Built for the controls your CISO will ask about.
ArthurAI™ Corporate Learning Edition ships with a SOC 2 Type 2 readiness posture: control narratives drafted, evidence-collection automated, a defined audit window planned. Type 2 attestation timing is announced when the audit window completes and the report is finalized. Institutional buyers can request the current readiness summary under NDA.
The five Trust Services Criteria
- Security. The default scope. Encryption at rest and in transit, identity-and-access management, network isolation, vulnerability management, audit logging — see the security pillars and security FAQ for the engineering substance.
- Availability. Health checks, dependency monitoring, incident-response procedure with severity classification and notification cadence. Front Door Premium fronting every public surface with Azure DDoS Standard. See incident response.
- Confidentiality. Multi-tenant isolation across five layers. Tenant-scoped Blob containers. RBAC by profile type. JWT-based tenant scoping. See multi-tenant isolation.
- Processing integrity. Pre-LLM and post-LLM guardrails. Schema validation. Citation discipline. Audit-log writes. See responsible AI.
- Privacy. Data-handling policy, data-subject rights support, GDPR / CCPA / FERPA / regional alignment. See data handling.
Control narratives
Control narratives have been drafted for the security and confidentiality Trust Services Criteria, with availability, processing integrity, and privacy in active drafting. Each narrative documents the control objective, the implemented control, the responsible team, the testing methodology, and the evidence record. Narratives are reviewed quarterly and updated as the platform evolves.
Evidence-collection automation
Evidence collection is automated where the underlying control produces machine-readable signals: configuration drift detection through Azure Policy, change-control evidence through Azure DevOps Pipelines and pull-request audit history, access reviews through Microsoft Entra ID, and audit-log sampling from the platform's structured audit trail. Manual evidence (training records, vendor reviews, policy attestations) follows a documented quarterly collection cadence.
The audit window
A SOC 2 Type 2 audit window typically spans six to twelve months of operation under the documented controls. The audit window for ArthurAI™ CLE is being defined; engagement with an independent SOC 2 auditor is scheduled, and the window will be announced once the auditor and the start date are confirmed. Until the Type 2 report is finalized, we describe the posture as “Type 2 readiness” — we do not claim attested Type 2.
Beyond SOC 2: ISO 27001, FedRAMP, HIPAA-adjacent posture
ISO 27001 alignment is on the roadmap; the controls substantially overlap with SOC 2 and many will be evidenced through the same automation. FedRAMP is not on the near-term roadmap; ArthurAI is not currently pursuing federal-government deployment. HIPAA-adjacent posture applies to ChironAI™, the sister product for healthcare, not to ArthurAI™ — ArthurAI does not handle Protected Health Information by design.
Requesting the readiness summary
Institutional buyers can request the current SOC 2 readiness summary under NDA. The summary describes the controls in scope, the auditor engagement status, the audit window timeline, and the evidence-collection cadence. To make a request, talk to our team, using the subject “SOC 2 readiness summary” and including your organization name in the message body. Mention any in-progress procurement timeline so we can prioritize the response.