Code of conduct + ethics policy in place. Founding team accountability documented.
CC2 (Communication and Information): Internal and external communication policies, communication of objectives and responsibilities, communication channels for reporting issues.
Evidence note: Internal comms playbook drafted. External vulnerability disclosure policy live at security.txt.
CC3 (Risk Assessment): Specifies suitable objectives, identifies risks to achieving objectives, considers fraud risk, identifies and analyzes changes.
Evidence note: Risk register v1 in progress. Aligned to NIST AI RMF and ISO/IEC 42001 control families.
CC4 (Monitoring Activities): Selects and develops ongoing or separate evaluations, evaluates and communicates deficiencies.
Evidence note: Quarterly internal review cadence drafted; first review scheduled Q2 2026.
CC5 (Control Activities): Selects and develops control activities and general controls over technology, deploys through policies and procedures.
Evidence note: Control matrix mapped to platform features. Per-control evidence collection automated where possible.
CC6 (Logical and Physical Access Controls): Logical and physical access management, registration and authorization of users, identification and authentication, and credential management.
Evidence note: SSO/SAML enforced for the Areebi tenant. Hardware MFA for engineering. Customer-side: SSO + MFA + workspace isolation enforced.
CC7 (System Operations): Manages system operations including detection of and response to security incidents, monitoring of system performance.
Evidence note: Incident response runbook drafted. Monitoring via Datadog. AI-specific incident classifications mapped to NIST AI 600-1 GAI Profile.
CC8 (Change Management): Authorizes, designs, develops, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Evidence note: GitHub branch protection on main. CI gates (lint, typecheck, build, honesty grep gates). Squash-merge only. Decisions log for every content / strategic change.
CC9 (Risk Mitigation): Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions, identifies vendor and business partner risks.
Evidence note: Sub-processor inventory in place. Vendor risk assessment process being formalized.
A1 (Availability): Maintains capacity planning, environmental protections, disaster recovery, and business continuity procedures.
Evidence note: Customer-deployed (on customer infrastructure) by default; SLA framework being defined for the hosted tier.
C1 (Confidentiality): Identifies and protects confidential information from unauthorized access, use, or disclosure.
Evidence note: AES-256 encryption at rest, TLS 1.3 in transit. Customer-managed encryption keys supported. DLP engine for AI interactions.
PI1 (Processing Integrity): System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Evidence note: Audit trail for every AI interaction. Immutable logs. Policy enforcement verified at runtime.
P1 (Notice): Privacy notices and communication of privacy practices to data subjects.
Evidence note: Privacy policy at /legal/privacy. DPA available pre-sales at /legal/dpa.
P2 (Choice and Consent): Choice and consent mechanisms for collection, use, retention, disclosure, and disposal of personal information.
Evidence note: Cookie consent banner. Plausible analytics is cookie-free by default. Newsletter opt-in.
P3 (Collection): Collection of personal information is limited to the purposes identified in the notice.
Evidence note: Data minimization principle applied to lead forms. Working to reduce default fields further.
P4 (Use, Retention, and Disposal): Personal information is used, retained, and disposed of consistent with the notice.
Evidence note: Retention schedule drafted. Automatic purge of inactive leads after 24 months.
P5 (Access): Data subjects can access their personal information for review and update.
Evidence note: GDPR subject access request (SAR) process drafted. Will offer self-serve via /legal/privacy by Q3 2026.
P6 (Disclosure and Notification): Personal information is disclosed only as identified in the notice or as authorized by the individual.
Evidence note: Sub-processor inventory published at /trust. DPA covers third-party disclosure rules.
P7 (Quality): Maintains accurate, complete, and relevant personal information.
Evidence note: Lead profile update flow planned. CRM data hygiene cadence being defined.
P8 (Monitoring and Enforcement): Monitors compliance with its privacy policies and procedures and addresses privacy-related complaints.
Evidence note: Privacy complaint handling process planned for Q3 2026.
We will email subscribers and post on our blog. You can also reach our compliance team directly.