Trust Center
Security isn't a feature we bolt on — it's how we build. Here's everything you need for your vendor review.
🛡 SOC 2 Type II
Conduyt maintains SOC 2 Type II compliance, audited annually by Prescient Assurance. Our most recent report covers the Trust Services Criteria for Security, Availability, and Confidentiality.
Request Attestation Letter →
🔒 Data Protection
- AES-256 encryption at rest for all customer data
- TLS 1.3 enforced for data in transit (TLS 1.2 accepted only for legacy webhook receivers; see Encryption in Depth below)
- Role-based access control with principle of least privilege
- Complete audit logging with 90-day retention
- Automatic daily backups with point-in-time recovery
- GDPR and CCPA compliant data handling
- HIPAA-ready infrastructure (BAA available on Professional and Enterprise)
🏢 Sub-processors
We use a minimal set of sub-processors, each selected for their own security posture.
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & CDN | US (multi-region) |
| Neon | PostgreSQL database | US-East |
| Resend | Transactional email | US |
| Stripe | Payment processing | US |
Last updated: April 2026. We notify customers 30 days before adding new sub-processors.
📋 Security Questionnaire
Need to complete a vendor security review? We maintain a pre-filled CAIQ v4 questionnaire and can support SIG, VSAQ, and custom questionnaire formats.
📑 What Our SOC 2 Type II Report Covers
Our SOC 2 Type II report is the primary attestation customers ask for during vendor reviews. It is renewed annually and covers a full 12-month observation period. Unlike a SOC 2 Type I report, which assesses control design at a single point in time, a Type II report means the auditor samples evidence across the entire period and verifies that our controls are not just designed correctly but operating effectively over time.
The report covers three of the five Trust Services Criteria:
- Security. Access controls, authentication, authorization, monitoring, change management. This section accounts for the bulk of the report and the bulk of the evidence the auditor reviews.
- Availability. Uptime commitments, redundancy, disaster recovery, backup integrity. The published service-level target is 99.9% monthly uptime; recent quarters have run at 99.98% or better.
- Confidentiality. How we protect data classified as confidential, including customer records, API tokens, and authentication material.
What the report does not cover, in the interest of being explicit: it is not a HIPAA certification (no such program exists), it is not PCI DSS compliance (payments are handled by Stripe, which is PCI DSS compliant; card data never touches Conduyt systems), and it is not ISO 27001 (a different framework with significant overlap, but we do not currently hold an ISO 27001 certification). If your vendor review requires any of these, please raise it during evaluation rather than after contract signing.
🔐 Encryption in Depth
The headline encryption claims on this page are the starting point. The deeper picture:
In transit. TLS 1.3 is enforced for all customer-facing endpoints, with TLS 1.2 accepted only for outbound delivery to legacy webhook receivers that have not yet upgraded. All API calls, web sessions, and outbound webhook deliveries are encrypted. HSTS is enabled with a one-year max-age and includeSubDomains. Cipher suites are limited to those providing forward secrecy via ECDHE key exchange; static RSA key exchange is disabled.
At rest. AES-256 encryption applied to every customer database, every file attachment, and every backup. Encryption keys are managed in a dedicated key management service with annual rotation on the master keys and audit logging on every key-use event. Customer database encryption is bound to the workspace; one workspace cannot decrypt another's data even if both happen to land on the same physical infrastructure.
Key management. No human at Conduyt has direct access to the master keys; access requires a quorum approval workflow and is logged immutably. The 2-of-3 key custody model means a single compromised employee cannot exfiltrate keys unilaterally.
🛂 Access Control & Authentication
Conduyt customer data is protected by several layers of access control, each of which can be configured by the customer to fit their own posture:
- Role-based access. The default roles (Owner, Admin, Manager, Member, Read-Only) cover most use cases, and custom roles let you compose any subset of the 80+ granular permissions Conduyt exposes. Permissions are checked on every request, not just at navigation time.
- Single sign-on. SAML 2.0 and OIDC supported on Professional and Enterprise plans. Just-in-time provisioning, group-to-role mapping, and forced reauthentication intervals all configurable per workspace.
- Two-factor authentication. TOTP available on all plans, enforceable as a workspace-wide policy on Professional and above. WebAuthn / FIDO2 hardware key support included.
- Session policies. Idle timeout, absolute session lifetime, and concurrent-session limits are all admin-configurable. Sessions are bound to user agent and IP address with re-authentication required on material change.
- API and webhook security. Every API key carries a scope (read-only, contact-only, no-DNC-override, etc.) and an optional expiration. Every webhook payload is HMAC-signed; replay-protection nonces are part of every delivery.
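The HMAC signing and replay protection described for webhooks above is only as good as the receiver's verification. The following is an added example of a receiver-side check, not Conduyt's own code: the header names, the `"<timestamp>.<nonce>." + body` signing input, and the five-minute tolerance are assumptions made for illustration, since this page does not publish the wire format. The order of the checks matters: freshness first, then the constant-time signature comparison, and only then nonce bookkeeping, so that unauthenticated traffic can never poison the replay cache.

```python
import hashlib
import hmac
import time

# Hypothetical header names and signing scheme (not Conduyt's published format).
SIG_HEADER = "X-Webhook-Signature"   # hex(HMAC-SHA256(secret, "<ts>.<nonce>." + body))
TS_HEADER = "X-Webhook-Timestamp"    # Unix seconds at delivery time
NONCE_HEADER = "X-Webhook-Nonce"     # unique per delivery


def sign(secret: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    """Producer side: timestamp and nonce are bound into the MAC so they cannot be swapped."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = 300, now=time.time):
        self.secret = secret
        self.tolerance = tolerance  # accept deliveries within +/- tolerance seconds
        self.now = now              # injectable clock so tests are deterministic
        self._seen = {}             # nonce -> time after which it no longer needs remembering

    def verify(self, headers: dict, body: bytes) -> str:
        """Return 'ok' or 'reject:<reason>'; never raises on attacker-controlled input."""
        try:
            ts = int(headers[TS_HEADER])
            nonce = headers[NONCE_HEADER]
            provided = headers[SIG_HEADER]
        except (KeyError, ValueError, TypeError):
            return "reject:missing_or_malformed_headers"
        if not isinstance(provided, str) or not provided.isascii():
            return "reject:missing_or_malformed_headers"
        now = int(self.now())
        # 1. Freshness: stale deliveries are dropped before any other work.
        if abs(now - ts) > self.tolerance:
            return "reject:stale_timestamp"
        # 2. Authenticity: constant-time comparison over the full hex digest.
        expected = sign(self.secret, ts, nonce, body)
        if not hmac.compare_digest(expected, provided):
            return "reject:bad_signature"
        # 3. Replay: only authenticated nonces are remembered, and only for as long as
        #    step 1 would still accept the timestamp, so the cache stays bounded.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return "reject:replayed_nonce"
        self._seen[nonce] = now + 2 * self.tolerance
        return "ok"


if __name__ == "__main__":
    # Constructed sample delivery for a stand-alone run.
    secret = b"whsec_example_only"
    body = b'{"event":"contact.updated","id":"c_123"}'
    ts, nonce = int(time.time()), "delivery-0001"
    headers = {TS_HEADER: str(ts), NONCE_HEADER: nonce, SIG_HEADER: sign(secret, ts, nonce, body)}
    v = WebhookVerifier(secret)
    print(v.verify(headers, body))   # first delivery
    print(v.verify(headers, body))   # identical replay
```

A receiver that compares signatures with `==` or checks the nonce before the signature is the usual mistake; the first leaks timing information, the second lets anyone fill the replay cache with unsigned garbage.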
🚨 Incident Response & Uptime
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is reviewed annually and exercised at least quarterly through tabletop drills and live game-day exercises.
- Detection. 24/7 monitoring with on-call coverage across engineering and security. Anomalies are paged in under five minutes from the first signal.
- Customer notification. For incidents that affect customer data, our commitment is notification within 24 hours of confirmation, faster where possible. The first notice includes what we know at the time, what we are doing, and when we will update next.
- Communication channel. Email to the primary account contact plus an entry on our public status page for any service-affecting incident. Customers can subscribe to status updates by email, SMS, or RSS.
- Post-incident review. For material incidents, customers receive a written post-incident review covering root cause, customer impact, remediation, and prevention measures. Reviews are typically delivered within two weeks of resolution.
- HIPAA-applicable incidents. Customers with an executed Business Associate Agreement receive breach-notification timelines specifically scaled to the BAA terms, which are stricter than the general 24-hour commitment.
Conduyt has not had a material customer data breach in its operating history. The section above describes what will happen if and when one occurs, not what has happened.
🤖 AI Features & Your Data
Conduyt is an AI-native CRM, which means our AI surface is broader than most CRMs and the data-handling questions are correspondingly more important. The short version: your data is yours, and we do not use it to train any model — ours or anyone else's.
- No training on customer data. Conduyt does not train AI models on customer records. Customer data sent to upstream model providers (Anthropic, OpenAI, and any model the customer brings via Bring Your Own AI) is processed under those providers' API terms, which include commitments that customer data is not used to train their models.
- Permission parity. An AI agent operating against your workspace is bound by the same role-based access controls as a human user. The AI cannot read records the originating user could not read, and cannot take actions the originating user could not take.
- Scoped agent tokens. For Bring Your Own AI integrations, every token has explicit scopes, per-hour rate budgets, and an audit log of every action taken. Tokens can be revoked in seconds.
- Action audit log. Every AI-initiated action is logged with the agent identity, the record touched, the payload, the result, and the originating prompt context. The audit log is exportable to your own SIEM or observability stack.
- Confirmation tokens for destructive operations. Bulk deletes, mass updates, and DNC overrides require a second-step confirmation that the AI agent must explicitly produce, not a default it can hallucinate into.
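Permission parity, scoped tokens with hourly budgets, the action audit log, and confirmation tokens for destructive operations compose into a single authorization gate. The following is an added illustration of that design, not Conduyt's implementation: the permission names, roles, `AgentToken` fields, and five-minute confirmation lifetime are assumptions chosen for the example. The central rule is that the agent's effective permissions are the intersection of the originating user's role and the token's scopes, so neither can grant what the other withholds.

```python
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical subset of a permission catalogue (illustrative names, not Conduyt's).
ROLE_PERMISSIONS = {
    "admin": {"contacts:read", "contacts:write", "contacts:bulk_delete",
              "contacts:mass_update", "dnc:override"},
    "member": {"contacts:read", "contacts:write"},
    "read_only": {"contacts:read"},
}
# Operations that require an explicit second-step confirmation from the agent.
DESTRUCTIVE = {"contacts:bulk_delete", "contacts:mass_update", "dnc:override"}
CONFIRMATION_TTL = 300  # seconds a confirmation stays valid (assumed value)


@dataclass
class AgentToken:
    token_id: str
    acting_user: str      # the human whose permissions bound this agent
    role: str
    scopes: frozenset     # the most the token may ever do
    hourly_budget: int    # maximum allowed actions per rolling hour
    revoked: bool = False
    used_at: list = field(default_factory=list)


class AgentGate:
    """Authorization gate for AI-agent actions (illustrative design, not Conduyt's code)."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so tests are deterministic
        self.audit = []       # every decision is recorded, allowed or denied
        self.pending = {}     # confirmation -> (token_id, action, target, expiry)

    def effective_permissions(self, token):
        # Permission parity: intersection of the user's role and the token's scopes.
        return ROLE_PERMISSIONS.get(token.role, set()) & set(token.scopes)

    def request_confirmation(self, token, action, target):
        # Issued only for a destructive action the agent could otherwise perform, and
        # bound to this token, action and target so it cannot be repurposed elsewhere.
        if action not in DESTRUCTIVE or action not in self.effective_permissions(token):
            return None
        conf = secrets.token_hex(16)
        self.pending[conf] = (token.token_id, action, target, self.now() + CONFIRMATION_TTL)
        return conf

    def authorize(self, token, action, target, confirmation=None):
        decision = self._decide(token, action, target, confirmation)
        self.audit.append({"ts": self.now(), "token_id": token.token_id,
                           "agent_for": token.acting_user, "action": action,
                           "target": target, "decision": decision})
        if decision == "allowed":
            token.used_at.append(self.now())
        return decision

    def _decide(self, token, action, target, confirmation):
        if token.revoked:
            return "denied:revoked"
        if action not in self.effective_permissions(token):
            return "denied:out_of_scope"
        cutoff = self.now() - 3600                       # rolling one-hour budget
        token.used_at = [t for t in token.used_at if t > cutoff]
        if len(token.used_at) >= token.hourly_budget:
            return "denied:rate_budget"
        if action in DESTRUCTIVE:
            entry = self.pending.pop(confirmation, None)  # single use, even on mismatch
            if entry is None:
                return "denied:confirmation_required"
            conf_token, conf_action, conf_target, expiry = entry
            if (conf_token, conf_action, conf_target) != (token.token_id, action, target):
                return "denied:confirmation_mismatch"
            if expiry < self.now():
                return "denied:confirmation_expired"
        return "allowed"


if __name__ == "__main__":
    gate = AgentGate()
    tok = AgentToken("tok-demo", "alice", "admin",
                     frozenset({"contacts:read", "contacts:bulk_delete"}), hourly_budget=50)
    print(gate.authorize(tok, "contacts:bulk_delete", "list:42"))          # confirmation required
    conf = gate.request_confirmation(tok, "contacts:bulk_delete", "list:42")
    print(gate.authorize(tok, "contacts:bulk_delete", "list:42", conf))    # allowed
    print(gate.audit[-1])
```

Because the confirmation is a random value the gate hands out and later looks up, the agent cannot satisfy the check by emitting a plausible-looking string; it has to complete the round trip for that exact token, action and target.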
❔ Frequently Asked Security Questions
Is Conduyt SOC 2 certified?
Yes, in the sense vendor reviews usually mean. Strictly, SOC 2 is an attestation report rather than a certification: Conduyt holds a SOC 2 Type II report issued by Prescient Assurance, renewed annually. The report covers Security, Availability, and Confidentiality, and is available under NDA to current and prospective customers via the Request Attestation Letter button above.
Is Conduyt HIPAA-certified?
No. There is no such thing as HIPAA certification because HIPAA does not have a certification program. Conduyt is designed to support HIPAA workflows, and we will sign a Business Associate Agreement (BAA) with qualifying customers on Professional and Enterprise plans. The combination of our SOC 2 controls and an executed BAA is what enables HIPAA-applicable use of the platform.
Does Conduyt's AI train on my data?
No. Our AI features do not train on customer data, and the upstream model providers we and our customers use (Anthropic, OpenAI, others via Bring Your Own AI) operate under terms that exclude customer data from their training pipelines.
Can I get a copy of the SOC 2 report?
Yes, under NDA. Use the Request Attestation Letter button above and we will route the request through our security team.
How fast is the breach-notification window?
Within 24 hours of confirming a customer-data-affecting incident. For HIPAA-applicable incidents under an executed BAA, the window is shorter and tied to the specific breach-notification terms in the BAA itself.
What about ISO 27001, FedRAMP, or other certifications?
We do not currently hold ISO 27001, FedRAMP, or PCI DSS certifications. If your procurement process requires one of these specifically, please raise it during evaluation so we can give you an honest answer about fit and any compensating evidence we can offer.
Where is Conduyt customer data stored?
In US-based infrastructure with redundancy across multiple availability zones. Data does not transit outside the United States as part of normal operations. Customers with international data residency requirements should raise this during evaluation; we do not currently offer EU or APAC residency options.