Relm is SOC 2 Type II-ready as of 2026. This page explains what that means in practical terms and how to request our report.
What SOC 2 covers
SOC 2 is the standard third-party audit framework for SaaS companies handling sensitive data. The framework evaluates five "trust services criteria":
- Security — protecting against unauthorized access.
- Availability — keeping the service running.
- Processing integrity — making sure operations work correctly.
- Confidentiality — keeping confidential data confidential.
- Privacy — handling personal information responsibly.
Our Type II report covers Security and Confidentiality at minimum. Other criteria are added as the business grows.
Type II vs Type I
- Type I — point-in-time assessment of controls.
- Type II — operational assessment over a 6–12 month observation period. Stronger.
We're targeting Type II rather than Type I because, for most institutional buyers, it's the de facto standard.
What's in the report
A SOC 2 Type II report contains:
- An auditor's opinion.
- A description of our system (architecture, data flows, subprocessors).
- The controls we've designed.
- Test results showing those controls operated effectively over the observation period.
The report is the deliverable you'd share with your IT / security team for vendor risk review.
How to request
Enterprise customers and prospective Enterprise customers can request the SOC 2 Type II report under NDA. Email security@relm.ai or ask your account contact. Self-Serve customers don't typically request SOC 2 reports directly — if you have a specific compliance question, the support form works.
What if we're not yet on the latest report
SOC 2 reports cover historical observation periods. If our most recent published report doesn't cover the full window your team is asking about, a "bridge letter" can fill the gap between the report's end date and today. We provide bridge letters on request.
What SOC 2 doesn't cover
- HIPAA — separate framework. Not in scope for typical Relm Pro use (we don't handle PHI), but reach out if you have a specific scenario.
- FedRAMP — federal-government framework. Not currently pursued.
- ISO 27001 — also not currently pursued; the institutional buyers we work with consistently prefer SOC 2.
Other security artifacts
Beyond SOC 2 we maintain:
- A DPA (Data Processing Agreement) for customers under GDPR or similar regimes.
- A subprocessor list — published on our privacy policy.
- A vulnerability disclosure policy at security@relm.ai.
- A bug bounty for high-severity findings (informal; reach out to discuss).