Primates Achieves SOC 2 Type II Certification

Elena Rodriguez

Security Researcher

August 5, 2024

Our Commitment to Enterprise Security

I am pleased to announce that Primates has successfully completed its SOC 2 Type II audit, conducted by Ernst and Young. This certification validates that our security controls, policies, and procedures meet the rigorous standards established by the American Institute of Certified Public Accountants for service organizations that handle sensitive customer data. Achieving SOC 2 Type II is a significant milestone for Primates and an important signal to our customers and prospects that we take data security as seriously as they do.

For those unfamiliar with SOC 2, it is worth explaining what this certification represents and why it matters. SOC 2 is a security framework developed specifically for technology companies and service providers that store, process, or transmit customer data. Unlike SOC 2 Type I, which evaluates the design of security controls at a single point in time, SOC 2 Type II evaluates both the design and operating effectiveness of controls over an extended observation period—in our case, twelve months. This means the auditors did not just review our security policies on paper; they verified that we consistently implemented and followed those policies throughout the entire observation period.

The audit covered all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our audit report includes zero exceptions across all criteria, which means that every control tested by the auditors was found to be both properly designed and consistently operating as intended throughout the twelve-month observation period. This is an outcome we are extremely proud of, and it reflects the hard work of our entire organization in building and maintaining a robust security posture.

What We Did to Prepare

Achieving SOC 2 Type II certification was not an overnight endeavor. We began our formal preparation process eighteen months before the audit, although many of the security practices covered by the audit were already in place from the earliest days of the company. Our preparation involved several major workstreams: formalizing and documenting security policies and procedures that existed informally, implementing additional technical controls to close gaps identified in our readiness assessment, building monitoring and evidence collection systems to demonstrate ongoing compliance, and training our entire team on their roles and responsibilities in maintaining our security posture.

One of the most significant investments we made was in our access control and identity management infrastructure. We implemented a comprehensive identity and access management system that enforces the principle of least privilege across all systems, requires multi-factor authentication for all employee accounts, automatically provisions and deprovisions access based on role changes and employment status, and maintains detailed audit logs of all access events. Here is an overview of the key security controls we implemented or enhanced during our preparation:

// Example: Automated access review and compliance checking
// Illustrative use of the internal @primates/security-framework package.
// evaluateBusinessNeed and evaluateAccessLevel are assumed to be defined
// elsewhere; they encode the role-to-entitlement rules for the organization.
import { AccessReviewEngine } from '@primates/security-framework';

// Quarterly review cycle; records left unreviewed for seven days escalate to the CISO.
const engine = new AccessReviewEngine({
  schedule: 'quarterly',
  reviewers: ['security-team', 'engineering-leads'],
  escalation: {
    unreviewedAfterDays: 7,
    escalateTo: 'ciso@primates.dev'
  }
});

// Automated access review workflow: every record is approved, narrowed, or revoked.
engine.onReviewCycle(async (cycle) => {
  const accessRecords = await cycle.getAllAccessRecords();

  for (const record of accessRecords) {
    // Is this access still needed for the holder's current role?
    const isStillRequired = await evaluateBusinessNeed(record);
    // Is the granted level no broader than the role requires (least privilege)?
    const isAppropriateLevel = await evaluateAccessLevel(record);

    if (!isStillRequired) {
      await cycle.flagForRevocation(record, 'No longer required for role');
    } else if (!isAppropriateLevel) {
      await cycle.flagForAdjustment(record, 'Access level exceeds role requirements');
    } else {
      await cycle.approve(record);
    }
  }

  // Evidence for the audit: the report records each decision and its rationale.
  await cycle.generateComplianceReport();
  await cycle.notifyReviewers();
});

Key Security Controls

The SOC 2 audit evaluated our controls across dozens of control objectives. While the full audit report is available to customers and prospects under NDA, I want to highlight some of the key control areas that are most relevant to our customers' security concerns:

  • Data encryption: all customer data is encrypted at rest using AES-256 encryption with keys managed through AWS KMS. All data in transit is encrypted using TLS 1.3 with strong cipher suites. Encryption key rotation is automated and occurs every ninety days.
  • Network security: our production environment is deployed in isolated VPCs with strict security group rules that follow the principle of least privilege. All network traffic between services is encrypted using mutual TLS through our Istio service mesh. We conduct quarterly penetration tests performed by independent security firms.
  • Access management: all employee access to production systems requires multi-factor authentication and is provisioned through a centralized identity management system. Access reviews are conducted quarterly, and access is automatically revoked upon employment termination within one hour.
  • Incident response: we maintain a formal incident response plan that is tested through tabletop exercises quarterly and full simulation exercises annually. Our average incident response time is under fifteen minutes from detection to initial response.
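The decision logic behind the access review workflow shown earlier, together with the one-hour termination revocation control from the access management bullet, as an added example that is not Primates' code. The role baseline, the access records and the review timestamp are constructed sample data; the two evaluate functions are hypothetical stand-ins for whatever rules the real framework applies.

```javascript
// Added example (not Primates' code): classify access records the way a quarterly
// least-privilege review would, and flag terminated users whose access outlived
// the one-hour revocation SLA. All data below is constructed for illustration.
const REVOCATION_SLA_MS = 60 * 60 * 1000; // one hour, per the stated control
const LEVEL_RANK = { read: 1, write: 2, admin: 3 };

// Constructed baseline: the highest access level each role legitimately needs.
const ROLE_BASELINE = {
  engineer: { 'prod-db': 'read', ci: 'write' },
  sre: { 'prod-db': 'admin', ci: 'admin' },
};

// Still required only for active staff whose role baseline includes the resource.
function evaluateBusinessNeed(record, baseline) {
  return record.employmentStatus === 'active' &&
    baseline[record.role]?.[record.resource] !== undefined;
}
// Appropriate only if the granted level does not exceed the role's baseline.
function evaluateAccessLevel(record, baseline) {
  const allowed = baseline[record.role]?.[record.resource];
  return allowed !== undefined && LEVEL_RANK[record.level] <= LEVEL_RANK[allowed];
}

function reviewAccess(records, baseline, now) {
  return records.map((r) => {
    if (!evaluateBusinessNeed(r, baseline)) {
      // Live access more than one hour after termination breaches the SLA and
      // would surface as a control exception in the compliance report.
      const overdue = r.employmentStatus === 'terminated' &&
        now - Date.parse(r.terminatedAt) > REVOCATION_SLA_MS;
      return { id: r.id, action: 'revoke', exception: overdue };
    }
    if (!evaluateAccessLevel(r, baseline)) return { id: r.id, action: 'adjust', exception: false };
    return { id: r.id, action: 'approve', exception: false };
  });
}

// Roll-up for the compliance report: decision counts plus SLA exceptions.
function summarize(decisions) {
  const s = { approve: 0, adjust: 0, revoke: 0, exceptions: 0 };
  for (const d of decisions) { s[d.action] += 1; if (d.exception) s.exceptions += 1; }
  return s;
}

const NOW = Date.parse('2024-08-05T12:00:00Z'); // constructed review time
const SAMPLE_RECORDS = [ // constructed records
  { id: 'a1', role: 'engineer', resource: 'prod-db', level: 'read', employmentStatus: 'active' },
  { id: 'a2', role: 'engineer', resource: 'prod-db', level: 'admin', employmentStatus: 'active' },
  { id: 'a3', role: 'sre', resource: 'ci', level: 'admin', employmentStatus: 'terminated', terminatedAt: '2024-08-05T09:00:00Z' },
  { id: 'a4', role: 'engineer', resource: 'vault', level: 'read', employmentStatus: 'active' },
  { id: 'a5', role: 'sre', resource: 'prod-db', level: 'write', employmentStatus: 'terminated', terminatedAt: '2024-08-05T11:50:00Z' },
];
console.log(summarize(reviewAccess(SAMPLE_RECORDS, ROLE_BASELINE, NOW)));
```

Record a3 is the case auditors care about: access still live three hours after termination, so it is both revoked and counted as an exception, whereas a5 (ten minutes after termination) is revoked within the SLA.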

"Security certification is not a destination—it is a continuous journey. SOC 2 Type II gives us a framework for maintaining and improving our security posture over time, and gives our customers confidence that their data is protected by controls that are regularly verified by independent auditors." — Elena Rodriguez, Principal Security Researcher at Primates

What This Means for Our Customers

For our existing and prospective customers, SOC 2 Type II certification provides several tangible benefits. First, it simplifies vendor security assessments. Many organizations require SOC 2 reports from their technology vendors as part of their risk management process. With our SOC 2 Type II report in hand, customers can satisfy their internal compliance requirements without conducting lengthy custom security assessments. Second, it provides assurance that our security controls are not just designed on paper but are consistently operating effectively in practice. The twelve-month observation period gives customers confidence that our security posture is sustained, not just demonstrated for audit purposes.

The following table summarizes the Trust Services Criteria covered by our audit and the key controls in each area:

Criteria             | Focus Area                            | Key Controls                          | Exceptions
---------------------|---------------------------------------|---------------------------------------|-----------
Security             | Protection against unauthorized access| MFA, RBAC, encryption, monitoring     | None
Availability         | System uptime and reliability         | Redundancy, DR, SLA monitoring        | None
Processing Integrity | Accurate and complete processing      | Validation, reconciliation, testing   | None
Confidentiality      | Protection of sensitive information   | Encryption, access controls, DLP      | None
Privacy              | Personal data protection              | Consent management, data minimization | None

Looking Ahead

SOC 2 Type II certification is an important milestone, but it is just one part of our broader security and compliance strategy. Over the coming year, we will be pursuing several additional certifications and compliance milestones. We are currently preparing for ISO 27001 certification, which provides an internationally recognized framework for information security management. We are also working toward HIPAA compliance for our healthcare customers and FedRAMP authorization for government customers.

Beyond certifications, we continue to invest in our security capabilities. We are expanding our security engineering team, enhancing our automated security testing pipeline, investing in advanced threat detection using machine learning, and building self-service security tools that allow customers to configure security controls for their own environments. Security is not a competitive differentiator that you achieve once and move on from—it is a core competency that requires continuous investment and vigilance.

  1. Existing customers can request a copy of our SOC 2 Type II report through their account manager.
  2. Prospective customers can request the report through our sales team at security@primates.dev.
  3. Visit our Trust Center at trust.primates.dev for real-time information about our security posture, compliance status, and system availability.
  4. Contact our security team if you have questions about specific controls or need information for your vendor risk assessment.

We want to thank our entire team for their dedication to building and maintaining the security controls that made this certification possible. Security is a company-wide responsibility at Primates, and every team member plays a role in protecting our customers' data. We are committed to maintaining the highest standards of security and transparency, and we look forward to continuing to earn the trust of our customers through our actions and our results.

About the Author

Elena Rodriguez

Security Researcher

Elena Rodriguez is a Principal Security Researcher at Primates, where she leads vulnerability research and security architecture reviews. She previously worked at CrowdStrike and the NSA, focusing on advanced persistent threats and zero-day exploit analysis. Elena holds CISSP and OSCP certifications, has published numerous papers on API security and cloud-native threat models, and regularly contributes to open-source security tooling projects.

Comments (3)

Alex Thompson, March 12, 2026

This is an excellent deep dive! The architecture diagrams really helped me understand the overall flow. We have been considering a similar approach at our company and this gives us a great starting point.

Jennifer Walsh, March 14, 2026

Great article. I especially appreciated the section on error handling and fault tolerance. One question: have you considered using an event sourcing pattern for the audit trail instead of the approach described here?

Ryan Patel, March 16, 2026

We implemented something very similar last quarter after reading your previous post. The performance improvements were even better than expected. Looking forward to more content like this!